andrew@theinternet

ICPSS Lecture Notes - Lesson 5 - Industrial Cyber Security History and Threats

Industrial Cyber Security History and Threats

  • Compared to traditional IT systems, CPSs are:
    • more specialized
    • subject to greater demands on reliability and longevity
    • high-stakes systems

Need to improve

  • The need to improve cannot be overstated
  • Physical security on many CPSs is decent, but digital security is not
    • Physical security is often helped by sites being geographically remote
    • Given that physical security is decent, the digital route usually represents the only feasible way in
  • Historically CPS networks were air-gapped, so infosec was treated as something that didn’t need to be thought about
    • In modern times this air gap almost never actually exists, for cost and convenience reasons

What is the state of the security posture for CPSs?

  • A massive pentest found tens of thousands of vulns
  • It also provided metadata around vendor responses
    • average time to patch a finding was 331 days, with a long right tail
    • industry standard disclosure practice is to disclose upon patch release, leaving a window between patch release and patch application in which exploitation can happen
    • This is not (necessarily) due to negligence. Control systems are hard to patch because of network topology, downtime requirements, and similar constraints.
      • A common response is to focus on strengthening perimeter defenses in lieu of patching

Summary of Past Incident Reports

  • Most attacks seem to be opportunistic
    • This may change going forwards
  • Initial attacks tend to use simpler exploits
    • This may just be because nothing more complex was needed, not because nothing better exists
  • The majority of cyber-attacks are financially motivated
    • Again, may change going forwards
  • New malware samples are increasing at an alarming rate
  • The majority of attacks originate externally
  • However, the majority of incidents affecting industrial systems are unintentional
  • New malware code samples are increasingly more sophisticated
  • Malware and “hacking as a service” are increasingly available

APTs and Weaponized Malware

  • APT Qualities
    • Not intended to impact or disrupt network operations
    • Designed to avoid detection over long periods of time
  • Weaponized Malware Qualities
    • Possible intentions include network disruption
    • Possible intentions include physical damage of systems or devices

High Profile Cases

  • Night Dragon
    • A series of attacks over a 2 year period targeting oil and energy companies, stealing sensitive information
  • Stuxnet
    • A worm developed to infect as many computers as possible.
    • When it found Iranian centrifuges, it activated and ruined them

The future of malware

  • Sophistication will continue to increase over time
  • It’s expensive to develop things from scratch, so it’s reasonable to expect that the majority will be evolutions on existing tools and techniques, instead of from-scratch new builds

Insider Threats

  • One of the most common pitfalls is to roll out security policies without building an appropriate threat model. This results in policies targeting the wrong things.
  • The most probable threat is an insider.
    • Employees with direct access to data
    • Employees with admin privileges
    • Employees with indirect access to data
    • Subcontractors with access to specific ICS components or subsystems for operation
    • Service providers with access to specific ICS components or subsystems for support

Recent history

  • Disclosures spiked around 2010
    • The year Stuxnet was discovered
  • This is likely due to:
    • a combination of increased awareness around ICS
    • increased hacktivism in cultural contexts
    • improved availability of Open Source Tools for conducting attacks