A Nasty New World of Cyber Threats for ICS and SCADA Security
February has not been a good month for ICS and SCADA security, at least not if you want to feel secure.
Vendor Vulnerability Reports
First, there has been a blizzard of vendor vulnerability reports. Microsoft started the show with a security bulletin (and patch release) for 12 security updates. Three of the vulnerabilities have a maximum severity rating of critical - the highest possible rating. While certainly not Microsoft’s worse month for vulnerabilities, it wasn’t good news.
The same day Adobe released patches for their popular Reader and Acrobat products. These patches were also critical as exploits are now circulating that allow attackers to infect a computer via a specially crafted PDF file and then run arbitrary software such as keyloggers and backdoors.
Then McAfee published more grim news in a report entitled "Global Energy Cyberattacks: Night Dragon" (interestingly, the report is only published as a PDF – sure hope they patched their Adobe software). The report details advanced persistent threat (APT) activity designed to steal data from companies in the oil, energy, and petrochemical industries.
According to the report, these attacks have been occurring for several years and have resulted in the theft of sensitive information related to proprietary industrial processes, oil and gas project-financing and exploration.
While McAfee was grabbing the headlines, the Canadian Cyber Incident Response Centre (CCIRC) was quietly warning employees that targeted emails were being sent to key government officials. These “Spear Phishing” emails appear to come from trusted individuals or organizations, but actually contain trojanized files such as the previously mentioned PDF documents. And guess what - opening the file activates the malicious code and compromises the official’s computer.
Canadian Government Cyber Attacks
This quiet process exploded when the Canadian Broadcast Corporation, Canada’s national radio and TV service, announced that computers in the Canadian Finance Department and Treasury Board had been infected via spear phishing attacks in January. Both department’s Internet access had to be closed down and is only now being put back on line. The Canadian Defence Development and Research was also attacked several months earlier.
The month is not over and unfortunately more bad news is on the way. If you are a member of Tofinosecurity.com, expect to see a restricted circulation email from us on new SCADA threats and vulnerabilities in the next few days. (If you are not a member, you can join by registering here.)
For the North American ICS/SCADA community, all this is getting even closer to home than Stuxnet did. The Night Dragon report claims that some energy company SCADA systems were targets of the data theft.
Plant Floor Vulnerabilities
The PDF vulnerabilities are definitely bad for the ICS world. Maybe we engineers don’t care if PowerPoint has a vulnerability, but Adobe Reader is found in virtually every HMI or programming station ever installed on a plant floor. How else would we read all those installation and programming manuals?
Now ask yourself, how many of those plant floor Adobe Reader packages have EVER been patched? If the refinery audits I conducted a few years ago are any indication, the answer is probably none. Windows might be on the plant floor patch cycle, but most applications get forgotten. That is a mistake – vulnerabilities aren’t just an operating system problem.
Unfortunately this past month is probably just a sign of things to come for the next decade. Welcome to the new world of cyber nastiness. For our part, we will be doing everything we can to share information that will help you secure your control system.
For more information on Night Dragon, see Industry News: Operation Night Dragon.
To become a member of Tofinosecurity.com, register here.
For more information on Advanced Persistent Threats (APTs), see my Jan 17th article: Stuxnet Guidance: The Good, The Bad and The Ugly.