From science fiction to reality

Honeywell Process Solutions
By Eric Knapp, Global Director of Cyber Security Solutions and Technology, Honeywell Process Solutions
Monday, 20 October, 2014


In films, cyber incidents have long been able to cross the divide from the digital to the physical. We’ve seen fictional code destroy everything from top secret government facilities to invading alien spaceships. We’ve seen criminals ransom companies, cities and even nations under the threat of some impending cyber catastrophe. Just a few years ago, these scenarios were confined to the realm of science fiction. Now, they’re an unfortunate part of history. Like many technologies introduced to us through science fiction, malware has evolved to a level where these types of threats are not only possible, some of them have actually been realised.

Malware has grown up.

Decades ago, the Creeper program was popping up on computer screens, challenging users to ‘catch me if you can’. Today, malware is a bit more sophisticated. It’s modular, intelligent and highly adaptive - able to recognise the systems on which it’s installed and change its behaviour accordingly. It’s sneaky, capable of hiding its tracks, burrowing into legitimate processes and - if it is discovered - mutating, surviving reboots and remaining frustratingly persistent.

The first highly publicised example of fiction turning to fact happened over four years ago, when a nuclear facility was effectively sabotaged via a custom, targeted cyber weapon. Cyber incidents had resulted in physical consequences even earlier, but never before using such sophisticated and focused malware, specifically targeting industrial control systems. Phrases like ‘military-grade malware’, ‘weaponised cyber’ and ‘cyber war’ were seen in headlines around the globe.

In the years since, the trend has continued at an alarming rate. We’ve seen examples of coordinated cyber-espionage campaigns such as Night Dragon, DuQu and, more recently, Dragonfly. We’ve also seen increasingly complex malware, such as the Flame virus, which represents over 20 megabytes of modular, commercial-grade malware. Its capabilities included everything from eavesdropping on Skype conversations to stealing data from nearby Bluetooth devices: a new generation of cyber espionage. The most recent cyber-espionage campaign is still ongoing: the Havex RAT (Remote Access Toolkit) is another example of complex and persistent malware. Through the clever use of trojanised vendor updates, it was able to infect very specifically targeted users in the energy industry. Once a machine was infected, Havex scanned for OPC servers and began to enumerate industrial systems. What will happen next? We can only speculate. Anything that we might guess at this point would be … fiction.

Instead of speculating, we can look at the trends of evolving cyber capabilities. By understanding how malware has evolved, and how it continues to be created, we can better understand the threat that it represents. Malware today is an industry. Like the software industry, the quality and complexity of the product varies, but malware can be (and often is) a commercial-grade product. Why is malware created? For the same reasons that any other product is created: for profit. To launch a successful cyberattack, one needs to have both motive and means. The means, or in this case the malware, can be purchased online. So what about motive?

Again, we can draw on history to guide us. According to the 2013 Verizon Data Breach Investigations Report, 20% of incidents are now targeting energy, transportation and critical manufacturing organisations. In addition to DuQu and Flame, we’ve seen new examples of targeted cyberattacks. Saudi national oil company Saudi Aramco was hit hard by the W32.Disttrack virus, also known as Shamoon. The attack was one of the most destructive cyber strikes in history, stealing data and overwriting the boot sectors of infected machines, effectively decommissioning over 30,000 computers.

In early 2013, several Saudi Arabia government websites were temporarily disabled after a series of cyberattacks. Even more recently, a politically motivated group of hackers called AnonGhost threatened to launch cyberattacks on energy companies Adnoc and Enoc, among others, globally. They claimed to be protesting the use of the dollar by these companies to trade oil.

It might read like science fiction, but it’s not. And understanding the reality of the situation is the first step towards effective cyber defence. For vendors, it means understanding how a cyberattack might impact both components and systems, and making changes to mitigate that risk. It means implementing a secure development life cycle (SDLC), with threat modelling, static code analysis and iterations of reviews, tests and even certifications to ensure that every new product is as secure as it can be, out of the box. It means investing in new technologies, to provide additional layers of security, safety and reliability to both new and legacy industrial control systems. It means changing the way they think about cybersecurity.

For asset owners, it also requires a cultural shift. Cybersecurity can no longer be explained away as unlikely, or improbable. As a target, you need to think like a target: where could an attack come from? What could be compromised? How, and why? What would happen if a cyberattack succeeded? From one perspective, it’s a prescription for paranoia. From another perspective, it’s a rational exercise in risk assessment, to determine what the real risk of a cyber incident might be so that appropriate countermeasures can be implemented. It’s a very subtle shift in thinking that will result in a massive improvement in our overall cybersecurity posture.

So watch those science fiction movies, read some mystery novels and start to think like a bad guy. If we can understand the threat, we can model it, predict it and - with some luck - stop it. Because there’s not much difference between a virus that can destroy an industrial centrifuge, the one in the movies that destroyed the mothership of an invading alien space fleet, and the next one - the one that hasn’t happened yet, and the consequences of which we can only imagine.

All content Copyright © 2024 Westwick-Farrow Pty Ltd