(by Yugo Neumorni, Cybersecurity Council Chairman, European CIO Association)
When the financial institutions were defeated by the cyber-attacks in the early years of the 21st century the industrial sector was not so much concerned. It was obvious that the cybercriminals were looking for money and credit cards details, and they had little or no interest in the operational field of heavy industry. Why would a hacker invest energy, time and resources into learning PLC language, MODBUS and other proprietary protocols, or SCADA architecture, to demolish an industrial facility, expecting nothing in return? Moreover, the industrial facilities were usually built disconnected from the corporate network and from the Internet, which made the entry point virtually impossible.
Then, in 2007, we witnessed a digital attack against Estonia, the most digitised country in the world, organised by a nation state, followed in 2008 by attacks against Georgia. For more than three weeks, Estonian citizens were brutally disconnected from the Internet due to a series of Distributed Denial-of-Service attacks, and they temporarily ceased to exist as a digitised country. We recall this as the First Cyber War between nation states that triggered superpower nations to reconsider the importance of network security in modern military doctrines. The Internet, a totally unregulated environment, became the Wild West battlefield for state actors. Meanwhile, the industrial companies continued to migrate their systems to the Ethernet and TCP/IP, and the convergence between IT and OT emerged.
Then Stuxnet, the first so-called “cyber weapon”, was discovered in 2010 after a virus severely affected an Iranian nuclear plant. Stuxnet, a masterpiece malware combining five zero-day vulnerabilities and a lot of specific PLC and SCADA knowledge, was created in nation states laboratories and was implanted through a purposely infected memory stick. It was a shocking moment when we all realised that an industrial control area could be penetrated with severe damage and that the ICS / SCADA environment could not hide any longer in the Internet isolation proprietary protocols and specific industrial hardware devices.
We also realised that, contrary to a conventional military weapon, a cyber-weapon would not be destroyed on target but could also be captured, decrypted, reengineered, improved and spread back on the Internet. Needless to mention that a cyber-weapon can also affect your allies, since Stuxnet worm can still be found today in industrial plants that use Step-7 Siemens. The zero-day vulnerabilities appear to become a luxury commodity that is more valuable if publicly undisclosed and is traded by cybercrime and state actors.
In 2015, we recorded the first ever successful cyber-attack against an electric power grid: the Ukraine power grid collapsed, after having been partially disconnected from abroad. Then we understood that the human society could be in serious danger.
The Ukraine power grid incident showed us several things. The entry point was the corporate IT network and the method was a classic phishing email attack combined with well-known unpatched Microsoft Office macro vulnerabilities. The convergence between the corporate network and the plant network allowed the attackers to penetrate the OT after they collected the administrative credentials from the Active Directory corporate IT network and the VPN accounts to access the ICS remotely.
Attackers developed malicious firmware for the serial-to-Ethernet converters blocking the possibility to operate the substations remotely after the attack and the UPS firmware stopping the Ukrainian personnel from operating after the attack. All of this was combined with a telephone denial‐of‐service attack on the call center and the use of a modified KillDisk to erase the master boot record of the systems.
The serial-to-Ethernet converters like Moxa NPort 6110, a common piece of hardware device that populates all the critical infrastructures across the world, are the huge risk that nobody was aware of. They contain several serious vulnerabilities that allow a remote attacker to retrieve sensitive information from the device and to push new firmware into the converter, thus giving the attacker full control over it. Actually, once an attacker has gained access to the power grid network, the game is almost over.
Sadly, these types of serial-to-Ethernet converters are widely used across industries like energy, gas, hospitals or even aviation. Moreover, the possibility to fix those devices by applying a patch will not solve the problem, as they were never meant to be connected to the Internet.
But serial-to-Ethernet converters are not the only vulnerabilities from the industrial control systems. Hardware equipment, machinery and equipment from various other field that populates critical infrastructures could be damaged online. In 2007, an experiment from the Idaho National Laboratory showed that it only took twenty-one lines of software code to destroy physically a power generator widely spread across the U.S. power grid. Experts who analysed the Ukrainian incident concluded that the attackers might have done physical damage to the grid, making power restauration impossible for an extended period. But the attackers’ main purpose was just to send a geopolitical message.
Unfortunately, the SCADA systems and other ICS devices that control critical infrastructure environment have design vulnerabilities, as they were not meant to operate being connected to the Internet, through the corporate IT network. SCADA systems became a symbol for the “insecure-by-design” syntagma.
It came as no surprise when the Department of Homeland Security repeatedly reported that “foreign military intelligence agencies had infiltrated the control rooms of power plants across the United States and that, in theory, it could enable them to remotely take control of parts of the grid”. The fear that malware was implanted in various U.S. utilities networks was also raised by the NSA chief who stated in 2016: “it is a matter of WHEN not IF they will attack”.
However, in 2019, the U.S. claimed that they had penetrated Russia’s Power Grid and deployed cyber-tools as a countermeasure of Russia’s cyberattacks, raising significant concerns of the risk of escalating the Digital Cold War.
Despite of the visible cyberwar we are living in, the society is moving rapidly towards what we call the Industry 4.0. Billions of devices are connecting to the Internet, digitising all the aspects of our lives. With artificial Intelligence, blockchain, virtual reality and all the other trends, IT is bringing enormous progress for humanity in healthcare, automotive and other industries. “Humanity will change more in the next 20 years than it has in the past 300 years,” claimed futurist Gerd Leonhard. At the same time the power grids–the motionless monsters designed in the last century as pure analog systems–are dragged into the new digital world order, filled with moles, malware and cyber tools planted to explode when state actors so decide.
Mark Elsberg explained in his book Blackout the consequences of a total collapse of the power grid on a large geographical scale due to a massive cyberattack in Europe. In less than two weeks the liberal democratic societies will turn into medieval anarchies. Although only a science fiction book, Elsberg generated a scary but realistic scenario in the Energy sector.
Several days ago, the U.S. Government announced a surprising move to secure power grids by using “retro” technologies. Meaning isolating the power grid from the Internet and using “analog devices” to control it. We either recognise that we failed to protect our critical assets in front of cyberterrorism or that digitisation is moving too fast.
Cybersecurity is a matter of people, processes and technology. While over 90% of breaches still occur due to unpatched IT systems and unchanged or weak passwords, humans remain the weakest link in the cybersecurity chain. The Ukrainians from Kyivoblenergo could have avoided the disaster if their employees had not been so easily socially engineered, if they had had proper intrusion detection and prevention tools; and we would probably never have heard about Iranians from Natanz if they had not carelessly plugged a memory stick into their network.
It is our role as IT professionals to educate society for cyber hygiene and increase IT security awareness, and it is our duty to clear up all the moles from the critical infrastructures before they are detonated.
The International Cybersecurity Forum (FIC) in Lille–perhaps the most important cyber event in Europe –is the ideal place where you can enlarge your cybersecurity experience, find the latest technology and meet the right people to exchange testimonials and case studies.
Mr. Yugo Neumorni, CISA, EMBA is Board member and Chairman of the Cybersecurity Council of the EuroCIO, President and founding member of CIO Council Romania, the Association of IT Managers in Romania, former President of ISACA Romania and a member of the FIC Advisory Board.