Did Iran really detect a planned "massive cyber attack" against its nuclear facilities, as reported by Reuters last week? And have they really “taken [the] necessary measures” to contain it? Or has their posturing been affected by the revelations in “Confront and Conceal: Obama’s Secret Wars and the Surprising Use of American Power” (Confront and Conceal), the new book by the New York Times writer David E. Sanger? Furthermore, what does this have to do with ICS and SCADA security?

In a recent blog (Stuxnet Warfare – The Gloves are Off), we discussed Mr. Sanger's book. At that time, we noted that Mr. Sanger’s statements that the U.S. and Israel were behind Stuxnet “made it difficult for the U.S. Administration to deny it was behind the Stuxnet attacks”. Indeed, the Reuters article seems to treat the attribution of Stuxnet to the U.S. and Israel as fact, indicating the impact of Sanger’s disclosures on how the world now interprets sophisticated advanced persistent threats such as Stuxnet and Flame.


Iran's president, Mahmoud Ahmadinejad, visiting the Natanz Uranium Enrichment Facility Photo: AP

In our earlier blog article, we also stated that:

“This means that the gloves are off. Cyber warfare has moved from 'you don’t ask and we don’t tell' to open aggression between countries.”

Open aggression is how Reuters characterizes Iran’s statement that its “arch enemies the United States and Israel, along with Britain, had planned the [massive cyber] attack.”

Scary Simulations Highlight How Hard it is to Protect ICS and SCADA Systems

Since our first blog article on “Confront and Conceal” I have read the entire book and been startled by a lot of what it says. I am going to outline here some of the remarkable points it makes that pertain to cyber warfare, and more importantly to industrial cyber security.

The book describes two cyber attack simulations that the U.S. government has conducted. One was at the cyber-emergency center in Idaho Falls [1]. On the edge of town a simulated chemical company was created and its equipment was connected to controllers built by Honeywell, Siemens, and other major manufacturers. Two teams were set up: an attacking “red team” and a team of defenders.

“It wasn’t a fair fight, or a lengthy one. In cyberattacks, all the advantages lie with the attacker – the element of surprise, the ability to hit multiple weak spots at once, the mystery of where the attack is coming from. A team of ‘defenders’ trying to protect the mock chemical company was quickly overwhelmed; when you walked downstairs, a small automated chemical factory appeared to be in chaos, with liquid spills occurring all the time, mixing machines shaking, black smoke pouring out for effect. The operators were unable to shut any of it off because the attackers had taken control of the electrical system too.”


In a second government simulation, a hacker turned off the lights of New York City. Photo Courtesy Matt Apps

Another simulation, done in March 2012 [2], was “a vivid demonstration of what it might look like if a dedicated hacker – or enemy state – decided to turn off the lights in New York City.” The attack started when a power utility worker clicked on a link in an email that appeared to be from a trusted friend. It was a “spear phishing” attack and it duped the authorized user into letting cyber invaders into the computer systems that run New York’s electric grid. Since the simulation included a heat wave, it took a while for operators to realize it was not an ordinary blackout. Then, no one could figure out where the trouble originated, which is the first step to restoring power.

The goal of this second demonstration was to press Congress into passing a bill to require that critical infrastructure companies “bend to national standards, and national supervision, to secure their networks.”

Why Libya was not Suitable for Cyber Attack

When the U.S. was considering what role it should play in supporting the uprising in Libya, a cyber attack of Qaddafi’s air defenses was considered. However, this approach was not taken because there was not enough cyber intelligence available about the Libyan air defense systems. 

Remember that in the case of Stuxnet, the malware was actively listening and learning for years before an attack was made. “Beacon” code [3] was inserted into Natanz that “phoned home” to describe “the structure and rhythms” of the enrichment plant “… to understand how the centrifuges were connected to what are called [PLCs]”.

Earlier this year the Flame virus was discovered, and it has been called “the most powerful espionage tool ever to target countries” by the International Telecommunication Union, the United Nations agency responsible for information and communication technologies. It issued a formal warning telling member nations that Flame “could potentially be used to attack critical infrastructure”.

Kaspersky Lab’s figures show that Flame’s infection sites were spread across the Middle East, with 189 attacks in Iran, 98 incidents in the West Bank, 32 in Sudan, 30 in Syria, plus attacks in Lebanon, Saudi Arabia and Egypt. Other reports indicate that specific targets of Flame’s data collection activities are AutoCAD drawings.

It seems that the U.S. could be using Flame to collect intelligence for future cyber attacks on industrial systems.

What are the Lessons for ICS and SCADA Security?

First, what the cyber offensive moves of the U.S. tell us is that information about control systems matters. The old thinking of “security by obscurity” is deader than a doornail now.

Second, it is clear that cyber attacks against control systems take time. The U.S. was able to attack Natanz because it had the time: it was able to quietly infect the control network with its “beacons” and run reconnaissance for years. Conversely, it could not use cyber attacks against Libya because it did not have enough time. So don’t expect attacks on SCADA to suddenly show up tomorrow – they could take years to prepare. And the longer they take, the more devastating they could be.

Bottom line: if you think your facility has not been infiltrated, you might want to look harder. If you notice any unusual behaviour on either the IT side or the automation side of things, you should do a thorough analysis of it. Be sure your evaluation considers the possibility of cyber intelligence “beacons”, or a staging of minor disruptions that could lead to larger ones.
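One concrete way to "look harder" for the beacon pattern described above is to check outbound connection records from the automation network for traffic that repeats to the same outside address on a fixed timer, which is how a reconnaissance implant typically phones home while a person browsing does not. The following is an added example written for this post, not code from the blog or from Tofino Security. The log format (timestamp, source, destination, port, bytes), the 10.20.0.0/16 automation subnet and the sample lines are all constructed assumptions.

```python
"""Beacon detection over outbound connection logs.

Added example (not the blog's or Tofino Security's code). It flags hosts on the
automation network that contact the same external destination at evenly spaced
intervals. Log format, field order and the 10.20.0.0/16 subnet are assumptions;
the sample lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed address range of the automation (control) network.
AUTOMATION_NET = ip_network("10.20.0.0/16")

# Constructed sample: "<ISO timestamp> <src> <dst> <dst_port> <bytes_out>".
# 10.20.1.15 contacts 203.0.113.7 every 30 minutes (beacon-like);
# 10.20.1.22's external traffic is irregular; Modbus (502) to 10.20.0.5 is internal.
SAMPLE_LOG = """\
2012-06-20T08:00:00 10.20.1.15 203.0.113.7 443 612
2012-06-20T08:00:03 10.20.1.15 10.20.0.5 502 90
2012-06-20T08:30:01 10.20.1.15 203.0.113.7 443 618
2012-06-20T08:31:17 10.20.1.22 10.20.0.5 502 90
2012-06-20T09:00:00 10.20.1.15 203.0.113.7 443 607
2012-06-20T09:12:44 10.20.1.22 198.51.100.20 80 2048
2012-06-20T09:29:59 10.20.1.15 203.0.113.7 443 615
2012-06-20T10:00:01 10.20.1.15 203.0.113.7 443 611
2012-06-20T10:47:10 10.20.1.22 198.51.100.20 80 15360
2012-06-20T10:30:00 10.20.1.15 203.0.113.7 443 609
2012-06-20T11:02:30 10.20.1.22 198.51.100.20 80 700
2012-06-20T13:55:00 10.20.1.22 198.51.100.20 80 4100
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def outbound_flows(records):
    """Group connection times by (src, dst, port) for automation -> external traffic."""
    flows = defaultdict(list)
    for r in records:
        if r["src"] in AUTOMATION_NET and r["dst"] not in AUTOMATION_NET:
            flows[(str(r["src"]), str(r["dst"]), r["port"])].append(r["time"])
    return flows


def periodicity(timestamps):
    """Return (mean interval in seconds, coefficient of variation of intervals).

    A low coefficient of variation means the connections are evenly spaced,
    the signature of a timer-driven beacon rather than human activity.
    """
    times = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(intervals) < 2:
        return (intervals[0] if intervals else 0.0), float("inf")
    avg = mean(intervals)
    return avg, (pstdev(intervals) / avg if avg > 0 else float("inf"))


def find_beacons(log_text, min_connections=4, max_cv=0.1):
    """Flag external destinations contacted regularly from the automation network."""
    findings = []
    for (src, dst, port), times in outbound_flows(parse_log(log_text)).items():
        if len(times) < min_connections:
            continue
        avg, cv = periodicity(times)
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "connections": len(times),
                             "mean_interval_s": avg, "cv": cv})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['port']} every "
              f"{f['mean_interval_s']:.0f}s ({f['connections']} connections, "
              f"jitter cv={f['cv']:.4f})")
```

On the constructed sample the only finding is the 10.20.1.15 to 203.0.113.7 series; the irregular 10.20.1.22 traffic is not flagged. The thresholds (four connections, 10% jitter) are starting points, not tuning advice: some implants deliberately randomize their timing, so a clean result here rules out only the simplest case, and a hit still needs the thorough analysis the paragraph above calls for.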

How will your team and the executives in your company react if a cyber-reconnaissance effort is detected? What if it had progressed from beaconing to attacking? Perhaps doing some simulations yourself is not a bad idea.

Finally, Sanger’s book says that Obama and his administration have been very quiet about their cyber warfare initiatives because they did not want to spur attacks on the U.S. Based on last week’s Reuters article, the quiet period is over, and attacks, whether from nation states, hackers or criminals, will be increasing. Particularly if you are located in the U.S., now is the time to renew and possibly redouble your cyber security efforts.

What do you think of the U.S. move into cyber offense? How does it affect your thinking for protecting your plant?

[1] Confront and Conceal, Kindle location 3335, Chapter 8
[2] Confront and Conceal, Kindle location 4190, Chapter 10
[3] Confront and Conceal, Kindle location 3115, Chapter 8

Related Links

Reuters.com Webpage: Iran says detected "massive cyber attack:" state TV
Amazon.com Webpage: Confront and Conceal: Obama’s Secret Wars and the Surprising Use of American Power
Telegraph.co.uk Webpage: Barack Obama 'ordered Stuxnet cyber attack on Iran'

Telegraph.co.uk Webpage: Flame virus most powerful espionage tool ever, UN warns
Blog: Stuxnet Warfare: The Gloves are Off
Blog: Flame Malware and SCADA Security: What are the Impacts?
Blog: New SCADA Security Reality: Assume a Security Breach
Blog: Defense in Depth is Key to SCADA Security - Part 1 of 2
Blog: Defense in Depth: Layering Multiple Defenses - Part 2 of 2

© Tofino Security 2012 | All Rights Reserved | Tofino Security is part of Hirschmann, a Belden Brand