Saudi Aramco admitted that about 30,000 computers had been infected with malware known as Shamoon. They were quick to point out that “its primary enterprise systems of hydrocarbon exploration and production were unaffected as they operate on isolated network systems. Production plants were also fully operational as these control systems are also isolated.”
If true, this is actually quite impressive (more on this later), and it provides a good opportunity to review emergency ICS isolation.
We always recommend that owner/operator clients have a set procedure for physically disconnecting the SCADA or DCS (Purdue/ISA-95 Model Level 2) from the corporate network (Level 4), along with increased restrictions on connecting laptops or USB drives to the SCADA or DCS. The procedure should answer at least these questions:
- What are the typical conditions that warrant a disconnection? (a security incident on the corporate network is one)
- Who decides when the physical disconnect takes place?
- Who decides when the physical connection can be reestablished?
The Aramco incident raises another key ICS security point: nothing required for operation of the process should be on the corporate network. Most operations teams agree with this from the start, but all too often we find monitoring systems relied on by the control center, or even systems capable of control, on the corporate network. In the latter case, it is usually a system on the corporate network that is used only for non-essential monitoring but is still capable of control. Of course, attackers may not limit themselves to monitoring only.
Now back to the impressive claim that Aramco’s ICS was unaffected. First, they likely mean isolated in the sense of restricted and minimal connections rather than no communication at all. One definition of isolation is minimal contact, so in that sense the statement would be accurate. That said, Aramco’s ICS are almost certainly in a separate zone, with a firewall creating the security perimeter.
Most, but certainly not all, organizations do not allow the file sharing ports through the ICS security perimeter, and thankfully I have yet to see a SCADA or DCS that allows inbound email. So the firewall should have done its job of protecting the ICS from Shamoon on the corporate network. However, at the time all these computers were getting wiped, Shamoon was an unknown attack, and that should have triggered the complete ICS isolation.
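The two perimeter checks just described (file sharing and inbound email allowed from Level 4 into Level 2) and the emergency disconnect procedure from the start of the post, as an added example that is not Aramco's or the author's code; the Rule schema, the port lists and the sample rule set are assumptions constructed for illustration:

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple
# Assumed service lists: Windows file sharing (NetBIOS/SMB) and mail protocols.
FILE_SHARING = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}
EMAIL = {("tcp", 25), ("tcp", 587), ("tcp", 110), ("tcp", 143), ("tcp", 993), ("tcp", 995)}

@dataclass(frozen=True)
class Rule:
    name: str
    src_level: int       # Purdue/ISA-95 level of the source zone (4 = corporate)
    dst_level: int       # Purdue/ISA-95 level of the destination zone (2 = SCADA/DCS)
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"

def crosses_perimeter(rule: Rule) -> bool:
    """Traffic crossing the ICS security perimeter in either direction."""
    return (rule.src_level >= 4) != (rule.dst_level >= 4)

def hits(rule: Rule, services: Set[Tuple[str, int]]) -> bool:
    protos = ("tcp", "udp") if rule.proto == "any" else (rule.proto,)
    return any((p, rule.port) in services for p in protos)

def perimeter_findings(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule name, reason) for each allow rule letting file sharing or email into the ICS."""
    out = []
    for r in rules:
        if r.action != "allow" or r.src_level < 4 or r.dst_level > 2:
            continue
        if r.port is None:
            out.append((r.name, "any-port allow into ICS"))
        elif hits(r, FILE_SHARING):
            out.append((r.name, "file sharing into ICS"))
        elif hits(r, EMAIL):
            out.append((r.name, "inbound email into ICS"))
    return out

def emergency_isolation(rules: List[Rule]) -> List[Rule]:
    """The disconnect decision as policy: every perimeter-crossing rule becomes deny."""
    return [replace(r, action="deny") if crosses_perimeter(r) else r for r in rules]

# Constructed sample rule set for a Level 4 <-> Level 2 perimeter.
SAMPLE_RULES = [
    Rule("historian-to-corp", 2, 4, "tcp", 1433, "allow"),
    Rule("corp-smb-to-eng-ws", 4, 2, "tcp", 445, "allow"),
    Rule("corp-smtp-to-hmi", 4, 2, "tcp", 25, "allow"),
    Rule("corp-any-to-ics", 4, 2, "any", None, "allow"),
    Rule("ntp-from-l3", 3, 2, "udp", 123, "allow"),
    Rule("default-deny", 4, 2, "any", None, "deny"),
]
```

Running `perimeter_findings(SAMPLE_RULES)` flags the three corporate-to-ICS allows, and `perimeter_findings(emergency_isolation(SAMPLE_RULES))` is empty because the isolation step has turned every perimeter-crossing rule into a deny while leaving the Level 3 to Level 2 rule alone.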