Hello! Today we are sharing an article translated specifically for students of the “Reverse Engineering” course. Let's go.

We live in a world where more and more production processes are run by computers that control robots. That may sound like a safe and efficient way of working, since it removes the human factor from production. But what happens if an attacker decides to compromise the production servers?
Consider other scenarios for stopping workflows: can extortion stop production? Can a botnet take control of production processes and instruct robots to design something else? Do emergency plans consider that multiple systems can be under attack at the same time?
In any case, each of these scenarios is detrimental only to business. What happens when a cyber threat turns into a real physical threat? In the manufacturing sector, it is more likely that malware will damage not only the data and the system, but also the working capacity.
How does the industry relate to this?
In a March 2019 statement about the industrial sector, Deloitte said that while performing security analyses they often heard the following:
- Why would anyone hack us? We are not a nuclear power plant.
- Our operating systems are not even connected to the Internet, so what is there to worry about?
Needless to say, security through obscurity is no longer an effective strategy, but I’m happy to say it again. Fortunately, Deloitte also noted that the security of Operational Technology (OT) systems has finally attracted much-needed attention.
After all, an attack does not have to be targeted to cause great damage. And threats can come from the internal network; they do not always depend on Internet access.
A recent example, which must have frightened the security personnel of large industrial enterprises, was the LockerGoga ransomware attack on the Norwegian aluminum producer Norsk Hydro. As a result, some of the company's factories were forced to switch to manual control.
What is the danger?
If malware disrupts the organization of production and gains control over certain processes, it creates immediate threats to physical safety both inside and outside the industrial enterprise. They include:
- Extremely high temperatures. High temperatures can be a direct condition of the production process or its side effect. In both cases the heat must be controlled, since an elevated temperature can be sustained only in premises designed for it. If the controls fail or the heat escapes a specially equipped room, the result may be fires, melting or other serious consequences.
- Radioactivity. We are constantly assured that nuclear power plants are safe, but try telling that to the people who lived near Fukushima and Chernobyl. In June 2017, the Laka Foundation published a list with reports of almost 1000 incidents and accidents (or near-emergency situations) (https://www.laka.org/nieuws/2017/laka-releases-iaea-list-with-near-accidents-in-nuclear-power-stations-7144) at nuclear power plants and other nuclear facilities. Such reports have been collected by the International Atomic Energy Agency (IAEA) since 1990.
- Hazardous chemicals. Chemicals are used in many industrial processes. They must be applied in the exact amount or ratio for proper operation. Using the wrong amount of one component or another can lead to uncontrolled reactions. The hazards commonly associated with chemicals are explosions, fires, toxic emissions, acids, and corrosivity. You should also consider the danger of suffocation, which can occur when the presence of another gas does not leave enough oxygen in the air. In addition, oxidizing chemicals can in principle destroy vital parts of production.
The examples above are only the extremes the situation can reach. If you want an idea of how bad things can really get, take a look at this article about an accident with hazardous chemicals. The accident left a crater in China.
Internet connection
In the past, there have been many emergencies caused by a person who incorrectly used interfaces connected to the Internet. Whether it was an architectural error or simply a mistake by a bored operator no longer matters after the fact. However, we must take such risks into account and try to avoid them.
So as not to complicate the situation even further, it is necessary to prohibit Bring Your Own Device (BYOD). Regardless of whether people use their own devices to connect to the company's network or not, their personal devices will be inside the building and can potentially be used as entry points for accessing other systems.
Another issue worth paying attention to is the use of connected devices within the Industrial Internet of Things (IIoT) alongside existing industrial control systems. IIoT is a network consisting of many industrial devices connected by communication technology. In this way, systems are built that can control, collect, share, analyze and provide valuable information. That sounds like a great target for an attacker who wants to profit from an organization or simply destroy a factory.
Other viruses
Malicious software that can disrupt the production process does not have to be financially motivated, like the ransomware we mentioned above. There are many reasons to assume that malware developed along the lines of Stuxnet may be lying "dormant" in factories, awaiting a signal to attack.
Malicious software of this type could be planted through a compromised supply chain or by other, more common methods. As long as the malware is not activated, it may go unnoticed for a long time. Meanwhile, the attackers can be confident that they can activate it at will.
The time has come
Now that we have become acquainted with a ransomware family aimed at industrial enterprises, it is time to think through the scenarios that can occur if an attacker compromises the automated controls of your factory or plant.
Having a backup system is a good idea in case the control system suddenly fails, but when a large-scale attack hits all your computers, the backup machine can be as useless as the main one. At every stage of the process that may become physically dangerous if operated incorrectly, there should be a fail-safe mechanism that rolls the process back to a state in which no external influence can affect it.
Where possible, it may be easier or wiser to provide a manual override for important processes, so that production does not have to stop when computer systems are compromised.
The best option, of course, is to prevent malicious programs from getting in and seizing the controls in the first place. Implement a powerful cybersecurity solution that can block the latest threats and quickly neutralize those that have already entered the system, and your plant will have a better chance of avoiding dangerous scenarios initiated by hackers.
Even if you cannot be 100% certain of an adequate level of cybersecurity, staying one step ahead of the attackers is the best strategy and can save you from many problems.
Stay safe!
We look forward to your comments, and a reminder that the traditional free webinar will be held on June 13.