When cyber-attacks become physical threats

March 16, 2018
Recent attack against petrochemical plant in Saudi Arabia could be a harbinger of things to come

The reality of seeing a global cyber-attack that results in a real-life disaster seems to be growing daily. While government officials and other cybersecurity experts have been sounding the alarm bell for years about the potential physical threats posed by malicious online actors, they only thing that appears to be holding back catastrophe is mere dumb luck, which could soon run out.

According to a story published on Thursday by the New York Times, investigators believe that a recent cyber-attack targeting a petrochemical plant in Saudi Arabia was intended to not only sabotage the plant’s operations but also cause an explosion. The only thing that reportedly prevented the explosion was a mistake in the computer code used by the attackers. Experts believe a nation state was most likely behind the attack.

Though investigators looking into the incident haven’t identified who they believe to be responsible for the attack or from which country it originated, many experts, including Tom Kellermann, Chief Cybersecurity Officer of Carbon Black, are pointing the finger squarely at Iran.

“This attack represents an escalation as Iran has permitted its elite hacker crews, such as APT33, to hunt again. This is the second time that Saudi’s energy sector has been damaged by a cyber-attack,” Kellermann says. “It’s evident Iran may be receiving technological assistance from Russian cyber militias as evidenced by the elegance of the Iranian 'Kill Chain' and operational security of its cyber activities. The West should be concerned as the Israeli and U.S. energy sectors lie in the crosshairs.”

According to Brian Contos, CISO at Verodin, cyber-attacks aimed at critical infrastructure and other sectors are escalating overall due to an increase in both the number of threat actors and the availability of attacks at their disposal. In addition, these attacks –whether carried out by nation-states, cyber criminals, hacktivists, etc. – have also proven to be successful, by and large, which has further increased their allure. “Conducting cyber-attacks carries reduced risk for the attacker and often reduced investment of time, money and resources,” Contos adds. The economics of cyber-attacks alone make it appealing.”

Protecting Critical Infrastructure

Given that the code mistakes in this most recent incident have undoubtedly been corrected by now, cybersecurity experts are imploring critical infrastructure operators to not only lean on best of breed technologies but to also retain people who will work just as diligently to thwart potential attacks as hackers do at launching them. Kellermann advises organizations in the energy sector to create “multi-disciplinary threat hunting teams” that leverage endpoint detection and response (EDR) as well as memory augmentation technologies to gain visibility into the threat environment and identify backdoors that many already exist within their networks.

“The organizations must also 'iron box,' e.g. deploy modern application security with high enforcement,” Kellermann adds. “Finally, I would recommend deploying deception grids along viable attack paths.”

Since many industrial control systems are designed with availability rather than cybersecurity in mind and are therefore dependent upon a variety of security products to protect them, Contos says organizations must immediately begin validating their security efficacy so they will know how these tools will respond during an attack.

“Organizations need to be able to know what’s blocking, what’s detecting and what’s alerting before an attack happens,” he says. “In most cases, that’s simply not happening and instead, organizations are managing their security effectiveness based on assumptions. Assumptions don’t work in security and that’s why the attackers are beating the defenders.”

Tim Erlin, VP of Product Management and Strategy at Tripwire, says the most effective tools for reducing the risk of successful cyber-attacks have proven to be well-known, foundational security controls.

“Deploying and maintaining secure configurations, finding and fixing vulnerabilities, limiting privileged access, and basic monitoring; these are the cornerstones of foundational security,” he says. “There are challenges in applying core security controls to industrial environments, but that doesn’t change the fact those controls make the biggest difference in reducing risk.”

Still others, including Justin Jett, Director of Audit and Compliance at Plixer, say that critical infrastructure needs to move to a “Zero Trust” model, which is the concept that an organization should not automatically trust anything – users, machines, etc. – located either inside or outside its’ perimeter. In addition, Jett says critical infrastructure operators should deploy network traffic analytics to provide a baseline of normal operations and subsequently configure alerts for when said traffic deviates from the norm.

“We can no longer trust that the vendors used to build our infrastructure will protect critical infrastructure from attacks,” Jett says. “If critical infrastructure doesn’t act to prevent further attacks, there could be devastating consequences for governments and their people.”  

Aside from the physical dangers presented to both facilities and people in a cyber-attack against critical infrastructure, Andrew Lloyd, president of Corero Network Security, says organizations should also be motivated to better protect against network incursions due to potential financial penalties, such as the Directive on Security of Network and Information Systems (NIS Directive) in the EU which is set to go into effect later this year.

“Whatever these attack vectors were/are, precisely this sort of catastrophic failure is what the NIS Directive is intended to address. The punitive penalties (of up to €20 million or 4 percent of global revenues) within the new NIS regulations should be more than a big enough stick to persuade all operators of essential services to act,” he says. “Oil, gas and petrochemical companies alongside major transportation, utilities and healthcare operators across all 28 EU member states become subject to this new law on May 9, 2018.”

The Looming Russian Threat

If the news of the severity of the cyber-attack in Saudi Arabia wasn’t bad enough, the U.S. Computer Emergency Readiness Team (US-CERT) also issued an alert on Thursday warning about the Russian government’s attempts to infiltrate the networks of U.S. Government entities as well as organizations in a variety of other sectors, including energy, nuclear, commercial facilities, water, aviation, and critical manufacturing.

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS),” the alert read.

Although there has been a significant rise in the number of cyber-attacks in the energy and critical infrastructure sectors over the past year, Edgard Capdevielle, CEO of Nozomi Networks, says the fact that DHS has now confirmed Russia as the threat actor and that their intent was to compromise industrial networks reinforces that these threats are real and must be addressed.

“This alert reminds us that our nation’s energy and critical infrastructure is only as strong as our weakest links, as these threat actors targeted third-party suppliers to gain access to their intended targets. In addition, the entry point centered on spear phishing to gain entry to these third parties, taking advantage of the human nature to trust by sending legitimate-looking emails with resumes and CVs to companies at a time when there’s a skills shortage in ICS talent,” he says.

To increase their resiliency to these attempted intrusions, Capdevielle recommends critical infrastructure operators implement real-time monitoring of ICS systems to detect anomalous behavior.

“Such activity could include unusual network connections, unusual communication messages, new or unusual commands from new sources, or new network flows,” he explains. “Furthermore, the presence of known indicators of compromise should be immediately identified by ICS monitoring solutions, giving operators a clear warning to take action on malware in their systems.”

Preparing for the Inevitable

Cybersecurity experts agree that it’s only a matter of time before a critical infrastructure network is knocked offline within a Western country.

“Critical infrastructure is already highly connected and, in many cases, dependent on traditional IT devices, networks and even the Internet,” Contos says. “Because of the expanding critical infrastructure footprint and rise in purpose-built attacks designed to target critical infrastructure, it’s not a question of will critical infrastructure be knocked out by a cyber-attack but when and how severely.”

And although it’s difficult to predict when a cyber-attack against critical infrastructure will occur, Kellermann says the “writing is on the wall” that one is going to take place again soon.

“Many critical infrastructure organizations are relying on outdated technologies and security policies. Couple that with geopolitical tension reaching a tipping point around the globe and you have an environment that’s ripe for attacking,” he says. “Having been a white hat for 22 years, I have never been more concerned.”

About the Author:

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].