Breaking News: ESET has discovered malware, named Industroyer, that it describes as the biggest threat to critical infrastructure since Stuxnet (the malicious worm responsible for causing substantial damage to Iran’s nuclear program).
As its name suggests, Industroyer was designed to disrupt critical industrial processes. The original blog post can be found here and the accompanying whitepaper can be read here. IT security experts from One Identity, Nozomi Networks, FireMon and AlienVault commented below.
Andrew Clarke, EMEA Director at One Identity:
“The big question is how the malware gets onto the network in the first place. It is likely that it is taking advantage of vulnerabilities that have existed for some time; as is typical in operational industrial systems, since a system provides a specific function it doesn’t need to be modified, apart from the fact that those vulnerabilities are like an unlocked door. Attention needs to be paid to those systems, and specifically to looking at what external access is possible and then closing down that access, or at least ensuring the access is only permitted for authorised and authenticated personnel/systems. Often there are hardcoded passwords in complex systems which are needed for fast interaction; using tools that control application-to-application privileged password usage, these can be replaced by programmatic calls that access a privileged password safe. There is no doubt that in our modern interconnected world, the traditional control systems that our society has relied on for so long are in much need of a cybersecurity upgrade!”
Andrea Carcano, Co-Founder and Chief Product Officer at Nozomi Networks:
Andrea says, “The implications of the Crash Override or Industroyer malware are significant. Unlike Stuxnet, which was designed to attack a particular uranium enrichment plant, this malware is broad-based and could affect power grids in many countries. We recommend that electric utilities monitor and improve their cyber resiliency programs, including implementing real-time ICS cybersecurity and visibility solutions.”
Paul Calatayud, Chief Technology Officer at FireMon:
“The best way to protect these systems would be to deploy network segmentation to limit access to the ICS assets. The malware usually needs to be installed by a remote attack from outside the organisation. Limiting or preventing access would stop the ability of this attack to communicate with these systems. Furthermore, deploying network security policy management technologies would allow centralised monitoring of segmentation policies to ensure this defence strategy was deployed throughout the grid network.”
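The segmentation-policy monitoring described above can be reduced to a mechanical check: every rule that allows traffic into the ICS zone must come from an authorised source (for example a hardened engineering workstation network), must be restricted to a specific port, and the policy must end in a default deny. The script below is an added example written for this page; it is not code from the article, from FireMon, or from any product. The rule format, the zone addresses, the rule names and the use of TCP 2404 as the permitted ICS protocol port are all constructed assumptions for illustration.

```python
"""Segmentation policy audit for an ICS zone.

Added example, not from the original article or from any vendor product.
Zones, rule names and ports below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule. Rules are evaluated in order; first match wins."""
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    dport: Optional[int]  # TCP port, or None meaning "any port"
    action: str         # "allow" or "deny"


# Constructed zones (assumptions for the example)
ICS_ZONE = ip_network("10.20.0.0/16")       # PLCs, RTUs, HMIs
ENGINEERING_NET = ip_network("10.10.5.0/28")  # authorised jump hosts only
ANY = ip_network("0.0.0.0/0")

# Constructed sample policy in evaluation order
SAMPLE_RULES: List[Rule] = [
    Rule("eng-to-ics-iec104", "10.10.5.0/28", "10.20.0.0/16", 2404, "allow"),
    Rule("corp-to-historian", "10.0.0.0/8", "10.20.7.10/32", 1433, "allow"),
    Rule("vendor-vpn-any", "172.16.0.0/12", "10.20.0.0/16", None, "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


def audit_segmentation(rules: List[Rule],
                       ics_zone=ICS_ZONE,
                       allowed_sources=(ENGINEERING_NET,)) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every rule that weakens ICS segmentation.

    A rule is a finding when it allows traffic whose destination overlaps the
    ICS zone and either (a) its source is not wholly inside an authorised
    network, or (b) it permits every port. A policy that does not end with a
    catch-all deny is reported as well, because an omitted default deny
    silently turns the segmentation boundary into "allow by default".
    """
    findings: List[Tuple[str, str]] = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src, dst = ip_network(rule.src), ip_network(rule.dst)
        if not dst.overlaps(ics_zone):
            continue  # this rule cannot reach the ICS zone at all
        # Source must be a subnet of (or equal to) an authorised network;
        # a broader source such as the whole corporate range is a violation.
        authorised = any(src.subnet_of(net) for net in allowed_sources)
        if not authorised:
            findings.append((rule.name,
                             f"allows {rule.src} into ICS zone {rule.dst}"))
        elif rule.dport is None:
            findings.append((rule.name, "allows every port into ICS zone"))

    last = rules[-1] if rules else None
    if (last is None or last.action != "deny"
            or ip_network(last.src) != ANY or ip_network(last.dst) != ANY):
        findings.append(("<policy>", "no final default-deny rule"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_segmentation(SAMPLE_RULES):
        print(f"VIOLATION {name}: {reason}")
```

Run against the constructed policy, the audit flags the corporate-wide access to the historian and the vendor VPN rule that opens every port, while the narrowly scoped engineering-workstation rule passes. Feeding the same check exported rule sets from each site firewall, on a schedule, is the kind of centralised verification the comment above refers to.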
Chris Doman, Security Researcher at AlienVault:
“Today’s report suggests the later attacks, in 2016, appear to have been more automated. I’ve seen reports these attacks were performed by the same attackers as in 2015, though I haven’t analysed it myself.”