SCADA Security 2012 Crystal Ball
The Oscar season is upon us and instead of predicting who will win Academy Awards I am writing today to talk about what I see in my “Crystal Ball” for 2012.
What could 2012 do to top 2010, when the game-changing Stuxnet worm was revealed, or 2011, when Stuxnet's publicity led to researchers and hackers releasing 215 vulnerability disclosures for SCADA / automation products?[1] That is more vulnerabilities than were disclosed in the entire previous decade! Well, humdrum as it may be, my general prediction for cyber security in SCADA / automation is that there will be no big, messy security events in 2012 like those we have seen in the past. No Stuxnet and no Slammer!
Now this might seem like good news, but it isn't. The developers of cyber attacks learnt a lot from Stuxnet, and one lesson was "Don't get found out." As long as your worm stays under the radar, it can do its dirty work for years. We saw this trend start in 2009 and 2010 and then take off last year with sophisticated threats such as Night Dragon, Duqu, and Nitro. Each of these had been running for about a year before it was discovered. All were designed to steal valuable information such as ICS / SCADA designs, exploration lease bid data, or chemical trade secrets.
Night Dragon, Duqu and Nitro
Night Dragon, for example, stole sensitive data such as oil field bids and SCADA operations data from energy and petrochemical companies. The Duqu malware shared a lot of source code with Stuxnet; however, unlike Stuxnet, it was a stealer of information rather than an attacker of PLC systems (Symantec reports that the information it was stealing consisted of design documents for industrial control systems, so perhaps it is a warm-up for another destructive attack). Nitro attacked 25 manufacturers of chemicals and advanced materials for the purpose of industrial espionage, i.e., collecting intellectual property for competitive advantage.
Whether the goal of the malware is IP (intellectual property) theft or reconnaissance for a later destructive attack against automation systems, the impact on organizations could be devastating. Disrupting a competitor's production, short-selling a company's shares, or extorting money under the threat of a disruption are all profitable activities for a criminal or nation-state group.
Eric Byres’ 2012 Predictions
In 2012, I predict that over 500 vulnerabilities in automation products will be disclosed by freelance "researchers" and that half of the disclosures will include sample attack code. This prediction is off to a strong start with the numerous disclosures revealed at the S4 Project Basecamp session last week.
My second prediction is that the trend toward stealthy industrial malware will continue. Like the 2011 trio of Night Dragon, Duqu and Nitro, it may remain undetected for long periods of time and may only come to light when it is too late to prevent significant business or process damage.
Complacency is the Enemy
All of this means that the bad guys increasingly know where to find holes in automation products, they are being spoon-fed the software to exploit those holes, and they have public examples of how to cover their tracks.
There are two bottom lines for operators. First, if you think your system has never been penetrated, you have not looked hard enough. Second, keeping all malware out of an ICS is impossible. The only way to avoid expensive business losses or production disruption is to start protecting your system with defense-in-depth measures today.
Check back this time next year to see if my predictions came true or whether I will have to eat crow…
[1] Even more alarmingly, about 40% of the 2011 ICS security disclosures were accompanied by attack code.
Related Content to Download
White Paper - "Effective OPC Security for Control Systems"
Related Links from Practical SCADA Security
- S4 SCADA Security Symposium Takeaway: Time for a Revolution
- #1 ICS and SCADA Security Myth: Protection by Air Gap
Related Links from Third Party Sources
- Wired.com: Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software
- Mcafee.com: Global energy Cyber Attacks “Night Dragon”
- Symantec.com: W32.Duqu - The precursor to the next Stuxnet
- Symantec.com: The Nitro Attacks - Stealing Secrets from the Chemical Industry