The lessons of Shamoon and Stuxnet ignored: US ICS still vulnerable in the same way

ReVuln, a Maltese start-up is one of the news discussions. "ReVuln claims to be sitting on a stockpile of vulnerabilities in industrial control software, but prefers to sell the information to governments and other paying customers instead of disclosing it to the affected software vendors,” says the report. The business model seems similar to that of Vupen; strong but morally questionable.

Project SHINE (SHodan INtelligence Extraction) is also discussed. Researchers Bob Radvanovsky and Jake Brodsky of InfraCritical used the Shodan search engine to discover 460,000 potentially vulnerable IPs; and handed the database to ICS-CERT. “Once accessed,” notes the Monitor, “these devices may be used as an entry point onto a control systems network, making their Internet facing configuration a major vulnerability to critical infrastructure.” ICS-CERT used its resources to refine the list of IPs. It first reduced it to 98,000 organizations within the US until “the list was again reduced to approximately 7,200 devices in the United States that appear to be directly related to control systems.”

The obvious lesson from SHINE is that control systems should not be internet-facing, and should be separate from the business network. This can work effectively – as last year’s Shamoon attack on Aramco demonstrates. According to the Saudi authorities the attack was intended to disrupt the Saudi economy by disrupting oil production; but it failed to bridge the air-gap between the business network and the control systems. Instead, it ‘merely’ destroyed 30,000 business computers.

But the air-gap isn’t always effective. “One of the most infamous pieces of malware, Stuxnet,” explains Stephen Cobb, security evangelist with ESET in a blog titled Are your USB flash drives an infectious malware delivery system? “is widely believed to have been introduced into Iran's Natanz nuclear facility in 2008 via a USB thumb drive. The malicious code on that flash drive damaged costly industrial equipment, centrifuges that play a critical role in Iran's nuclear program.”

Surprisingly, the lessons of Shamoon and Stuxnet do not seem to have been learned in the US, since both of the incidents reported by ICS-CERT in this Monitor involved infections getting onto control systems via USB drives. In the first, an engineer was experiencing intermittent issues with such a drive and asked IT support to have a look at it. “When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits,” reports the Monitor – two ‘common’ and one ‘sophisticated’ virus. The problem was that this thumb drive was used by the engineer for backing up control systems configurations within the control environment – and subsequent examination “discovered signs of the sophisticated malware on two engineering workstations, both critical to the operation of the control environment.”  Sadly, ICS-CERT doesn’t specify the sophisticated virus.

In the second incident, ten computers in the control system were found to have an infection after “a third-party technician used a USB-drive to upload software updates during a scheduled outage for equipment upgrades.”

“The US Government has highlighted a great weakness in energy infrastructure both in the US and beyond,” warns Chris McIntosh, CEO of ViaSat UK: “security is still firmly rooted in the 20th century. An attack need not be focused at hubs of power generation or sub-stations: communications lines, business networks and even smart meters can be viable points of entry for an attack.” There is no simple or immediate solution. But, “protection of the network must go beyond typical IT solutions, and,” he adds, “address the unique nature of interconnected real time control systems.  Encryption of data in transit and rigorous authentication protocols, for example, should become de rigeur. The genie of cyber-warfare is out of the bottle: organisations in the energy sector now need to get their heads out of the sand.”

What’s hot on Infosecurity Magazine?