For years, the U.S. has expressed concerns about potentially tainted supply chains, with some of the tech containing ‘trapdoors’ for espionage. Yet according to Fidelis Cybersecurity CSO Justin Harvey, Chinese state-sponsored attackers have in recent times been “leaving behind something much more sinister: logic-bombs. The theory is that these logic-bombs are being left behind so that in the event of a military strike, China would have the capability to render its foes incapacitated.”
It’s no secret that critical infrastructure in the U.S. is vulnerable. Taking out the power grid could be deadly; at least it appeared so in the secret demo of a simulated cyberattack on New York City, in which the city went dark in the midst of a killer heat wave and “thousands” of people theoretically would have died. A different FEMA training scenario had hacktivists using zero-day attacks on America’s infrastructure; that came after Homeland Security warned that hacktivists could point, click and destroy industrial control systems.
Well, now top defense contractors like Lockheed Martin, Northrop Grumman, Raytheon and other defense firms will be competing for a $460 million U.S. Cyber Command project; former Pentagon officials and contractors told NextGov the contract is for “computer code capable of killing adversaries.” Instead of dropping traditional bombs, the military wants to launch logic bombs, that is, cyber weapons that would “force an enemy’s critical infrastructure to self-destruct.”
A person needs to look no further than the June 2015 Law of War Manual (pdf) to see the types of cyber weapons sanctioned. There are many intricacies in the Cyber Operations chapter, but it doesn't seem like much is absolutely forbidden. For example, cyber operations that could be construed as “use of force” include those that would “(1) trigger a nuclear plant meltdown; (2) open a dam above a populated area, causing destruction; or (3) disable air traffic control services, resulting in airplane crashes.”
How might such cyber weapons work? It’s not uncommon for industrial networks to still be running Windows XP or older systems, while also being connected to the Internet. A cyber weapon, “malicious code designed to target physical processes in industrial facilities, can remain idle for long periods of time,” explained Indegy CEO Barak Perelman; Indegy is an industrial cyber security firm.
The “malicious code can access and compromise Windows-based systems inside the industrial control network.” After a Windows system has been infected, the weapon would be stealthy enough to evade IT security controls while it searches for “a target system.” Perelman told Computerworld, “It is easy for attacks to reach industrial processes, like turbine engines, electrical utilities, petrochemical mechanisms, or water treatment facilities, and cause real physical damage.”
What real physical damage could be done if a cyber weapon attacked turbine engines, electrical utilities, petrochemical mechanisms, or water treatment facilities?
Perelman: A PLC controls the entire life cycle of a turbine. It gets input from sensors and decides on actions within milliseconds. E.g. if the temperature suddenly gets above a certain threshold, it will automatically open a release valve. If it is still rising, it will perform an emergency shutdown of the turbine. The code inside the PLC is also in charge of setting the pressure inside the turbine. A relatively-simple download of code that adds another zero to both the pressure and the threshold will result in a mechanical failure in the optimistic scenario, and an explosion in the worse one.
There have long been warnings about attackers reportedly hacking holes in SCADA (Supervisory Control and Data Acquisition) systems. SCADA systems “automate industrial processes and manage remote equipment. The brains of these systems are programmable logic controllers (PLCs),” Perelman explained. “If a cyber-attack reaches these controllers, changes their logic or takes them out of commission, it can have devastating physical results.”
Perelman: PLCs require little on-going maintenance and often remain in operation for decades. Therefore, it is virtually impossible to maintain an accurate inventory that details where devices are located and what logic they actually run. Also, logs commonly used in IT systems to monitor configuration changes or the last known good configuration do not exist in PLCs. In the event of a cyberattack that alters PLCs, there are no efficient recovery mechanisms in place.
Other than disconnecting from the Internet, since many critical infrastructure facilities have moved away from air-gapped systems, what would be the best way to prevent an attack capable of altering PLCs? Is there a solution which would allow a facility to ensure it has logs or a last known configuration? Is there something industrial facilities can do, backups or another method, to have an efficient recovery mechanism?
Perelman: Disconnecting from the Internet only solves a small part of the problem, as attacks in the past have shown us. To top that, U.S. energy utilities' #1 threat is the insider one, which network segregation doesn't protect against. The key is to provide visibility to all code and logic changes made to a PLC, both from the network and physically on the controller. Once you have that holistic visibility, you can use it to create security alerts on one hand, and back up changes for forensics and recovery purposes on the other. Currently, I'm not aware of any methods in the market that detect code changes except Indegy's. The only solutions we are seeing right now for recovery in the market are either proprietary ones designed for a specific plant, or manually counting on the engineers to perform the backup themselves.
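The following is an added illustration, not code from the article or from Indegy, of the two points above: the turbine PLC decision rule Perelman describes (release valve, then emergency shutdown, as temperature rises) and a "last known good" fingerprint of the controller's parameters that flags the "extra zero" change, names the parameters that now exceed mechanical limits, and hands back the baseline for recovery. The parameter names, limits and values are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed model of the turbine PLC parameters from the interview
# (temperature thresholds and pressure setpoint); field names are assumptions.
@dataclass(frozen=True)
class PlcLogic:
    temp_release_c: float        # open the release valve above this temperature
    temp_shutdown_c: float       # emergency shutdown above this temperature
    pressure_setpoint_bar: float # pressure the PLC holds inside the turbine

# Hypothetical hard mechanical limits that plant engineers would know.
MECHANICAL_LIMITS = {"temp_shutdown_c": 650.0, "pressure_setpoint_bar": 40.0}

def control_action(logic: PlcLogic, temp_c: float) -> str:
    """The PLC decision rule described in the interview, for one sensor reading."""
    if temp_c > logic.temp_shutdown_c:
        return "emergency_shutdown"
    if temp_c > logic.temp_release_c:
        return "open_release_valve"
    return "normal"

def fingerprint(logic: PlcLogic) -> str:
    """Stable SHA-256 over the canonical parameter set: the 'last known good' record."""
    canon = json.dumps(asdict(logic), sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()

def detect_changes(baseline: PlcLogic, current: PlcLogic) -> dict:
    """Compare a live read-back of the controller against the stored baseline.
    Reports whether anything changed, which parameters, which of those are now
    outside mechanical limits, and the baseline to restore if tampered."""
    before, after = asdict(baseline), asdict(current)
    changed = {k: (before[k], v) for k, v in after.items() if before[k] != v}
    unsafe = [k for k, (_, new) in changed.items()
              if k in MECHANICAL_LIMITS and new > MECHANICAL_LIMITS[k]]
    return {"tampered": fingerprint(baseline) != fingerprint(current),
            "changed": changed, "unsafe": unsafe,
            "restore_to": baseline if changed else None}

# Baseline captured at commissioning time (constructed values).
BASELINE = PlcLogic(500.0, 600.0, 30.0)
# The "extra zero" manipulation from the interview, applied to threshold and pressure.
TAMPERED = PlcLogic(500.0, 6000.0, 300.0)

if __name__ == "__main__":
    report = detect_changes(BASELINE, TAMPERED)
    print("tampered:", report["tampered"], "unsafe:", report["unsafe"])
    print("700 C with tampered logic ->", control_action(TAMPERED, 700.0))
```

With the tampered thresholds a 700 C reading no longer triggers the shutdown, which is exactly the condition the fingerprint comparison is meant to alert on before the physical process reaches that point.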
Anonymous insiders at nuclear power plants revealed a lack of cybersecurity awareness, design flaws, threat actors, and a real power struggle between Operational Technology (OT) engineers and IT engineers. Regarding cyber attacks that can take out a nuclear power plant, some executives believe it’s simply “a movie scenario, maybe in the future.”
Perelman added insight into that power struggle. Unlike IT environments, industrial networks typically are comprised of many different proprietary (often undocumented) technologies from vendors like Siemens, Schneider, Rockwell, ABB, Allen-Bradley, etc. This makes monitoring activity and searching for signatures and indicators of compromise challenging. This OT infrastructure makes it difficult (if not impossible) for facilities management personnel to identify malicious code that is manipulating processes and stop it before damage is done.
How can a facility protect against attacks on proprietary, undocumented technologies if the OT side makes it difficult for IT to monitor activity, search for signatures and deploy patches/upgrades?
Perelman: We've seen with our own eyes that when the IT department understands that the OT side cares most about availability and reliability, and adjusts its thinking to that state, the two can work together. This means IT has to use tools that are strictly for monitoring (not blocking) and agent-less in order not to endanger the SCADA stability. Once they do that, everyone can take a step forward with both security and building trust.
South Korea, for example, was hit with a logic bomb in 2013 that wiped hard drives at banks and broadcasting companies. As a result, one inconvenience was that it shut down ATMs and citizens could not withdraw any cash. The cyber attack started when malware infected Windows-based machines. According to a portion of the Law of War, such an attack might only be considered a mere inconvenience. Under Cyber Operations (pdf), it is explained:
“In assessing incidental injury or damage during cyber operations, it may be important to consider that remote harms and lesser forms of harm, such as mere inconveniences or temporary losses, need not be considered in applying the proportionality rule. For example, a minor, brief disruption of internet services to civilians that results incidentally from a cyber attack against a military objective generally would not need to be considered in a proportionality analysis. In addition, the economic harms in the belligerent State resulting from such disruptions, such as civilian businesses in the belligerent State being unable to conduct e-commerce, generally would not need to be considered in a proportionality analysis.”
Whether it was a result of a defense contractor being hacked or brought about in the same way the Stuxnet-like malware Duqu was found in the wild (pdf), what if a cyber weapon being developed under the nearly half-billion-dollar military contract got loose?
Perelman: Cyber-weapons are hard to control. Since attacks are ubiquitous across industrial technology platforms, they can cause collateral damage that impacts companies and industries that were not initially targeted.
The global cyber weapon market is predicted to reach $521.87 billion in 2021. While I can’t imagine any Americans wanting to see U.S. troops in harm’s way, and cyber weapons might prevent the death of soldiers, perhaps the fact that we haven’t been hit with a catastrophic cyber weapon is one more thing to be grateful for this Thanksgiving.