Address the weak link in a cyber security plan

There is no unplanned cyber attack. Before an attack happens, the hackers know exactly what to take and what to do with the results. End-users should have a serious security plan in place, understand the weakest link, and address it.

By Gregory Hale, ISSSource July 11, 2015

A malicious and largely unknown targeted attack focused on oil tankers emerged and has been going on since August 2013. First discovered in January 2014, the ongoing attack aims to steal information and credentials for scamming oil brokers, according to researchers at Panda Security. Despite suffering a compromise in this cyber attack, which Panda called "The Phantom Menace" after the 1999 Star Wars film, none of the dozens of affected companies have been willing to report the invasion and risk global attention for vulnerabilities in their IT security networks, the researchers said.

Questions then arise that could affect any industry, especially manufacturing automation. Could this happen in any industry, and are end-users that reluctant to report details?

"I haven’t seen this (type of attack) in any other industry, but I have to admit that they are not likely to report it for so many reasons," said Joel Langill, an independent security researcher, consultant, and creator of SCADAhacker.com. "I was recently with a client who was actually hit with a destructive targeted industrial control system (ICS) malware and they chose not to report it to anyone. Just shows that things are actually a lot worse than many perceive."

Langill added the attackers knew exactly what they were doing. "The vectors of ‘Menace’ are not that sophisticated and with numerous open-sourced tools, fairly easy to execute. In terms of ISA 62443, this makes the attacker profile in line with Security Level 1," he said. "So, given the fact that the attack was successful means these companies must have lacked some pretty basic countermeasures. In other words, it appears there was little defense-in-depth used to correct for the fact the primary controls (mail filters and anti-virus) were unable to detect the threat.

"The skill in Phantom Menace comes from the knowledge of ‘what to take’ and ‘what to do with it’—an attribute many people fail to accept and include in their security risk analysis," he said. "In other words, many fail to admit their adversaries may know as much, or even more, about their business than they themselves do. These attackers used what I consider simple means to exfiltrate data and then knew what data to use and how to use it to make it of value."

With technologies available today, getting in and nosing around a system while lulling the watchdog AV detectors to sleep is very possible.

"There is a lot of very powerful stuff you can do with remote execution privileges on a laptop where the user has admin rights," said Dan Schaffer, business development manager, networking & security at Phoenix Contact. "And the less overtly-malicious you are, (searching files and ftp’ing them for example, versus deleting, modifying or corrupting them) the less likely that an AV or IPS software is going to flag you."

While the amount of money pilfered in the oil tanker scam is not available, each attack brought in between $50,000 and $100,000, Panda Security research showed. With monetary levels rising, that means bad guys will continue to step up their efforts.

"The sophistication of attack will only increase as the motives and benefits offensively trump the defensive capability," said George Wrenn, cyber security officer (CSO) and vice president cyber security at Schneider Electric. "The other component is also manifest in the banking and financial industry where cyber intrusions are often not reported as the brand damage and negative press can exceed the value of the damage quickly. This is true even in the case of insider attacks, they prefer to ‘dismiss’ without stated cause individuals thought to be involved."

Wrenn continued, "It is a safe bet that similar scams are happening in other industries but they are likely related to ransomware on supervisory control and data acquisition (SCADA) systems as a primary lever against the company under duress. As long as we have a ‘code of silence’ around these incidents we as a society will continue to remain vulnerable and victimized by these types of attacks. Only when a few strong companies lead with disclosures will this start to get others to report and stop these attacks."

In terms of victims reporting the incident, "The ‘embarrassment’ factor can be pretty high," Schaffer said. "And it would absolutely have commercial ramifications for the victim. Even more so, if the victim figures out they’ve been hit—as well as some of their competition—they may choose to stay quiet and uncooperative as a way to gain a competitive advantage. That is, if they figured out how to stop the theft of their documents and the other maritime transporters haven’t."

It comes down to end-users having a serious security plan in place and understanding the weakest link and addressing it.

"Companies need to have a defense in depth strategy that should have a comprehensive employee awareness part," said Graham Speake, vice president and chief product architect at NexDefense, Inc. "People are the weakest link in this and must be continually informed about different ways attackers and malware can be propagated. Security control will never be perfect and attacks will become more sophisticated over time."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource. Edited by Joy Chang, Digital Project Manager, CFE Media, jchang@cfemedia.com.

Original content can be found at www.isssource.com.