4SICS Conference: Vulnerable Collider, Havex Trojan and Other Russian Threats
Modern process control systems are increasingly vulnerable to hackers, yet vendors and users are in no hurry to acknowledge and correct this dangerous situation. That observation became the main topic of discussion at the 4SICS international summit on industrial control system security, held in late October in Stockholm.
“Despite the entire Internet revolution, we are still not sufficiently concerned about security, because the old IT paradigm tells us: we operate autonomously, we are not connected to anyone, we have our own cunning software, and no one can attack us. But reality changed a long time ago,” said one of the event's keynote speakers, Stefan Lüders, head of computer security at the European Organization for Nuclear Research (CERN).
Among the problems of this “new reality” that trouble Lüders are the shortcomings of the Siemens SIMATIC WinCC Open Architecture platform, which is used to run many critical facilities around the world, from Zurich Airport to the Large Hadron Collider (the latter being CERN's own). Vulnerabilities in this SCADA platform were found two years ago by Positive Technologies experts, who demonstrated how the flaws could be used to gain full access to the control system.
At 4SICS, Positive Technologies Deputy Director General Sergey Gordeychik demonstrated new examples of the techno-nightmares an attack on SCADA systems could cause. His talk, The Great Train Cyber Robbery, showed how vulnerabilities in the IT components of ICS can affect functional safety in various industries. Sergey stressed that these are not isolated cases: the company's experts regularly find zero-day vulnerabilities in SCADA products while assessing the security of solutions from various manufacturers, including ABB, Emerson, Honeywell and Siemens.
It is worth noting that the conference was held in the Swedish capital just as a Russian submarine was being stubbornly hunted in the country's territorial waters. Although this is not the first time in the past 33 years that the Swedes have searched for this mysterious submarine, the current campaign was particularly noisy: thanks to the media and social networks, one amateur photo of the
For example, a representative of the Swedish information security company Netresec gave a presentation on the Havex Trojan, which was used this year in a multi-stage attack on European industrial control systems: the attackers compromised vendor web sites and trojanized the official SCADA software distributions hosted there, which customers then downloaded and put into operation. As a result, the attackers gained control over control systems at several companies in France, Germany and other countries where the infected software was used.
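The attack described above works because the customer trusts whatever the vendor's download site serves. The check below is an added example, not code from Netresec, from the conference, or from any Havex analysis: it verifies a downloaded distribution against a file manifest the operator obtained out of band (from vendor documentation, signed mail, or an earlier trusted download), because a manifest or hash fetched from the same compromised site proves nothing. The zip layout, the `MANIFEST.txt` format, the file names and the sample contents are all constructed for illustration.

```python
"""Integrity check for a downloaded ICS installer archive (constructed example)."""
import hashlib
import io
import zipfile

MANIFEST_NAME = "MANIFEST.txt"   # assumed format: "<sha256>  <path>" per line


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """One '<sha256>  <path>' line per file, sorted by path (assumed format)."""
    return "".join(f"{sha256(b)}  {name}\n" for name, b in sorted(files.items()))


def build_archive(files: dict) -> bytes:
    """Build an in-memory zip distribution that bundles its own manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST_NAME, build_manifest(files))
        for name, b in files.items():
            zf.writestr(name, b)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    expected = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.partition("  ")
            expected[path] = digest
    return expected


def verify_archive(archive: bytes, trusted_manifest: str) -> list:
    """Return findings; an empty list means every member matches the trusted manifest.

    trusted_manifest must come from somewhere the attacker does not control;
    the copy bundled inside the archive is only compared as a warning signal.
    """
    findings = []
    expected = parse_manifest(trusted_manifest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = set(zf.namelist())
        if MANIFEST_NAME in names and zf.read(MANIFEST_NAME).decode() != trusted_manifest:
            findings.append("bundled manifest differs from trusted copy")
        for path, digest in expected.items():          # every file the vendor shipped
            if path not in names:
                findings.append(f"listed file missing: {path}")
            elif sha256(zf.read(path)) != digest:
                findings.append(f"modified: {path}")
        for path in sorted(names - set(expected) - {MANIFEST_NAME}):   # anything extra
            findings.append(f"unlisted file: {path}")
    return findings


# Constructed sample: the genuine vendor distribution and its manifest,
# which the operator records out of band before trusting any download.
GENUINE_FILES = {
    "setup.exe": b"MZ genuine installer stub",
    "drivers/opc.dll": b"MZ genuine OPC driver",
}
GENUINE = build_archive(GENUINE_FILES)
TRUSTED_MANIFEST = build_manifest(GENUINE_FILES)

# Constructed sample: what a compromised download site might serve instead.
# The attacker rebuilt the archive, so its bundled manifest matches the
# tampered contents; only the out-of-band copy exposes the changes.
TROJANIZED = build_archive({
    "setup.exe": b"MZ genuine installer stub + loader patch",
    "drivers/opc.dll": b"MZ genuine OPC driver",
    "drivers/helper.dll": b"MZ extra payload",
})

if __name__ == "__main__":
    print("genuine   :", verify_archive(GENUINE, TRUSTED_MANIFEST) or "OK")
    print("trojanized:", verify_archive(TROJANIZED, TRUSTED_MANIFEST))
```

Run stand-alone, the genuine archive passes while the trojanized one is reported with a differing bundled manifest, a modified installer and an unlisted extra library. In practice the trusted manifest would be a vendor signature verified with a key obtained outside the download channel; a plain hash list is used here only to keep the example self-contained.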
Overall, the Swedish experts' report was highly informative; it even named the vendors whose sites had distributed the infected software. At the same time, the very first slides of the presentation carried the claim that the hacker group was operating “from the territory of Russia, in the interests of Russia, and probably with the support of the Russian authorities”:
"ENERGETIC BEAR is operating out of Russia, or at least on behalf of Russia-based interests, and it is possible that their operations are carried out with the sponsorship or knowledge of the Russian state."
However, there were also speakers at the conference who appreciated the contribution of Russian information security experts to the betterment of the world. One was John Matherly, creator of the Shodan.io project. This “IoT search engine” crawls the Internet for industrial control systems reachable online and displays them on an interactive map. Presenting his project's results at the 4SICS forum, John Matherly warmly thanked the ICS security team at Positive Technologies, in particular Dmitry Efanov and Alexander Timorin.
At the end of the conference, participants held a round table on forecasts for industrial control system security over the next 5-10 years. The forecasts were gloomy: the end of support for Windows XP was named the most serious security challenge of the near future, and the overall conclusion was that no improvement should be expected. Dale Peterson, founder of Digital Bond and a former NSA analyst, summed up this decadent mood very succinctly: "Well then, just relax."