The Stuxnet campaign used a Dutch mole posing as a mechanic to penetrate the air-gapped facility and collect configuration information about devices in the facility — and subsequently insert the malware via a USB drive.

Yahoo News published a story last week by Kim Zetter (author of “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon”) and Dutch journalist Huib Modderkolk with previously unpublished information about how US and Israeli intelligence forces inserted the Stuxnet malware into Iran’s highly secured uranium-enrichment plant in Natanz.

The story describes how the US and Israel collaborated with Dutch, French, German and possibly UK intelligence forces to execute the operation — and how they used a Dutch mole posing as a mechanic to penetrate the air-gapped facility and collect configuration information about the devices in the facility. The mole then manually inserted the malware into a Siemens programming station via a USB drive.

In today’s world, it’s a lot easier for adversaries to get into your OT network because the air-gap has disappeared in virtually all industrial control environments.

So how does this relate to today’s cyberattacks on industrial and critical infrastructure?

  • It’s easy to see how in 2007, you needed an insider mole with a USB drive to penetrate an air-gapped control network with targeted malware.
  • In today’s world, however, it’s a lot easier for adversaries to get into your industrial control network. That’s because the air-gap has disappeared in virtually all environments (except perhaps nuclear facilities), driven by business initiatives — like digitalization, Industry 4.0, Smart Manufacturing, IIoT, etc. — that require increased connectivity between OT and IT networks and the internet, thereby increasing the attack surface and risk.

CyberX’s “2019 Global ICS & IIoT Risk Report” found that 40% of industrial control networks have direct connections to the internet, based on analyzing traffic from 850+ production networks worldwide.

  • Today’s simpler approach would be to send a phishing email to an employee or 3rd-party contractor who has access to the control network — and then steal their credentials (or grab privileged credentials via Mimikatz, etc.) to gain remote access to the control network.
  • At that point, adversaries can scan the OT network to identify the specific manufacturers and model numbers of devices in the environment — often without being noticed, because few plants monitor OT traffic — and then remotely insert custom malware specifically designed to exploit known vulnerabilities in those devices.
  • In fact, we’ve seen this approach used in several recent attacks, including the TRITON attack on the safety instrumented systems in a petrochemical facility and the Industroyer attack on the Ukrainian electrical grid.

So what can be done?

“If you’re a critical infrastructure provider, you will be targeted. And if you are targeted, you will be compromised.” Andy Bochman, Senior Grid Strategist for National & Homeland Security at the Idaho National Laboratory (INL)

CISOs realize you can’t prevent a determined and sophisticated attacker from eventually getting in — sooner or later, attackers will find an unwitting employee (or open RDP connection) that gives them the access they need to insert ransomware or destructive malware.

So the INL recommends the following approach (its Consequence-driven Cyber-informed Engineering, or CCE, methodology):

  1. Identify Your Crown Jewel Processes: Critical functions or processes whose failure would be so damaging that it would threaten your company’s very survival — like a critical production line that, if compromised, could cause a major safety incident or loss of revenue.
  2. Map the Digital Terrain: Map all the digital pathways that could be exploited by adversaries to compromise your “must not fail” processes. This includes all the assets, communication paths, vulnerabilities, and supporting people and processes (including 3rd-party suppliers) involved in causing a high-consequence event.
  3. Illuminate the Likely Attack Paths: Identify the most likely paths attackers would take to reach the targets identified in step 1, ranked by risk.
  4. Generate Options for Mitigation and Protection: Identify options for engineering out the highest-consequence cyber risks. For example, by implementing micro-segmentation/zero-trust policies, you can minimize the number of digital pathways to your crown jewel assets. And NIST (in NISTIR 8219, “Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection”) recommends implementing continuous monitoring with behavioral anomaly detection (BAD) technology to immediately detect unauthorized or suspicious activity in your OT network — so you can stop the attackers before they blow up or shut down your plant.
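To make the last step concrete, here is an added example of the kind of passive, baseline-driven detection that step 4 describes; it is not code from the original article, from CyberX, INL or NIST. It also shows how the device-enumeration scan described earlier (an attacker asking each controller for its vendor and model) looks on the wire and how a baseline catches it. Modbus/TCP is used only as an illustration, since the article names no protocol (the Natanz programming station would have spoken Siemens protocols, not Modbus); the host roles, IP addresses and captured frames are all constructed for the example.

```python
"""Baseline-driven behavioral anomaly detection over Modbus/TCP frames.

Added example, not code from the original article, CyberX, INL or NIST.
All addresses, roles and frames below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

READ_DEVICE_ID = 0x2B   # Encapsulated Interface Transport (Modbus FC 43)
MEI_DEVICE_ID = 0x0E    # MEI type 14 = Read Device Identification (vendor, product code, revision)
WRITE_FCS = {0x05, 0x06, 0x0F, 0x10}   # write coil(s) / write register(s): process-changing calls


@dataclass(frozen=True)
class Frame:
    src: str      # IP of the talker (hypothetical)
    dst: str      # IP of the PLC (hypothetical)
    data: bytes   # full Modbus/TCP frame: 7-byte MBAP header + PDU


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame: MBAP = transaction id, protocol id 0, length, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(data: bytes):
    """Validate the MBAP header; return (unit id, function code, MEI type or None)."""
    if len(data) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(data) - 6:   # length counts unit id + PDU bytes
        raise ValueError(f"length field {length} does not match payload {len(data) - 6}")
    fc = data[7]
    mei = data[8] if fc == READ_DEVICE_ID and len(data) > 8 else None
    return unit, fc, mei


class BehavioralBaseline:
    """Learn who talks to whom with which function codes, then flag deviations."""

    def __init__(self):
        self.pairs = set()        # (src, dst) conversations seen during learning
        self.behaviours = set()   # (src, dst, fc) triples seen during learning

    def learn(self, frames):
        for f in frames:
            _, fc, _ = parse_frame(f.data)
            self.pairs.add((f.src, f.dst))
            self.behaviours.add((f.src, f.dst, fc))

    def detect(self, frames):
        alerts, flagged_pairs = [], set()
        for f in frames:
            try:
                unit, fc, mei = parse_frame(f.data)
            except ValueError as err:
                alerts.append(("malformed", f.src, f.dst, str(err)))
                continue
            pair = (f.src, f.dst)
            if pair not in self.pairs and pair not in flagged_pairs:   # report a new talker once
                flagged_pairs.add(pair)
                alerts.append(("new-conversation", f.src, f.dst, f"unit {unit} fc 0x{fc:02x}"))
            if (f.src, f.dst, fc) in self.behaviours:
                continue   # this host did exactly this during the learning window
            if fc == READ_DEVICE_ID and mei == MEI_DEVICE_ID:
                alerts.append(("device-id-recon", f.src, f.dst, "Read Device Identification (vendor/model enumeration)"))
            elif fc in WRITE_FCS:
                alerts.append(("unbaselined-write", f.src, f.dst, f"fc 0x{fc:02x} from a host never seen writing"))
        return alerts


# Hypothetical hosts: an HMI, an engineering workstation, a PLC and an IT-side host.
HMI, EWS, PLC, IT_HOST = "10.10.1.5", "10.10.1.9", "10.10.2.20", "10.1.50.33"


def learning_window():
    """Constructed 'normal' traffic: HMI polls registers, EWS writes one register."""
    return [
        Frame(HMI, PLC, build_frame(1, 1, b"\x03\x00\x00\x00\x0a")),                 # read 10 holding registers
        Frame(EWS, PLC, build_frame(2, 1, b"\x10\x00\x10\x00\x01\x02\x00\x01")),     # write 1 register
    ]


def monitored_window():
    """Constructed traffic after an IT host has been compromised and pivots into OT."""
    return [
        Frame(HMI, PLC, build_frame(3, 1, b"\x03\x00\x00\x00\x0a")),
        Frame(IT_HOST, PLC, build_frame(4, 1, b"\x2b\x0e\x01\x00")),                 # Read Device ID, basic objects
        Frame(IT_HOST, PLC, build_frame(5, 1, b"\x06\x00\x10\x00\x00")),             # write single register
        Frame(EWS, PLC, build_frame(6, 1, b"\x10\x00\x10\x00\x01\x02\x00\x01")),
        Frame(HMI, PLC, build_frame(7, 1, b"\x03\x00\x00\x00\x0a")[:9]),             # truncated: length mismatch
    ]


def run_demo():
    baseline = BehavioralBaseline()
    baseline.learn(learning_window())
    return baseline.detect(monitored_window())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it raises four alerts: the IT host opening a conversation the PLC has never had, its Read Device Identification request (the network equivalent of the mole copying down device models), its unbaselined register write, and a truncated frame whose MBAP length field no longer matches its payload. The engineering workstation's write raises nothing because the same host issued the same function code during learning; a real BAD product would baseline more than (talker, target, function code), for example register ranges, polling cadence and unit IDs, but the principle is the same.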


You can read more about the recent Stuxnet news here.
