- November 12, 2012
Automation.com, November 2012
By Bill Lydon, Editor
Homeland Security's Lisa Kaiser gave a sobering presentation on cyber security issues and attacks. Kaiser emphasized that we are playing catch-up, noting that Foreign Cyber Espionage in the USA has been more intense in the last few years with a large black market for buying and selling information.
By Bill Lydon, Editor
Homeland Security’s Lisa Kaiser, Operations Lead, Cyber Security Implementation, (CSI) ICS-CERT gave a sobering presentation at the OPC Technology Summit 2012 on cyber security issues and attacks. Kaiser emphasized that we are playing catch-up. She noted that Foreign Cyber Espionage in the USA has been more intense in the last few years with a large black market for buying and selling information. Characterizing the past, Kaiser showed an old EDS video of industrial robots hacked by a child named Suki:
Initially cyber hacking was almost like sport but now it is becoming far more serious. Kaiser described a cyber-attack in 2007 from an unidentified foreign power that broke into the department of defense, state, commerce, and other government agency systems and downloaded terabytes of information – an amount about the size of the information in the Library of Congress. Another major incident was when the United States Military CENTCOM, Central Command System, was penetrated undetected for several days while attacker gathered information.
Kaiser described various other cyber activities including:
- In 2012 Chinese hackers gained 'full access' to NASA's Jet Propulsion Laboratory that commands 23 spacecraft.
- In the last 6 months malware has been repeatedly used against oil companies.
- 82 targeted intrusions focused on Nuclear power and chemical plants.
- ICS-CERT is tracking a major spear-phishing campaign into U.S. Oil & Natural Gas Pipelines
- 23 pipeline operators were targeted December 2011-May, 2012.
- Attack on Saudi Aramco wiped out 30,000 computer systems in August. The next week RasGas experienced a similar cyber-attack. The malware used stole information and then destroyed data and computer operation.
- ICS-CERT receiving increased reports of attacks on industrial systems.
Kaiser showed data illustrating a 400% increase in the reporting of vulnerabilities to ISC-CERT from 2010 to 2011. In the last six months, ISC-CERT has had over 20,000 reports of unauthorized internet access to control systems.
She played another more serious video from the Middle East in Arabic with English subtitles encouraging followers to initiate “electronic jihad.” The video noted that attacks can be done using their ingenuity from their homes to further the causes of the mujahidin. One highlight included cyber-attacks by a 17 year old young boy that successfully disabled websites including Yahoo, CNN, and Amazon and other U.S. infrastructure using a 133 MHz Pentium PC. The video went on to describe the 2007 cyber-attack on U.S. government systems and encouraged anyone with knowledge of computers to pursue this type of activity to inflict harm and economic costs on the U.S. and others. If video below doesn't play, use this link.
Phishing & Spear phishing
Ordinary phishing emails typically contain a link to a counterfeit website, designed to look like an authentic login page. It will actually capture personal data for cyber criminals, who will use it to commit financial fraud. The emails are typically poorly targeted so the criminal enterprise relies on sheer volume of email to create victims. Spear phishing is different. Targets are identified in advance and the emails that attempt to trick them into handing over personal data can be highly specific. They might purport to come from a friend or colleague, or seek to exploit the target’s known interests.
Using another video, Kaiser illustrated how the control analysis center at Idaho National Laboratories is used to learn about cyber-attacks and how to protect systems. The video showed a chemical pilot plant where experts created a series of remote cyber-attacks to compromise the plant operations causing a potentially dangerous situation. In this case malicious code was embedded in a PowerPoint presentation and inserted into the corporate domain. It opens a covert channel from the victim’s computer through the corporate firewall to the attackers on the internet. Once the attacker has control of the victim’s computer, the attacker uses a variety of scanning mechanisms and network analysis tools to take control of more machines in the corporate environment. By “watching” how machines are exchanging information, the attacker is able to hijack sessions between the corporate domain and the industrial automation system domain. The attacker is then able to extend their covert channel into the automation system’s domain. In this example, the attack took control of pumps to overflow tanks and at the same time the operator screens were controlled to show all systems running normally, effectively masking the attacker’s activity.
iPhone & iPad Issues
Kaiser discussed the Federal Information Processing standard, FIP 140-2, covering encryption and Apple Inc. products. Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules is a U.S. Federal government standard that defines a minimum set of security requirements products must meet to be acceptable for use in the U.S. federal government. When the iPhone was introduced, federal agencies had a meeting with Apple, which included Steve Jobs, with the goal of working with them to have their products certified to FIP 140-2 encryption. The U.S. Federal Government was told that Apple had no interest in pursuing this standard and, as a result, the federal government does not use Apple products. In my discussion with Kaiser, I learned that the government’s computer systems have subsequently been infected with malware because employees plug in Apple devices to charge them. Some federal agencies are using mobile device management systems to integrate Apple devices into the federal ecosystem. The certification is managed by NIST (National Institute of Standards & Technology) and Apple’s iOS is currently pending review. In contrast the U.S. Federal government continues to use Microsoft products since they are certified FIP 140-2.
Kaiser discussed the importance of having awareness campaigns to bring issues that compromise systems to employees’ top of mind. She told a story of how they wrote “classified” on CDs and threw them into parking lots of government facilities. An amazingly large number of federal employees with security clearances picked them up and put them in a computer drive.
There are a great deal of resources available at including:
- Cyber Security Evaluation Tool (CSET)
- Department of Homeland Security: Cyber Security Procurement Language for Control Systems
Thoughts & Observations
Cyber Security has been under discussion for quite some time but it seems to be an issue that doesn’t come to the forefront until major disasters and/or government regulations. It is likely that both of these will be motivators for improving industrial automation systems in the future.
The Cybersecurity Act of 2012 sought to protect computer networks running the power grid, gas pipelines and water supply and transportation systems from hackers by creating a set of security standards for companies to meet. The Act was defeated in Congress.
A draft version of a Presidential Executive Order has been drafted. Homeland Security Secretary, Janet Napolitano, said at a Washington event on Sept. 28, 2012, “The Executive Order is being drafted and in the interagency process. I can’t give you a firm timeline.” The significance of an Executive Order is that anyone doing business with the U.S. Federal government would need to comply. This includes all branches of the federal government including GSA (General Services Administration). The implication of an Executive Order is that industrial automation and building automation products purchased by any Federal government agency would be required to comply with the Executive Order.
I get the impression from listening to Lisa Kaiser and other presentations that cyber-attacks on automation and control systems are increasing significantly - the “big game” has not started yet. Adversaries are just learning, poking and gather data. Winners of classic military battles generally get good reconnaissance and probe at their opponents’ defenses before launching major attacks. Carrying the war analogy further, there are typically campaigns with many battles.
You better take a harder look at cyber security for your automation and control systems.
Did you enjoy this great article?
Check out our free e-newsletters to read more great articles..Subscribe