In-brief: Seven years after the Stuxnet worm proved that attacks on industrial environments were possible, many industrial and manufacturing firms still lack basic elements of an effective information security strategy, a new report finds.
It has been seven years since the Stuxnet worm was discovered “in the wild” by Sergey Ulasen of the firm VirusBlokAda, putting the world on notice that industrial equipment and environments could be the targets of malicious software and cyber attacks. But that message has largely been lost on industrial firms, many of which still struggle to implement basic elements of an effective security strategy, a new report finds.
Vulnerable software and communications protocols, outdated hardware and lax password administration are among the top six problems plaguing industrial concerns, leaving industrial environments such as manufacturing plants vulnerable to damaging cyber attacks, according to a report by the security firm FireEye. (Registration required.) More industry investment in cyber security is desperately needed within the industrial sector, where the perception of cyber risk still lags, the firm said.
The report is intended to distill the challenges facing the industrial sector into a manageable list of the most important issues – akin to the OWASP Top 10, a frequently cited list of the most serious security problems facing web applications, said Sean McBride, a Lead Analyst at FireEye iSIGHT Intelligence. The list of challenges, dubbed by FireEye “The Subversive Six,” is intended to serve as a set of talking or reference points between plant operations and information security teams, said McBride. “We wanted to define clearly what we see as the top items,” he said.
In addition to the items mentioned above, FireEye warned about the scourge of weak file integrity checking of firmware updates and other software, vulnerable control logic on industrial devices, the heavy reliance on Microsoft Windows systems to manage industrial devices – many of them vulnerable to attack – and poorly understood or documented third-party dependencies in industrial control system products.
Industrial and manufacturing firms as well as critical infrastructure providers face a number of challenges, McBride said. Most have to manage populations of legacy equipment that were not designed with security in mind. “You might have control systems in a facility that range from SCADA systems to relays and sensors. Some of those have been deployed for many years,” he said.
Depending on the industry, operating margins may be thin and investment dollars may be focused on capital expenditures (replacing aging equipment and facilities) rather than on information security. The result is that vendors face little customer pressure to improve the security of their products, but a lot of customer pressure to keep prices low. Some even continue to sell products that have been shown to be insecure by security researchers, he said. “Getting companies to invest in something that is new or more secure is a challenge,” McBride said. “They’re more than willing to invest in new substations or distribution lines. The challenge is getting security built into those investments.”
McBride notes that there is some evidence of progress. Industry efforts such as the OPC-UA industrial automation standard aim to replace insecure communications with more secure alternatives. But asset owners need to change their practices to focus on cyber security risks and attacks.
“They need to start to watch what is going on in a close way,” McBride said. “They should be doing deeper inspection of packets, monitoring changes in set points, limiting the IP addresses that are authorized to update the logic running on a controller,” he said.
The low-hanging fruit is file integrity checking and the use of insecure (unauthenticated) protocols, McBride said. “From a technology point of view, solving those issues puts industrial control systems on par with standard IT systems,” he said.
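One way to implement two of the practices McBride describes above, an allowlist of hosts permitted to update controller logic and monitoring for abrupt set-point changes, as an added Python example that is not from the FireEye report or this article. The event log, tag names, network range and threshold are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of controller write events, as a passive monitor on the
# control network might log them: (source IP, operation, tag, value).
EVENTS = [
    ("10.1.20.5", "setpoint_write", "TIC-101.SP", 72.0),
    ("10.1.20.5", "setpoint_write", "TIC-101.SP", 73.5),
    ("10.1.20.5", "setpoint_write", "TIC-101.SP", 140.0),  # abrupt jump
    ("10.1.30.9", "logic_download", "PLC-7", None),        # not on allowlist
    ("10.1.20.7", "logic_download", "PLC-7", None),        # engineering workstation
]

# Hypothetical policy: only hosts in this range may change controller logic,
# and a set point may move at most this far between consecutive writes.
LOGIC_UPDATE_ALLOWLIST = ipaddress.ip_network("10.1.20.0/29")  # .0 through .7
SETPOINT_MAX_DELTA = {"TIC-101.SP": 10.0}


@dataclass(frozen=True)
class Alert:
    kind: str
    src: str
    tag: str
    detail: str


def check_events(events, allowlist=LOGIC_UPDATE_ALLOWLIST, max_delta=SETPOINT_MAX_DELTA):
    """Return alerts for unauthorized logic downloads and abrupt set-point changes."""
    alerts = []
    last_value = {}  # most recent accepted value per tag
    for src, op, tag, value in events:
        if op == "logic_download":
            if ipaddress.ip_address(src) not in allowlist:
                alerts.append(Alert("unauthorized_logic_download", src, tag,
                                    f"{src} is outside {allowlist}"))
        elif op == "setpoint_write":
            prev = last_value.get(tag)
            limit = max_delta.get(tag)
            if prev is not None and limit is not None and abs(value - prev) > limit:
                alerts.append(Alert("setpoint_jump", src, tag,
                                    f"{prev} -> {value} exceeds +/-{limit}"))
            last_value[tag] = value
    return alerts


if __name__ == "__main__":
    for alert in check_events(EVENTS):
        print(alert.kind, alert.src, alert.tag, alert.detail)
```

Run against the sample events, the checker raises one alert for the 73.5 to 140.0 set-point jump and one for the logic download from 10.1.30.9; the download from the allowlisted workstation passes.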
Attacks on critical infrastructure are still a rare occurrence measured next to attacks on traditional IT systems. Even cyber attacks on critical infrastructure, like power plants in Ukraine, have been limited in both scope and duration. But the problem and the attacks will not necessarily stay small or limited in scope, he said. That puts pressure on operations and security teams to come together and fix the problem, he said.
A 2015 report from the Department of Homeland Security found that so-called “advanced persistent threat” actors were linked to more than half of industrial control system (ICS) incident reports filed during 2014. Among the 245 incidents reported were malware infections on “air-gapped control system networks,” strategic compromises of so-called “watering hole” web sites and the use of previously unknown or “zero day” vulnerabilities in industrial control system software. DHS found 55% involved APT or sophisticated actors. Hacktivists, malicious insiders and cyber criminals were behind other incidents. In many other cases, asset owners were unable to determine who or what was attacking them, the report found.