Monday, December 8, 2014

If Sony Had Been a Chemical Plant

The infosec world is still buzzing about the recent hack of Sony and how completely their information systems were owned by the attacker. Researchers will be poring over this attack for a while trying to figure out how it all happened and what could have been done to prevent it.

The Hack

The Sony hackers took, among other things, valuable intellectual property (high quality digital copies of yet to be released films), thousands of internal documents (one source said 1 terabyte's worth), and system access information including log-in credentials and passwords. The attack was so thorough that Sony was forced to shut down all computer systems for days while they went through and inspected/cleaned every machine.

The Twitterverse is all agog, of course, about #SonyHack. I’ve made my own small contribution (sans hashtag, of course). The one tweet of mine that I would like to look at in more detail came on Saturday:

“I guess we should be glad that Sony didn't make dangerous chemicals or supply something really important....”

XYZ Chemical Company

So what would have been different if it had been XYZ Chemical Company that had attracted the ire of the GOP attackers? Other than differences in what IP was stolen, probably not much in the immediate results of the attack. The longer term results could have been much more serious to communities around XYZ plants and possibly to the nation.

Intellectual property theft? Well, formulations come to mind first. The wholesale release of formulations would give every competitor here and around the world a leg up in understanding how XYZ makes their products. Even for fully mature product lines, the little tweaks to the formulation a company makes can make a major difference in pricing and performance. This could make for a serious change in competitive status.

The public publishing of the formulations could have other consequences as well. There are a number of chemicals being used in the chemical industry that have raised concerns among environmental activists. If a formulation list included such chemicals the company could come under additional scrutiny from these activists, potentially leading to image issues. Worse yet, if any of the chemicals being used were on the lists of chemicals offensive to various environmental wacko fringe groups, the facility could become a target for varying degrees of physical attacks.

Control System Insecurity

From a security perspective the IP that is of more concern, however, would be process flow diagrams and control system working documents. Those pieces of information would make it much easier for an attacker that has gained access to the control system to figure out how to manipulate the controls in that system in a manner that could disrupt the facility in the worst possible way.

Since most corporate types use a single set of login credentials across the entire spectrum of company computer systems, it is very likely that even if the control systems were not directly breached in the attack, there would be usable log-in credentials for the control systems to be culled from the corporate log-ins. Once an attacker can gain legitimate access to a control system, the various ‘insecure-by-design’ problems become very large vulnerabilities.
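One way a defender can measure the exposure described above is to audit the two account stores for overlap. The following is an added example, not code from the original post; it assumes that both the corporate directory and the control-system workstations export accounts with unsalted NTLM hashes (so two identical hashes mean the same password), and the account names and hash values are constructed for illustration.

```python
"""Audit credential reuse between a corporate directory and a control-system
account store.  Added example with constructed data; the names and hash strings
below are made up.  Assumes NTLM-style unsalted hashes, so identical hash
values in both stores mean the same password is in use on both sides."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    domain: str    # "corp" (business network) or "ics" (control system)
    name: str      # login name; compared case-insensitively
    nt_hash: str   # hex NTLM hash as exported from the account store


# Constructed sample exports (not real hashes).
CORP_ACCOUNTS = [
    Account("corp", "jsmith", "aabbccdd00112233aabbccdd00112233"),
    Account("corp", "ops_admin", "0123456789abcdef0123456789abcdef"),
    Account("corp", "mlee", "ffffffffffffffffffffffffffffffff"),
]
ICS_ACCOUNTS = [
    # same name and same password as the corporate account: worst case
    Account("ics", "OPS_ADMIN", "0123456789abcdef0123456789abcdef"),
    # same name but a different password: a weaker but still useful lead
    Account("ics", "jsmith", "99999999999999999999999999999999"),
    # different name but the same password as corporate user "mlee"
    Account("ics", "hmi_operator", "ffffffffffffffffffffffffffffffff"),
]


def find_credential_reuse(corp, ics):
    """Return (shared_names, reused_passwords).

    shared_names: login names present in both stores (lower-cased).
    reused_passwords: (corp_name, ics_name) pairs whose hashes are identical,
    i.e. the same password is valid on both networks.
    """
    corp_by_name = {a.name.lower(): a for a in corp}
    shared_names = sorted(
        n for n in (a.name.lower() for a in ics) if n in corp_by_name
    )

    # Index corporate accounts by hash so shared passwords are found even when
    # the ICS login name differs from the corporate one.
    corp_by_hash = {}
    for a in corp:
        corp_by_hash.setdefault(a.nt_hash.lower(), []).append(a.name.lower())

    reused = []
    for a in ics:
        for corp_name in corp_by_hash.get(a.nt_hash.lower(), []):
            reused.append((corp_name, a.name.lower()))
    return shared_names, sorted(reused)


def report(corp, ics):
    """Human-readable findings, one line per issue, highest risk first."""
    shared, reused = find_credential_reuse(corp, ics)
    lines = []
    for corp_name, ics_name in reused:
        lines.append(
            f"SAME PASSWORD: corp '{corp_name}' and ics '{ics_name}' "
            "share a password; a corporate credential dump grants control-system access"
        )
    for name in shared:
        if not any(name in pair for pair in reused):
            lines.append(f"SHARED NAME: '{name}' exists on both networks with different passwords")
    return lines


if __name__ == "__main__":
    for line in report(CORP_ACCOUNTS, ICS_ACCOUNTS):
        print(line)
```

The hash-keyed index is what makes the check worthwhile: the most dangerous reuse in the sample is a corporate user and a generically named HMI operator account sharing a password, which a name-only comparison would miss.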

If the control system had been directly breached as well, the problems become much worse. The shutdown and start-up of a chemical control system, particularly with continuous chemical processes like refineries, is not something that is done lightly or quickly. And searching control systems for logic bombs, back-doors, and other forms of reprogramming is a much more time consuming task than for an IT system of comparable size. The larger the number of PLCs involved, the more difficult the task becomes.

Physical Insecurity

One set of computer data files that no one wants to see released is physical security plan files. Passwords and log-in credentials can be changed fairly easily, but making significant changes to a site security plan is very expensive and time consuming. The public availability of site security plans would make the facility much more susceptible to physical attack or theft of chemicals.

While there are some people that claim that the Sony attackers had at least some physical access to the corporate computer system, that would not necessarily mean that that access included detailed information about the site security plan. Most folks entering a facility are aware of only a small part of the overall security plan for the facility.

For many chemical manufacturing facilities a major source of security concerns can be found in the computer systems of the order handling folks. Knowledge of the timing and sourcing of inbound and outbound chemical shipments makes those shipments that much more vulnerable to off-site attack. Those attacks may allow for inbound shipments to be intercepted and converted to a method of attack (VBIED) or simply diverted to some other nefarious or illegal end.

The Big Picture

The major takeaway from this attack is that this was no longer a hack to deface a web site or steal money or credentials. This was a full scale attack on a company with the intent of seriously harming the company for some as yet unknown reason. The scope and scale of the attack is unlike anything we have seen in the corporate world. Unfortunately, as with all things cyber, it will undoubtedly set the new gold standard for serious attacks as it gives other groups and hackers ideas about what can be accomplished with a successful cyber attack.

1 comment:

BCF said...

So, I like the theme and intent of this post, but I'd like to disagree with the IP/data comparison. Modern hackers exploit ICTs (cyber systems) to take advantage of business value chains to alter value or create other value for their own use. In the case of Sony, the value produced by the value chain *is* IP and data-centric. In the case of chemical plants, the value produced is physical, by way of data. An equivalent hack to Sony is one where the hackers would have gone after physical (or potentially physical) results, where the IT and data would have been lumped in with ICTs as a means to an end.

This might seem like splitting hairs, but not making this distinction hides/obscures the actual risk being faced by us from thoughtful, adaptable, persistent threats.
