Following the breaking news that ESET discovered ‘Industroyer’, a malware that is the biggest threat to critical infastructure since Stuxnet (the malicious worm that was responsible for causing substantial damage to Iran’s nuclear program), IT security experts commented below from cyber security professionals on this latest discovery.
Paul Edon, Director at Tripwire:
“Historically Industrial networks have used airgap and diode-based architecture to defend against the risks associated with corporate intranet and Internet communications. However, due to economic pressures i.e. increasing costs and decreasing numbers of skilled resources, it has become necessary for many organisations to centralize some of the management and control functions that would have previously been local to industrial plants, refineries, and distribution facilities. This centralization has meant expanding the reach of the enterprise network into the industrial environment and in doing so exposing those industrial environments to levels of cyber risk for which they were neither secured nor designed.
“Post design security is always a much greater challenge than the “security by design and default” that we would expect today. However, the majority of attacks can still be defended against by employing the same strategy as that used for the enterprise i.e. “Security Best Practise”, “Defence in Depth” and “ Foundational Controls”.
“Security best practise includes selecting suitable frameworks such as NIST, ISO, CIS, ITIL to help direct, manage and drive security programmes. It also means ensuring that your strategy includes all three pillars of security; People, Process and Technology. Protection should apply at all levels; Perimeter, Network and End Point. Finally, select the foundational controls that best suit your environment. There is a wealth of choice – Firewalls, IDS/IPS, Encryption, Duel Factor Authentication, System Integrity Monitoring, Change Management, Off-line Backup, Vulnerability Management and Configuration Management to name but a few.
“We will continue to see the introduction of new threats targeting the industrial technologies, but it is important to understand that good security hygiene will greatly reduce the effectiveness and therefore the success.”
Tim Helming, Director at DomainTools:
“Time will tell whether the risks posed by the Intustroyer malware are realized in actual attacks, but because of both its capabilities and its stealth, it underscores how crucial access control, network segmentation, and the rigorous application of the principle of Least Privilege are. Least Privilege dictates that any entity be given the absolute least level of access required–the ‘entity’ being anything from a kernel module all the way up the stack to the human. The best way to mitigate the risks posed by Industroyer is to prevent its implantation on the trusted network to begin with.”
Andrea Carcano, Co-Founder and Chief Product Officer at Nozomi Networks:
“After years of working closely with global power generators we have seen that network communications across grids are usually very stable and that, once baselined, it’s possible to detect anomalies. Unusual messages using regular power system communication protocols can be identified and flagged, and action can be taken on them before an outage occurs.
“The implications of the Crash Override or Industroyer malware are significant. Unlike Stuxnet, which was designed to attack a particular uranium enrichment plant, this malware is broad-based and could affect power grids in many countries. We recommend that electric utilities monitor and improve their cyber resiliency programs, including implement real-time ICS cybersecurity and visibility solutions.”
John Chirhart, Federal Technical Director at Tenable Network Security:
“With all of the buzz around Industroyer being “the next Stuxnet,” you’d think it was one of the most sophisticated threats out there, but with no zero days in the Industroyer payload, the significance of this malware as a stand-alone event is small.
Security for critical infrastructure assets like industrial control systems is important, but we need to remember that malware like Industroyer, or WannaCry, represent the new normal of today’s fast-paced security environment and require a different approach. There’s no way to be strategic about your security if you’re always reacting to the threat of the day.
As cloud and IoT break down the distinction between operational technology like ICS/SCADA and information technology like laptops and mobile devices, most security vendors have failed to innovate at the rate of change, so the convergence of modern IT and OT computing assets is leaving customers struggling to discover and secure all of the devices on their networks.
Single use “best of breed” security products are no longer enough. CISOs need a unified view from a single platform that can draw on active, passive and agent scanning to see everything from containers to MRI machines. Stop chasing the latest headline-breaking threat and instead, implement a strategic and agile security program to proactively manage cyber risk for the modern enterprise. That’s what separates a world-class cyber organization from a mediocre one.”
Terry Ray, Chief Product Strategist at Imperva:
“We are beginning to see an uptick in infrastructure attacks and in the case of Industroyer, the attackers seem to have extensive knowledge about industrial control protocols. Since the industrial controls used in the Ukraine are the same in other parts of Europe, the Middle East and Asia, we could see more of these attacks in the future. And while these attackers seem to be content to disrupt the system, it’s not outside the realm of possibility that they could take things a step further and inflict damage to the systems themselves.
While ICS are used heavily in energy and water, both certainly critical infrastructure, it is also used in large scale automation, which can include, manufacturing, shipping, aerospace and other industries that should also take note of such exploits.
Many of these industrial control systems have been in operation for years with little or no modification (no anti-virus updates or patches). This leaves them open to a wide range of cyber threats. It is therefore imperative that we find alternative measures to manage the risk.”
Andrew Clarke, EMEA Director at One Identity:
- Is ‘Industroyer’ as scary as it sounds?
- Yes, this is as scary as it sounds. First, it’s very difficult to detect because it uses known and allowable code yet in nefarious modes. In addition, we’re not talking about stealing some incriminating photos from some celebrities cloud storage location. This is controlling the power grid. It means that hospitals could lose power mid-surgery. Or traffic lights cut out causing accidents. The ability to alert citizens to bad weather halts.
- What are the Implications?
- The implications are vast and varied. I highlighted some of the short term results of a hacker owning the grid. But what should a government do to halt this? To begin with, government needs to make more and better investments in technology. This costs money and government only has so much investment dollars. Every dollar spent in security is a dollar not spent on roads, or education – a difficult set of choices to be sure. In addition, government must demand from its supplier better and tighter security so these types of hacks are identified and stopped in its tracks and vendors need to provide these improvements.
- Is it defensible?
- The good news is that everything is defensible – but at a cost. Is the solution a software solution? Or do all these pieces of hardware need to be upgraded? Vastly different costs which will impact the government and citizens separately.
- What makes this industry so susceptible?
- Candidly, I don’t think this industry is any more or less susceptible than any other industry. It’s more to the point that the results of a hack to the power grid are far dangerous than an individual losing control over their checking account. When the grid goes down, millions are affected and in a very bad way.
- What can be done?
- Security is a never-ending dance. The hackers create a method of hacking, organizations and vendors change their solution to address that vulnerability. The hackers change their modus operandi, vendors adapt. There is no end in sight for this cycle of hack and solution.Organizations need to factor this effort and cost into their future operating costs.