By Eric Knapp
In films, cyber incidents have long been able to cross the divide from the digital to the physical. We’ve seen fictional code destroy everything from top-secret government facilities to invading alien spaceships. We’ve seen criminals ransom companies, cities and even nations under the threat of some impending cyber-catastrophe. Just a few years ago, these scenarios were confined to the realm of science fiction.
Now, they’re an unfortunate part of history. Like many technologies introduced to us through science fiction, malware has evolved to a level where these types of threats are not only possible, some of them have actually been realized.
Malware has grown up.
Decades ago, the Creeper malware was popping up on computer screens, challenging users to “catch me if you can.” Today, malware is a bit more sophisticated. It’s modular, intelligent and highly adaptive, able to recognize the systems upon which it’s installed and change its behavior accordingly. It’s sneaky, capable of hiding its tracks, burrowing into legitimate processes, and—if it is discovered—mutating, surviving reboots and remaining frustratingly persistent.
The first highly publicized example of fiction turning to fact happened over four years ago, when a nuclear facility was effectively sabotaged via a custom, targeted cyber weapon.
Cyber incidents had resulted in physical consequences even earlier, but never before with malware this sophisticated and focused, built specifically to target industrial control systems. Phrases like “military-grade malware,” “weaponized cyber” and “cyber war” appeared in headlines around the globe.
In the past years, the trend has continued at an alarming rate.
We’ve seen examples of coordinated cyber-espionage campaigns such as Night Dragon, DuQu and more recently Dragonfly. We’ve also seen increasingly complex malware, such as the Flame virus, which represents over 20 megabytes of modular, commercial-grade malware. Its capabilities included everything from eavesdropping on Skype conversations to stealing data from nearby Bluetooth devices; a new generation of cyber espionage.
The most recent cyber espionage campaign is still ongoing: the Havex RAT (Remote Access Toolkit) is another example of complex and persistent malware. Through the clever use of Trojanized vendor updates, it was able to infect carefully targeted users in the energy industry. Once installed, Havex scanned for OPC servers and began to enumerate industrial systems. What will happen next? We can only speculate. Anything that we might guess at this point would be … fiction.
Instead of speculating, we can look at the trends of evolving cyber capabilities. By understanding how malware has evolved, and how it continues to be created, we can better understand the threat that it represents.
Malware today is an industry. Like the software industry, the quality and complexity of the product varies, but malware can be (and often is) a commercial-grade product. Why is malware created? For the same reasons that any other product is created: For profit. To launch a successful cyber attack, one needs to have both motive and means. The means, or in this case the malware, can be purchased online. So what about motive?
Again, we can draw upon history to guide us. According to the 2013 Verizon Data Investigations Report, 20 percent of incidents are now targeting energy, transportation and critical manufacturing organizations. In addition to DuQu and Flame, we’ve seen new examples of targeted cyber attacks. Saudi national oil company, Saudi Aramco, was hit hard by the W32.Disttrack virus, also known as Shamoon. The attack was one of the most destructive cyber strikes in history, stealing data and over-writing the boot sectors of infected machines, effectively decommissioning over 30,000 computers.
In early 2013, several Saudi Arabia government websites were temporarily disabled after a series of cyber-attacks. Even more recently a politically motivated group of hackers called AnonGhost threatened to launch cyber-attacks on energy companies Adnoc and Enoc among others globally. They claimed to be protesting the use of the dollar by these companies to trade oil.
It might read like science fiction, but it’s not. And understanding the reality of the situation is the first step toward effective cyber defense.
For vendors, it means understanding how a cyber attack might impact components and systems, and making changes to mitigate that risk. It means implementing a Secure Development Life Cycle (SDLC), with threat modeling, static code analysis, and iterations of reviews, tests and even certifications to ensure that every new product is as secure as it can be, out of the box. It means investing in new technologies, to provide additional layers of security, safety and reliability to new and legacy industrial control systems. It means changing the way they think about cyber security.
For asset owners, it also requires a cultural shift. Cyber security can no longer be explained away as unlikely, or improbable. As a target, you need to think like a target: Where could an attack come from? What could be compromised? How, and why? What would happen if a cyber attack succeeded?
From one perspective, it’s a prescription for paranoia. From another perspective, it’s a rational exercise in risk assessment: determining what the real risk of a cyber incident might be so that appropriate countermeasures can be implemented. It’s a very subtle shift in thinking that will result in a massive improvement in our overall cyber security posture.
So watch those science fiction movies, read some mystery novels, and start to think like a bad guy. If we can understand the threat, we can model it, predict it, and—with some luck—stop it.
There’s not much difference between a virus that can destroy an industrial centrifuge, the one in the movies that destroyed the mothership of an invading alien space fleet, and the next one — the one that hasn’t happened yet, and the consequences of which we can only imagine.
Eric Knapp is global director of cyber security solutions and technology for Honeywell Process Solutions.