By Joel Langill
Dragonfly was a wake-up call for discrete manufacturers and the industrial control system [ICS] providers that support them, and the malware campaign also showed the need for a new security model.
Unique in its method of attacking ICS equipment that is part of the critical infrastructure in manufacturing environments, Dragonfly elevated the need to change the approach to protecting industrial environments.
While the Dragonfly campaign was originally believed to have targeted the energy sector, research I conducted on behalf of Belden revealed the malware most likely focused on pharmaceutical targets. That impact is discussed in A New Era for ICS Security: Dragonfly Introduces Offense in Depth.
Dragonfly Escalates the Challenge
Dragonfly was not the first cyber campaign to attack industrial control systems. In 2010, Stuxnet was discovered launching cyber attacks against Iranian nuclear facilities and may have been the first campaign to leverage the supply chain in order to attack target organizations.
Significantly escalating the sophistication of advanced persistent threats, Dragonfly demonstrates just how critical the risk has become in three key ways:
1) As the first malware attack on the discrete manufacturing sector, Dragonfly clearly exposed the risk that supply chain partners can pose.
2) Created solely for espionage, Dragonfly gathered information for the likely purposes of counterfeiting or competitive intelligence rather than destruction of the industrial control systems it infected.
3) Recognized as “offense in depth,” Dragonfly was pervasive and persistent. The campaign deployed several different types of attacks including spear phishing emails, watering hole attacks and Trojanized-software downloads embedded on the customer support pages of the three ICS vendors at the center of the effort.
Due to its comprehensive nature and the model it provides for others, Dragonfly and its successors represent a tipping point in industrial cyber security. The detection and remediation of sophisticated cyber espionage campaigns require a thorough evaluation of existing approaches and identification of a new model for defending industrial control systems.
Achilles Heel: Traditional Solutions
The impact of Dragonfly’s strategy of using supply chain partners to breach target companies should not be underestimated. Nearly every traditional solution was defeated because of the end user’s trust in the source of the content – whether an email message or a software download.
Solutions that Dragonfly successfully circumvented included:
Application whitelisting: The Trojanized software came from a credible and trusted partner, so users were less likely to question the integrity of the product.
Application blacklisting: These solutions add a further layer of protection using traditional signature-based anti-virus applications. Unfortunately, the leading anti-virus solutions did not release signatures for Havex, the remote access tool which gave hackers back-door access to victims’ computers, until mid-2014.
Restricted user accounts: Users with restricted levels of access were among those who ran the malicious code, and once their systems were breached, they propagated the threat without challenge.
Host-based firewalls: Since the local services being run came from authorized sources and had been properly installed, firewalls would be configured to allow the network access those services needed.
Virtual Private Networks (VPNs): VPNs are widely and deservedly recognized for protecting the integrity, confidentiality and availability of communication from external threats. The risk, however, lies in the simple fact that VPNs do very little to control what comes in and what shows up at the end of the tunnel. Dragonfly’s co-opting of authenticated end points meant malware was able to pass through the tunnel and infect computers without interruption.
New Holistic Model
If trust is what made it possible for Dragonfly to circumvent traditional security solutions, then a new model must limit the risk presented by trust between partners – without limiting the ability for partners to do business together.
Standards play an essential part in security assurance between partners.
First, procurement standards need to be broadened to recognize the risk that supply chain partners pose, especially small companies [in the case of Dragonfly, the suppliers known to have been infected, Mesa Imaging, eWon and MB Connect Line, had fewer than 50 employees].
Procurement Standards for ICS Components
“Cyber Security Procurement Language of Control Systems” from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) offers valuable information for addressing the gaps in cyber security posed by supply chain partners, including:
• Security related to web-based interfaces
• Requirements for internal coding practices used by suppliers
• Precautions to consider at the security perimeter
• Protections for vital information at rest and in transit
Second, for security assurance, manufacturers need to embrace and require that suppliers meet industry specific standards. The International Society of Automation (ISA) has developed a suite of standards, ISA/IEC 62443, specifically designed for industrial automation and control system security. The goal is to offer a consistent mechanism for measuring the security capability of ICS components.
To that end, two certifications have been developed by the ISA Security Compliance Institute that can be used to demonstrate that a component meets the requirements set by the standards:
• The Security Development Lifecycle Assurance certification program evaluates a supplier’s product development lifecycle processes
• The Embedded Device Security Assurance certification program addresses embedded device characteristics and supplier development practices for those devices
Beyond the application of standards, which establish the requirements that partners must meet, the ability to allow access, while controlling that access, is foundational. There are five approaches for ensuring trust is not the lever that allows attacks like Dragonfly to wreak havoc.
1) Network Segmentation: The basic premise behind segmentation is that network traffic is limited to particular zones and networks. This allows security controls to be enforced on the communications links or conduits that exist between zones, so that even “trusted” traffic is vetted before entering a zone and prevented from traversing boundaries it has no need to cross.
2) Network Whitelisting: Similar to application whitelisting, the idea of network whitelisting is to only allow a device to place authorized traffic onto the network. By deploying this approach at the perimeter of critical security zones using a transparent or bridged firewall, organizations gain significant resilience to cyber events by controlling the traffic on the network and the destination of all traffic originating from a particular host.
3) Protocol Whitelisting: Beyond network whitelisting, the increasing sophistication of attacks requires the ability to filter traffic not only on the transports used, but also on the application content. Deep Packet Inspection [DPI], performed by an application-aware device, provides the ability to stop specific application content from entering the network.
4) Email Domain Blacklisting: Free email accounts (Yahoo, MSN, Gmail, etc.) have been consistently used to launch targeted spear phishing attacks such as the ones that were part of Dragonfly. Overall security resiliency will improve when mail from these domains (not just individual email addresses) is blocked from entering business networks.
5) VPNs with DPI/Stateful Firewalls: The limitations of VPNs in cyber protection can be overcome when they are used in combination with:
a. DPI technology to restrict the content of traffic entering the VPN tunnel
b. Stateful firewalls that specify allowed IP addresses and TCP/UDP destination ports of traffic
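The following Python example is added here to make the zone/conduit model above concrete; it is not code from the article or from any vendor product. It applies approaches 1 through 4 to constructed traffic records: zones are defined by address range (segmentation), only explicitly listed conduits between zones are permitted (network whitelisting), and on the one industrial conduit a small parser inspects the application payload so that only read operations pass (protocol whitelisting via DPI). Modbus/TCP is an assumed example protocol, and the zone addresses, conduit rules, blocked mail domains and the two Modbus frames are all constructed for the illustration. The same evaluate() check is what approach 5 places at the end of a VPN tunnel rather than trusting the tunnel itself.

```python
"""Zone/conduit policy evaluation for ICS traffic (added example, not the article's code).

Assumptions: Modbus/TCP on port 502 as the inspected industrial protocol; all
addresses, rules and frames below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# 1) Network segmentation: each zone is an address range (constructed layout).
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.2.0.0/24"),
    "control": ip_network("10.3.0.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is external."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass
class ConduitRule:
    """A whitelisted conduit between two zones, optionally with a DPI constraint."""
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    app: Optional[str] = None                  # "modbus" means inspect the payload
    allowed_funcs: Set[int] = field(default_factory=set)  # permitted Modbus function codes


# 2) Network whitelisting: only these conduits exist; everything else is dropped.
RULES = [
    # Modbus function codes 1-4 are reads; writes (5, 6, 15, 16) are deliberately absent.
    ConduitRule("dmz", "control", "tcp", 502, app="modbus", allowed_funcs={1, 2, 3, 4}),
    ConduitRule("enterprise", "dmz", "tcp", 443),
]

# 4) Email domain blacklisting: constructed list of free-mail domains to reject.
BLOCKED_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "msn.com"}


def is_blocked_sender(address: str) -> bool:
    """Reject a sender on the domain alone, not on individual addresses."""
    _, _, domain = address.rpartition("@")
    return domain.lower() in BLOCKED_MAIL_DOMAINS


def modbus_function_code(payload: bytes) -> Optional[int]:
    """3) Protocol whitelisting helper: parse the 7-byte MBAP header and return
    the function code, or None if the frame is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        return None
    proto_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")   # bytes following the length field
    if proto_id != 0 or length != len(payload) - 6:
        return None
    return payload[7]


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    payload: bytes = b""


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for a flow crossing (or not crossing) a zone boundary."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow", "intra-zone traffic is outside the conduit policy"
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dst_port) != (
            src_zone, dst_zone, flow.proto, flow.dst_port
        ):
            continue
        if rule.app == "modbus":
            code = modbus_function_code(flow.payload)
            if code is None:
                return "deny", "malformed Modbus/TCP frame on industrial conduit"
            if code not in rule.allowed_funcs:
                return "deny", f"Modbus function {code} not whitelisted on {src_zone}->{dst_zone}"
        return "allow", f"conduit {src_zone}->{dst_zone} {rule.proto}/{rule.dst_port}"
    return "deny", f"no conduit defined for {src_zone}->{dst_zone}"


# Constructed frames: Read Holding Registers (func 3) and Write Single Register (func 6).
READ_FRAME = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
WRITE_FRAME = b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x01\x00\x05"

if __name__ == "__main__":
    samples = [
        Flow("10.2.0.5", "10.3.0.10", "tcp", 502, READ_FRAME),    # allowed read
        Flow("10.2.0.5", "10.3.0.10", "tcp", 502, WRITE_FRAME),   # write blocked by DPI
        Flow("10.1.0.5", "10.3.0.10", "tcp", 502, READ_FRAME),    # no enterprise->control conduit
        Flow("203.0.113.7", "10.3.0.10", "tcp", 502, READ_FRAME), # external source, no conduit
    ]
    for f in samples:
        print(f.src, "->", f.dst, *evaluate(f))
    print("sender blocked:", is_blocked_sender("someone@gmail.com"))
```

The point of the example is that trust in the source never enters the decision: a read from the DMZ host is allowed only because a conduit exists and the payload passes inspection, and the same host is refused the moment it attempts a write. Replacing the Modbus parser with one for whatever protocol a site actually runs is the only change needed to reuse the structure.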
What Dragonfly illustrated, through its ability to bypass traditional solutions for securing industrial control systems, is that a more holistic approach is needed. To truly defend against increasingly sophisticated advanced persistent threats, industrial cyber security strategies must recognize that while preventing breaches is desirable, being able to detect and address a breach quickly and effectively is the imperative.
Joel Langill is an independent security researcher, consultant, creator of the website SCADAhacker.com, and founder of RedHat Cyber. For more information on the Dragonfly malware campaign and the new, holistic model required for industrial cyber security, check out Defending Against the Dragonfly Cyber Security Attacks.