The year of the hack

2011 is being remembered as the Year of the Hack, and some of the biggest threats that have emerged specifically target plants and other industrial facilities. Nitro and Stuxnet are just two examples of the risks plant operators face today. In the past, plant and maintenance managers haven’t always taken the cyber threat seriously. But make no mistake, cyber threats are real, they are escalating, and they can be financially devastating. It is therefore critical for plants and other industrial facilities to review some basic security measures, immediately, that will protect them against these attacks.

***To better explain the nature of these cyber threats and how to protect plants, I’ll explain them in the context of the two most significant threats recently reported: Nitro and Stuxnet.

Nitro

From July to September 2011, 29 Fortune 100 chemical companies were attacked in a cyber-espionage scheme to steal data on formulas and manufacturing processes. The attack was called ‘Nitro’ by Symantec.

What’s disturbing about Nitro is that, like many attempts at economic espionage, it was not a sophisticated attack — a 20-something Chinese man sent a fake email to company employees under the guise of a meeting invitation or a security update. When the employees opened the attachment, the company became infected with a special type of tool known as a Trojan that lets the hacker gain remote access to the company’s internal files and confidential data. This is the type of attack most plants will experience, up to several hundred times a year. It can be very damaging to chemical processing plants or any other facility or company that loses its intellectual property or other sensitive data. The cost of a cyber-espionage attack could range from tens of thousands to millions of dollars in lost intellectual property, tougher competition, damaged client relationships, litigation or other legal costs and insurance.

Security response

Segment your networks and information so that a successful cyber attack cannot spread laterally across the entire network. Check with your IT team to make sure they’ve deployed robust perimeter defenses. They should be protecting the network from both intrusions and data exfiltration. This is something you should regularly test.

Scan the plant’s facilities to make sure there are no Wi-Fi networks that are connected to the main network, as this makes the network more vulnerable to attack. Work with your IT team to have a recovery/response plan in place for when the network is compromised.

Employee training is a simple solution most companies and industrial operators want to turn to, but plants can’t depend on their employees to keep them safe. A manager’s time will be better spent by taking the steps listed above to prevent threats from reaching employees or isolating the damage when they occur

Stuxnet

Stuxnet is a highly advanced and physically destructive computer worm that targets industrial control systems and was used to shut down Iran’s nuclear program for several months. Stuxnet was designed to take over programmable logic controllers (PLCs) — the devices used to control certain machinery processes — to make machinery systems physically break. How much could a Stuxnet-like infection cost a plant? It depends on how far the infection progresses. If a plant identifies it early, its costs will run in the thousands, for remediation and removal or for replacement of PLCs, for example. If an attack like Stuxnet is allowed to disable the PLCs and cause physical damage, the costs could run in the tens of millions due to total plant shutdown and employee injuries or fatalities.

Security response

Upgrade all password access codes. Do not keep manufacturer default passwords, and periodically change customized passwords to new ones. Prohibit third-party USB flash drives from being used on the plant’s network. Robustly enforce an air-gap rule for all industrial control systems. That means there should be no actual wires connecting the Internet to the industrial control system. The ICS is too vulnerable; it must be isolated.

Devise a reaction/recovery plan for what the plant must do if it suffers this type of attack. This is important to limiting costs and human injuries. Be proactive. Engage with your local law enforcement office to bring your team fully up to speed on the threat and how to respond. Each region has a group that will meet to discuss these sorts of threats. In Miami, it’s the Miami Electronic Crimes Task Force, run by the Secret Service. In many places, it’s InfraGard, run by the FBI.

Unfortunately for industrial plant operators, we live in a world without certainty in the reliability or security of the IT devices we rely on. The industry as a whole faces considerable challenges ramping up IT security to where it needs to be.

Dave Aitel is president of Immunity (www.immunityinc.com) and a former computer scientist for the National Security Agency (www.nsa.gov). He has co-authored several books, including “The Hacker’s Handbook,” and appeared on CNBC and CNN. Contact him at (786) 220 0600 or [email protected], or follow him on twitter, @daveaitel.