Viruses attacking industrial enterprises as a threat to physical security

Original author: Pieter Arntz

Hello! Today we are sharing an article translated specifically for students of the reverse engineering course. Here it is.

We live in a world where more and more manufacturing processes are controlled by computers, which in turn control robots. This may sound like a safe and efficient way of working, since it removes the human factor from production. But what happens if an attacker decides to compromise the production servers?

Consider some other scenarios in which work processes come to a halt: can ransomware stall production? Can a botnet take control of a production process and instruct the robots to build something else? Do the emergency plans take into account that several systems may be under attack at the same time?

So far, each of these scenarios is harmful only to the business. What happens when a cyber threat turns into a real physical threat? In the manufacturing sector, it is more likely that malware will harm not only data and systems, but also production capacity.

How does industry relate to this?

In a March 2019 commentary on the industrial sector, Deloitte stated that during security assessments they often heard the following:

  • Why would anyone hack us? We are not a nuclear power plant.
  • Our operational systems are not even connected to the Internet, so what is there to worry about?

Needless to say, security through obscurity is no longer a viable strategy, but I am happy to repeat it. Fortunately, Deloitte also noted that the security of Operational Technology (OT) systems has finally attracted much-needed attention.

After all, an attack does not have to be targeted in order to do a lot of damage. And threats can come from the internal network; they do not always depend on Internet access.

A recent example, which must have frightened security staff at large industrial enterprises, was the LockerGoga ransomware attack suffered by the Norwegian aluminum producer Norsk Hydro. As a result, some of the company's plants were forced to switch to manual operation.

What is the danger?

If malware disrupts the organization of production and takes control of certain processes, there are immediate threats to physical safety both inside and outside the industrial enterprise. They include:

  • Extremely high temperatures. High temperatures can be a direct requirement of the production process or a side effect of it. In both cases the heat must be controlled, since elevated temperatures can only be sustained in rooms designed for them. If the controls fail or the heat escapes the specially equipped room, fires, melted equipment or other serious consequences can follow.
  • Radioactivity. We are constantly assured that nuclear power plants are safe, but try telling that to the people who lived near Fukushima or Chernobyl. In June 2017, the Laka Foundation published a list of nearly 1,000 incidents and accidents (or near-accidents) at nuclear power plants and other nuclear facilities. Such reports have been collected by the International Atomic Energy Agency (IAEA) since 1990.
  • Hazardous chemicals. Chemicals are used in many manufacturing processes. They must be used in the exact amount or ratio for the process to work properly. Using the wrong amount of a component can lead to uncontrolled reactions. The hazards commonly associated with chemicals are explosions, fires, toxic emissions, acids and corrosive activity. The risk of suffocation, which can occur when the presence of another gas leaves too little oxygen in the air, should also be considered. In addition, oxidizing chemicals can in principle corrode vital parts of the production equipment.

The above examples are only the extremes that the situation can reach. If you want an idea of how bad things can really get, take a look at this article about an accident involving hazardous chemicals. That accident, in China, left behind an entire crater.

Internet connection

In the past, many accidents were caused by human error in the use of Internet-connected interfaces. Whether it was an architectural mistake or just the slip of a bored operator no longer matters after the fact. However, we must take these risks into account and try to avoid them.

To avoid complicating matters even further, bring-your-own-device should be prohibited. Whether or not people use their own devices to connect to the company's network, their personal devices will be inside the building and can potentially be used as an entry point for gaining access to other systems.

Another issue worth considering is the use of connected devices within the Industrial Internet of Things (IIoT) alongside existing industrial control systems. IIoT is a network of many industrial devices linked by communication technologies. In this way, systems are built that can monitor, collect, share and analyze data and deliver valuable information. It sounds like a great target for an attacker who wants to profit from an organization or simply destroy a factory.

Other viruses

Malware capable of disrupting the production process does not have to be commercial, like the ransomware example we mentioned above. There are many reasons to suppose that malware developed in a manner similar to Stuxnet may be "hibernating" in factories, awaiting a signal to attack.

This type of malware could be planted through a compromised supply chain or other, more common methods. Until it is activated, it can go unnoticed for a long time. Its operators, however, are confident that they can activate it whenever they wish.

The time has come

Now that we have become acquainted with a family of ransomware targeting industrial enterprises, it is time to move on to the various scenarios that might play out if an attacker compromises the automated controls of your plant or factory.

Having a backup system is a good idea in case the control system suddenly turns out to be faulty, but when a large-scale attack hits all of your computers, the backup machine can be just as useless as the main one. At each stage of a process that could prove physically dangerous if operated improperly, a fail-safe mechanism must be present that returns the process to a state in which no external influence can affect it.

Where possible, it would be easier or more sensible to provide manual overrides for important processes, so that production need not stop when the computer systems are compromised.

And the best option is to prevent malware from getting in and seizing the controls in the first place. Implement a strong cybersecurity solution that can block the latest threats and quickly neutralize those that have already entered the system, and your plant will have a better chance of avoiding the dangerous scenarios initiated by attackers.

Even if there is no 100% guarantee of an adequate level of cybersecurity, staying one step ahead of the attackers is the best strategy and can save you from many problems.
Stay safe!

We look forward to your comments, and we also remind you that the traditional free webinar will be held on June 13th.
