New malware represents biggest threat to critical infrastructure

ESET have identified a new strain of malware, named Industroyer, which has the capability to take down most industry control systems

Malware Critical Infrastructure

'Since the industrial controls used in the Ukraine are the same in other parts of Europe, the Middle East and Asia, we could see more of these attacks in the future. And while these attackers seem to be content to disrupt the system, it’s not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves'

Yesterday, ESET broke the news that they had discovered a malware that is the biggest threat to critical infrastructure since Stuxnet (the malicious worm that was responsible for causing substantial damage to Iran’s nuclear program) named ‘Industroyer’.

As its name suggests, Industroyer was designed to disrupt critical industrial processes and is capable of doing significant harm to electric power systems and which could also be refitted to target other types of critical infrastructure.

The 2016 attack on Ukraine’s power grid that deprived part of its capital, Kiev, of power for an hour was caused by a cyber attack. ESET researchers have suggested that the Win32/Industroyer malware would be capable of performing such an attack.

>See also: Power cut in Ukraine a cyber attack

It is unclear whether this malware was responsible for the cyber attack in the Ukraine, but it is certainly capable. Perhaps it was a test of Industroyer’s capabilities? ESET has said that Industroyer is a particularly dangerous threat, because it has the ability to control electricity substation switches and circuit breakers directly. According to ESET, it does this by using ‘industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas).’

These controlled switches and circuit breakers, suggest ESET, act as digital equivalents to analog switches, so that they could be engineered to perform various functions; ranging in severity. The impending danger with this malware is that uses protocols in the way they were designed to be used.

Terry Ray, chief product strategist at Imperva, said “We are beginning to see an uptick in infrastructure attacks and in the case of Industroyer, the attackers seem to have extensive knowledge about industrial control protocols. Since the industrial controls used in the Ukraine are the same in other parts of Europe, the Middle East and Asia, we could see more of these attacks in the future. And while these attackers seem to be content to disrupt the system, it’s not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves.”

>See also: Could smart city malware be spread via motorways and highways?

“Many of these industrial control systems have been in operation for years with little or no modification (no anti-virus updates or patches). This leaves them open to a wide range of cyber threats. It is therefore imperative that we find alternative measures to manage the risk.”

Paul Edon, director at Tripwire suggests that “security best practice includes selecting suitable frameworks such as NIST, ISO, CIS, ITIL to help direct, manage and drive security programmes. It also means ensuring that your strategy includes all three pillars of security; People, Process and Technology. Protection should apply at all levels; Perimeter, Network and End Point. Finally, select the foundational controls that best suit your environment. There is a wealth of choice – Firewalls, IDS/IPS, Encryption, Duel Factor Authentication, System Integrity Monitoring, Change Management, Off-line Backup, Vulnerability Management and Configuration Management to name but a few.”

Ultimately, industries, governments and the public should be worried. Industroyer is a highly customisable malware, writes ESET. This means that it can target any industrial control system, not just an electricity power grid. The ESET conclude that ‘Attackers could adapt the malware to any environment, which makes it extremely dangerous. Regardless of whether or not the recent attack on the Ukrainian power grid was a test, it should serve as a wake-up call for those responsible for security of critical systems around the world.’

>See also: Hackers take down DNS infrastructure of Brazilian bank

Expert insight

Andrew Clarke, EMEA director at One Identity, has taken part in a short Q&A discussing ‘Industroyer’.

Is ‘Industroyer’ as scary as it sounds?

Yes, this is as scary as it sounds. First, it’s very difficult to detect because it uses known and allowable code yet in nefarious modes.  In addition, we’re not talking about stealing some incriminating photos from some celebrities cloud storage location.

This is controlling the power grid. It means that hospitals could lose power mid-surgery.  Or traffic lights cut out causing accidents.  The ability to alert citizens to bad weather halts.

What are the implications?

The implications are vast and varied. I highlighted some of the short term results of a hacker owning the grid.  But what should a government do to halt this? To begin with, government needs to make more and better investments in technology.

This costs money and government only has so much investment dollars.  Every dollar spent in security is a dollar not spent on roads, or education – a difficult set of choices to be sure. In addition, government must demand from its supplier better and tighter security so these types of hacks are identified and stopped in its tracks and vendors need to provide these improvements.

>See also: Get ready for the cyber war in 2017: know your enemy

Is it defensible?

The good news is that everything is defensible – but at a cost.  Is the solution a software solution?  Or do all these pieces of hardware need to be upgraded?  Vastly different costs which will impact the government and citizens separately.

What makes this industry so susceptible?

Candidly, I don’t think this industry is any more or less susceptible than any other industry.  It’s more to the point that the results of a hack to the power grid are far dangerous than an individual losing control over their checking account.  When the grid goes down, millions are affected and in a very bad way.

What can be done?

Security is a never-ending dance.  The hackers create a method of hacking, organisations and vendors change their solution to address that vulnerability.  The hackers change their modus operandi, vendors adapt.  There is no end in sight for this cycle of hack and solution. Organisations need to factor this effort and cost into their future operating costs

 

The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

 

Comments (0)