There are two interesting blog posts today (one from DigitalBond and one from the New York Times) about a presentation made last week at the S4 Conference is Miami, FL concerning an experiment to see how hard it would be to gain access to computers owned by people who had access to control systems. The short answer is toooooo easy.
Spear Phishing Experiment
I’m not going to go into details about the experiment, Dale Peterson and Nicole Perlroth both do excellent jobs in their posts, and I seriously recommend reading both. I will mention the following, the 26% of control systems personnel clicking on the ‘malware’ links in the phishing emails included job titles of:
• Control System Supervisor
• Automation Technician
• Equipment Diagnostics Lead
• Instrument Technician
• Senior VP of Operations and Maintenance
These are people that are very likely to have direct access to control systems through the computers that they used to read the spear phishing emails. So malware dropped onto their computers could be expected to make contact with the control systems.
I have written about a significant number of ICS-CERT advisories that point out that the vulnerability would require a ‘social engineering’ attack to be successful. Spear phishing is one of the more popular social engineering methods that attackers use when they want to gain access to specific areas of networks; areas like control systems that have some perimeter protection.
Even air-gapped systems can usually be reached via a spear phishing attack since many of the people targeted, or someone they are linked to on the enterprise network, will use a USB drive to transfer data to or from the air-gapped system. It is extremely easy for a moderately skilled attacker to download a virus program to each USB drive attached to an infected computer.
Education or Isolation
Dale makes a very interesting point at the end of his blog post:
“The right lesson is to treat the corporate network as an untrusted network and prevent inbound access to the ICS except for emergency situations — as well as get working on your spear phishing portion of the security awareness program and incident response capability.”
I’m afraid, however, that Dale’s advice is going to be ignored in one important aspect, there are too many devices that are being used to bridge the gap (actually I think “ferry the gap” would be a more appropriate analogy since the device is only connected to one side at a time) between the IT and ICS systems. The lap top that the control system engineers and technicians use to access/program/monitor the system will almost certainly be plugged in to the corporate network from time to time. The USB devices that are used to transfer data and updates to and from the control system will be plugged into devices on the network. And, of course, we cannot forget the wide variety of smart phone applications and wifi devices that the manufacturers are pushing to the field.
In the first instance, I think that any attempt at restricting the use of the engineering lap top on the corporate network or internet will flatly ignored by the engineering/maintenance staff. There are too many legitimate needs to download tools and updates from vendors for these people to ignore. Even if you use a separate computer to download the information, you still have to ferry it to the system; no matter how many cutouts you use, the malware can still ride with the information.
Complex Solutions for Complex Problems
No, I’m afraid that we are going to have to come up with complex solutions to this problem. But remember, not every facility is going to the legitimate target of a spear phishing/control system attack. Dale’s solution will work adequately (with the expectation of the exceptions that I discussed above) for a large number of control systems.
Higher risk systems are going to have to look at establishing, practicing, and verifying a number of different controls on the transfer of information between networks. You are going to have to start with the education of every member of the staff with access to the IT network; if one person falls for a phishing or spear phishing attack the network security can be compromised. This is going to have to include a reporting and investigative component as well.
Then there are going to have to be periodic tests of that training with actual phishing and spear phishing attempts made on personnel with network access. Publicize the failures, share with the entire staff how and why the individuals fell for the attacks. Let people learn from other people’s mistakes.
Then the IT and control system networks are going to have to be segregated to the maximum extent possible; the higher risk the facility, the more rigorous that separation will have to be. The facilities with the highest risk, those that can affect lives or national security, are going to have to be air gapped.
Finally, there are going to have to be specially designed controls put into place that govern the ferrying of data and software between the two networks. Some way of verifying that only the information that is supposed to make the crossing gets on the boat is going to have to be established. Again, the higher the risk, the more rigorous the verifying must be. And audits, checks and challenges to the controls are going to be required for the highest risk systems.
Oh yes, and remember something will get through. You better have a plan in place for detecting and removing the malware. And have it in place before you need it. The longer it takes to fix, the more embarrassed you’re going to be.