I recently had the opportunity to review the entire
testimony of Adm. Michael Rogers, director of the National Security Agency
(NSA) and head of U.S. Cyber Command, to the House Intelligence Committee
hearing, available at C-SPAN. It seems the purpose of the testimony
was to support an information-sharing bill. Now, I prefer to focus on intrusion
prevention rather than sharing information about already-detected intrusions, but
still I found that the admiral said a number of interesting things relevant to modern
intrusions and the capabilities of our adversaries.
For example, Admiral Rogers said, among other
things, in response to a question about the capabilities of “trojan horses”
found on industrial control system (ICS) networks:
“There shouldn’t be any doubt in our
minds that there are nation-states and groups out there that have the
capability to do that – to enter our systems, to enter those industrial control
systems, and to shut down – forestall our ability to operate – our basic infrastructure.”
This statement was big news, given that the admiral
is the highest-ranked individual in the American administration to have admitted
that our critical infrastructure could be hacked. But to people working in the
critical infrastructure cybersecurity field, this is not news at all. Common
wisdom has it that any site can be hacked if an adversary is given enough time,
enough money and enough talent to do the hacking – and nation-states generally
have all three in abundance.
The growing threat of nation-states
What was more interesting to me was when Admiral
Rogers elaborated on this statement. The headlines that followed his testimony
were all about China having the ability to shut down critical infrastructures,
but the Admiral’s comments were clear – several nation-states have this
capability and others are developing it, and other
groups and even individuals are doing the same. For example,
Admiral Rogers said that his agencies are seeing criminal gangs starting to use
the tools and techniques that have historically been attributed only to
nation-states. It would appear that some nation-states are outsourcing their
cyberattacks. Organized crime has a long history in the cyber-security world
and is responsible for the majority of malware and botnets which plague all
computers connected to the Internet. The question we’d all like to see answered
is, “what else will these criminal groups use these types of attack techniques
for, and when?”
Admiral Rogers repeatedly gave the example of the
Shamoon malware, which erased 30,000 computers on the Saudi Aramco corporate
network. Erasing hard disks on a control system network is a comparatively
low-tech attack, but it is unfortunately very likely to be an extremely
effective attack. Modern infrastructure generally cannot be operated without
human oversight, and control system computers are essential in providing such
oversight. Erase enough control system hard drives and the physical critical
infrastructure – the power plant or pipeline – must be shut down.
How long will it take to bring back up? The Admiral
was vague here, and for good reason. How long a site takes to recover from a
Shamoon-style attack on control system computers very much depends on the
physical industrial process in question, and the recovery time depends on how
thorough and how well-practiced our disaster recovery plans are. Do we have
current back-ups for every part of the control system? Were any programmable
logic controllers (PLCs) or other devices attacked and erased? Do we have
back-ups of that equipment?
Information sharing alone is
insufficient
Now, the focus of the Admiral’s testimony was the
current information-sharing bill, and so “information sharing” was the remediation
that he returned to time and again when questioned. I believe that information
sharing is a good thing, but it is far from sufficient in terms of preventing a
widespread outage of critical infrastructures. Information sharing only works
after we have discovered the characteristics of a compromise so surviving
infrastructure sites can try to detect similar compromises before they, too,
are crippled.
Information sharing does little to prevent
widespread, simultaneous compromise. Imagine, for example, a bit of malware
disguised as a device driver security update-checking program. The program
looks harmless – it reaches out to a plausible-seeming website periodically to
check for updates. (For the record, there should be no route from control
computers to the Internet to begin with, but that rule of security gets broken
more often than not.) Of course, the website is a sham, and when this bit of
malware downloads and runs a particular update, suddenly hundreds or even
thousands of infrastructure sites malfunction simultaneously. Did information sharing
save us?
There is obviously a time and a place for
information sharing, but for most critical infrastructure ICS networks, strong
intrusion prevention is more important than information sharing. Furthermore, since
it is theoretically impossible to reliably ask some firewall or other intrusion
detection software to differentiate “good software” from “bad software” (or
even “good messages” from “bad messages”), hardware-enforced Unidirectional Security Gateways at critical infrastructure cyberperimeters are
one of the few very effective tools we have at our disposal to defeat these
modern threats and persistent, remote attack patterns.
Applying new cybersecurity best practices
Strong cyberperimeter protections must be part of
the security response to these critical ICS threats. Unidirectional Security
Gateways are the new industrial cybersecurity best practice, most recently
included in the new ANSSI cybersecurity guidelines. Information sharing is a worthwhile program, but
it will not save us if all we have protecting our critical networks is
software.
Want to hear the latest news impacting industrial
security? Follow Waterfall Security on Twitter: @WaterfallSecure.
