Physical and digital systems are increasingly linked together in modern industrial environments like those seen in the United States. While this connectivity automates the management of industrial control systems (ICS), it also means a digital attack against our nation’s critical infrastructure could negatively affect users’ physical health and safety. In the name of national security and public health, it’s imperative that IT and OT professionals put their heads together to strengthen the United States’ security posture around industrial control systems. They can start by learning from the past.
Celebrating the fifth and final week of National Cyber Security Awareness Month (NCSAM) 2016, we at The State of Security would like to emphasize the goal of building resilience in critical infrastructure. We’ll do so by discussing three ICS security incidents that rocked 2016 and by sourcing expert opinion on what we can learn from each of those events.
1. Operation Ghoul
In August 2016, researchers at Kaspersky Lab uncovered “Operation Ghoul,” a spear-phishing campaign targeting industrial organizations in the Middle East. Each attack began with a phishing email that appeared to come from Emirates NBD, a bank based in the United Arab Emirates. In reality, the email was a fake. It came with an attached document laced with HawkEye, malware that collects victims’ keystrokes, clipboard data and other information on behalf of the attackers.
At the time of discovery, Kaspersky had identified 130 victims of Operation Ghoul. Most of those organizations operated in the petrochemical, naval, military, aerospace and heavy machinery industries located in Spain, Pakistan, the United Arab Emirates, India, Egypt, and elsewhere around the Middle East.
What We Should Learn
Lane Thames, a software development engineer and security researcher with Tripwire’s Vulnerability and Exposure Research Team (VERT), feels Operation Ghoul highlights the security industry’s ongoing need to address human error when defending against digital attacks:
“Operation Ghoul was an interesting attack campaign because it exploited the ‘human element’ in order to penetrate its target, and it used commercial-off-the-shelf malware to achieve its final outcomes. There was no innovation in this campaign, which successfully penetrated mostly industrial and engineering organizations.
“The attack is one of many that continues to illustrate, unfortunately, that we are still lagging behind the bad guys in this game of cybersecurity. Cybersecurity is a hard problem, and a solution cannot be approached by technology alone. There is a human component as well as a technology component in the solution space. Both must be addressed in order to start gaining ground in this game.
“I personally believe that we have a long way to go because we are failing miserably at addressing the human component of cybersecurity. Our educational ecosystem is not properly focusing on this problem. In the short term, organizations should focus on continuous cybersecurity training and awareness for their employees.
“For the long term, we need to start teaching our children early on about the consequences of using digital technology. The fundamentals of cybersecurity need to be integrated into our education programs, especially STEM-based curricula. STEM students are the ones who will be developing our technology of tomorrow. They need to know how cybersecurity works just as much as one who specializes in cybersecurity. Until we start addressing the educational front, I’m afraid the bad guys will continue to win.”
2. BlackEnergy-Borne Power Outage
On December 23, 2015, the western Ukrainian power company Prykarpattyaoblenergo reported a power outage that affected an area including the regional capital Ivano-Frankivsk. An investigation later determined that attackers had leveraged a Microsoft Excel document containing malicious macros to compromise an employee’s workstation and inject BlackEnergy malware into the company’s network. The malware provided “interference” while the attackers cut off power to the affected region.
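Both incidents above began the same way: an Office document attached to a phishing email, and in the Ukrainian case the payload ran only because the recipient enabled macros. The following is an added illustration, not code from the original article or from Tripwire, of how a mail gateway or SOC triage script can flag macro-carrying Office attachments from their bytes alone, before any user sees the “Enable Content” prompt. It distinguishes the ZIP-based Office Open XML container (.xlsm/.docm) from the legacy OLE2 container (.xls/.doc); the OLE2 check is a string heuristic, and the sample attachments are constructed in memory with placeholder bytes rather than a real VBA project.

```python
"""Screen e-mail attachments for Office documents that embed VBA macros.

Added example (not from the original article). Sample attachments are
constructed in memory; the OLE2 check is a labelled heuristic.
"""
import io
import zipfile
from dataclasses import dataclass, field

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .doc/.xls compound file header
MACRO_CONTENT_TYPE = b"macroEnabled"               # declared in [Content_Types].xml of .xlsm/.docm


@dataclass
class AttachmentVerdict:
    filename: str
    container: str                 # "ooxml", "ole2" or "other"
    has_macros: bool
    reasons: list = field(default_factory=list)


def inspect_office_attachment(filename: str, data: bytes) -> AttachmentVerdict:
    """Decide from the bytes (never the extension) whether the attachment carries VBA."""
    # Case 1: Office Open XML (.docx/.xlsx/.xlsm ...) is a ZIP archive.
    if data[:2] == b"PK":
        reasons = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # vbaProject.bin is the macro storage itself.
                vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
                if vba_parts:
                    reasons.append(f"VBA part present: {vba_parts[0]}")
                # The content-types manifest declares macro-enabled workbooks/documents.
                if "[Content_Types].xml" in names and MACRO_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                    reasons.append("content type declares a macroEnabled document")
        except zipfile.BadZipFile:
            return AttachmentVerdict(filename, "other", False, ["malformed ZIP container"])
        # Extension/content mismatch: .xlsx/.docx are supposed to be macro-free.
        if reasons and filename.lower().endswith((".xlsx", ".docx")):
            reasons.append("macro content inside an extension that should be macro-free")
        return AttachmentVerdict(filename, "ooxml", bool(reasons), reasons)

    # Case 2: legacy OLE2 binary formats (.doc/.xls) keep VBA in named storages/streams.
    if data.startswith(OLE2_MAGIC):
        reasons = []
        # Heuristic: directory entry names are stored as UTF-16LE; a "_VBA_PROJECT"
        # stream exists only when a VBA project is present. A real deployment should
        # parse the directory (e.g. with oletools/olefile) instead of scanning bytes.
        if "_VBA_PROJECT".encode("utf-16-le") in data:
            reasons.append("OLE2 directory entry '_VBA_PROJECT' found (heuristic)")
        return AttachmentVerdict(filename, "ole2", bool(reasons), reasons)

    return AttachmentVerdict(filename, "other", False, ["not an Office container"])


def build_ooxml_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML workbook, with or without a (placeholder) VBA part."""
    content_type = (
        "application/vnd.ms-excel.sheet.macroEnabled.main+xml" if with_macros
        else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/xl/workbook.xml" ContentType="{content_type}"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 64)  # placeholder bytes, not a real project
    return buf.getvalue()


def build_ole2_sample(with_macros: bool) -> bytes:
    """Constructed stand-in for a legacy .xls: correct magic plus an optional VBA entry name."""
    body = OLE2_MAGIC + b"\x00" * 504  # one 512-byte header sector
    if with_macros:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body + b"\x00" * 128


if __name__ == "__main__":
    for name, blob in [("report.xlsm", build_ooxml_sample(True)),
                       ("invoice.xlsx", build_ooxml_sample(True)),   # disguised macro file
                       ("plain.xlsx", build_ooxml_sample(False)),
                       ("old.xls", build_ole2_sample(True)),
                       ("note.pdf", b"%PDF-1.4 ...")]:
        print(inspect_office_attachment(name, blob))
```

A gateway would quarantine anything with `has_macros` set (or at least strip the attachment and notify the recipient), and the “macro-free extension” reason is worth a separate alert because a macro-enabled workbook renamed to .xlsx is rarely legitimate. For production use the OLE2 branch should be replaced by a real compound-file parser such as oletools’ olevba.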
What We Should Learn
Pavel Oreški, an IT analyst at Tripwire’s parent company Belden, says the attack demonstrates how spam mail continues to pose a serious threat to organizations:
“The BlackEnergy malware incident at the Ukrainian power company Prykarpattyaoblenergo shows precisely how an unthinking act of just one employee can lead to a very destructive event. I can’t help but imagine a similar attack affecting a nuclear power plant with much worse consequences.
“In this incident, the attack initialized after the recipient opened an Excel document and trusted an unverified email sender enough to enable macros. All of us encounter similar types of spam mail on a daily basis. I sure do.
“What if I were to ignore IT security principles and click on the document? That could allow the attacker to destroy the disks of our enterprise resource planning (ERP) system, for example. During recovery, the company might be paralyzed for a few hours, an outage which could cause purchase, production, and delivery delays with unhappy customers as a result.”