Thursday, February 17, 2011

Night Dragon Analysis

Last week I wrote about the Night Dragon vulnerability report put out by DHS ICS-CERT. I did a fairly straightforward report on the ICS-CERT report, though I did note that I was surprised at how simple the attack processes were. Yesterday Andrew Ginter at the Control System Security blog did a much more extensive analysis of the importance of this attack.

I want you to pay particular attention to one specific point that Andrew made. He wrote:

“The McAfee report doesn't say it outright, but it seems very likely that this same adversary could have taken over and sabotaged the physical processes behind the control systems they compromised, if they had been given that objective. The team had remote control of all the control system assets they compromised, and a remote-control tool on a computer with HMI capabilities gives the attacker control of the physical process through the HMI [human machine interface].”

That, combined with the point that Andrew and I both made that this was not a sophisticated attack, should cause a lot of people to be very disturbed. Stuxnet was a complex attack tool that cost a lot of money and expertise to develop. It is unlikely that criminals or terrorists could be expected to develop attacks that sophisticated. Since most facilities are not going to run afoul of state-level agencies, they are at little risk of being attacked by such high-end, custom-built attack tools.

What Night Dragon is so effective at pointing out is that it does not require Stuxnet-level sophistication to execute an attack on a control system. There is a whole host of less sophisticated attack tools readily available that can be used for a Night Dragon-like attack. Many of these tools are available for free download; others are for sale. More importantly, there are a wide variety of people out there who are very skilled in the use of these tools and who are more than willing to sell or rent their skills and expertise in this field.

Fortunately, defending against these types of attacks is also well understood. Andrew, who is in the business of defending cyber control systems, points out the basic techniques:

• “Look seriously at whitelisting/application control/HIPS protections,

• “Increase network segmentation,

• “Strengthen firewall rules, reducing the number and scope of connections,

• “Reduce the number and scope of VPN connections,

• “Install anomaly-based host and network intrusion detection systems,

• “Consider multi-factor authentication to reduce the impact of stolen or cracked passwords, and

• “Consider isolating the most critical parts of your control systems entirely with unidirectional diodes/gateways.”

ICS-CERT has an entire publication dealing with the basic security techniques designed to deal with this type of attack: Control System Security Program (CSSP) Recommended Practices.

Another important component of protecting against this common level of attack is training. So much of cyber security depends on computer users being aware of the potential types of attacks, actively watching their systems, including email, for evidence of these attacks, and responding appropriately.

The McAfee paper made it clear that a key tool in executing these types of attacks is phishing and spear phishing. Finding the weak link in a company's security system can allow an attacker to operate behind many of its security defenses. Ensuring that all computer users are adequately trained to do their part in defending sensitive computer systems is a key part of any cyber security program. Particular attention needs to be paid to any computer user who has routine remote access to the corporate or ICS networks.

While we have been justifiably concerned with advanced attack techniques like Stuxnet, Night Dragon reminds us that more common attacks still have the potential to provide a route into our control systems.
