The most frequent question I get from reporters is “why haven’t we seen more security incidents in ICS”? It is now common knowledge that ICS are vulnerable, and eventually we will get the message out that they are, in fact, insecure by design. Why aren’t we seeing parts of the critical infrastructure, factories, building automation systems and more go down?
- There are more security incidents than you hear about, accidental, non-directed (such as mass market malware) and directed attacks. The ICS world does not talk publicly about security incidents any more than other sectors.
- There are potentially large consequences to taking out critical infrastructure. People could die; major environmental damage; large economic damage; and a big bullseye on whoever is responsible. An attacker will get a lot of attention attacking critical infrastructure even if he does not try to cause an outage or damage. Hunted down, jail, drone strike … and for what gain?
- Lack of a profit motive or business model for ICS cyber crime. Security incidents jump in volume when criminals learn how to make money from the incident. Most of the ICS cyber incidents reported by ICS-CERT and others actually are attacks on the corporate network that runs an ICS. Manufacturing recipes, oil exploration data and other business data can be monetized.
- The nation states who have exploited their adversaries’ critical infrastructure ICS have not received the order to attack.
I’ve been thinking about that last bullet for a while now. It led to the paper Offensive Cyber Weapons, an ICSage session on Preparation and Persistence of ICS Cyber Weapons, and our PLCpwn research project. Every week there are more quotes and information that indicate the US and other nation states are deploying ICS cyber weapons in adversary critical infrastructure to have a capability to use the ICS cyber weapon when requested.
Here are two recent items that stood out:
A Der Spiegel interview with General Michael Hayden:
As part of our military thought, we now think of cyber as a domain. Let me define air dominance for you: Air dominance is the ability of the United States to use the air domain at times and places of its own choosing while denying its use to its adversaries at times and places when it is in our legitimate national interest to do so. It’s just a natural thing for him to transfer that to the cyber domain.
If a military wants the capability to use the “cyber domain” to take out part of an adversary’s critical infrastructure “at the time and place of its choosing”, it is necessary to have the ICS exploit in place and the ability to communicate with the exploit. (My Preparation and Persistence items).
The other item comes from the NYT article on the NSA Shotgiant program to compromise Huawei equipment:
N.S.A. analysts made clear that they were looking for more than just “signals intelligence” about the company and its connections to Chinese leaders; they wanted to learn how to pierce its systems so that when adversaries and allies bought Huawei equipment, the United States would be plugged into those networks. (The Times withheld technical details of the operation at the request of the Obama administration, which cited national security concerns.)
Planning and deployment of the exploit is very helpful if a nation state or other organization wants a reliable capability to effectively launch a cyber attack. Another pertinent example is NSA’s introduction of vulnerable crypto into RSA. The virtual stack of articles I’m collecting on offensive cyber efforts is large and only the proverbial tip of the iceberg that is visible.
The increasing offensive effort combined with the vulnerable and insecure-by-design ICS leads to the conclusion that exploits are already deployed on critical infrastructure ICS around the world awaiting an order to attack. Since effective ICS offensive efforts are increasing at a much faster rate than effective ICS defensive efforts, the number of critical infrastructure ICS awaiting an order is likely to increase over the next 1 to 3 years. Perhaps there will be some ICS that have deployed exploits from multiple countries awaiting an order.
And don’t assume the weapon does not exist and is not deployed just because you don’t see a critical infrastructure ICS suffer a cyber attack. Most weapons are never used against a potential adversary.
Loyal readers may have noticed that we haven’t written about whether what NSA and other organizations around the world are doing is right or wrong. It is an important discussion, but our focus on this site is security, not ethics. We will increasingly cover what is happening in ICS cyber weapons and how this affects offensive and defensive ICS security programs.
I may be biased as an ex-NSA guy from decades ago, but I think a lot of the anger aimed at NSA is misdirected. An organization like NSA is tasked with missions and given rules, or lines they must not cross, to achieve those missions. There are a lot of talented and dedicated people who believe in the mission at NSA, and they will do whatever they can within the rules to achieve it.
The mission has expanded and the rules have gotten very loose since 9/11 (it’s very different from the 80’s, when people would have gone to jail for what is done now). Some of this is necessary because the Internet wasn’t an issue in the 80’s, but what the administration is asking from NSA and what Congress allows NSA to do are perhaps better areas to focus attention on.
Image by U.K. Ministry of Defence