During his keynote address at RSA 2002 – and long before Anthem, Target and Sony Pictures – former White House official Richard Clarke famously said, “If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.”
At the recent S4x17 ICS cybersecurity conference, Clarke described how you might persuade your VP/Operations or CFO to allocate more budget to mitigate modern ICS hacking scenarios – even if they’ve never happened before.
A former top counter-terrorism advisor who later served as the first White House cybersecurity czar, Mr. Clarke spent thirty years in the United States Government, including an unprecedented ten continuous years serving three consecutive Presidents (George H.W. Bush, Bill Clinton, and George W. Bush).
“It’s Never Happened Before”
Many management teams are still skeptical when it comes to the risk of ICS cyberattacks. Sure, they’ve all heard about Stuxnet and the German steel mill attack. And they’ve probably heard that US critical infrastructure was compromised by overseas attackers in 2014 using a variant of the BlackEnergy malware, according to ICS-CERT.
But many decision-makers are still reluctant to spend more on tighter security controls to reduce ICS risk.
Fukushima nuclear meltdown was predicted by experts
Clarke lists numerous examples of major disasters that were clearly predicted by experts but ignored by decision-makers. These include the subprime mortgage crisis of 2008, the Fukushima nuclear meltdown, the Madoff investment scandal, and several mine disasters. In each case, no one acted upon the expert predictions.
According to Clarke, past predictions were ignored because (1) decision-makers could always say afterward that “it never happened before” and (2) the magnitude of the problem was simply too big for decision-makers to get their heads around it.
Clarke points out that ICS cybersecurity is similar to these disasters because the cost of dealing with the disaster is disproportionately higher than the cost of mitigating it beforehand.
7 Cyber Scenarios That Never Happened Before
So the next time you hear “we’re not going to spend more on ICS cybersecurity because it’s never happened before,” rattle off the 7 examples below to show how dramatically the world of cyber has changed in the past 12 months:
1. Ukrainian grid attacks. Before December 2014, no one had ever used a targeted cyberattack to turn off electric power in the middle of a cold winter.
And it happened again in December 2016, according to Ukrenergo, the electric utility for the Ukrainian capital of Kyiv.
2. Attack on SWIFT Global Banking System. Clarke describes how, in the run-up to the Iraq invasion, US generals proposed hacking Saddam Hussein’s bank and stealing all his money. But President Bush was persuaded not to hack the bank because of the perceived damage it would do to the world’s trust in our international banking system.
And yet, in 2015 and 2016, the SWIFT banking system was hacked three times (by North Korea) — making it the first known incident of a state actor using cyberattacks to steal funds.
Illustration: The Daily Beast
3. NSA’s Top-Secret Cyber Weapons Posted on the Internet. NSA Cyber Command is considered the best in the world. Yet in August 2016, the agency’s top cyber tools and techniques were posted on the Internet, giving any script kiddie unfettered access to the world’s most sophisticated cyber weapons.
Released by the Shadow Brokers was a huge cache of specialized malware, including dozens of backdoor programs and 10 zero-day exploits, two of them targeting vulnerabilities in widely-used Cisco routers.
Courtesy: Heimdal Security
And on January 16, 2017, the mysterious group released 61 malicious Windows executables, only one of which was previously known to antivirus vendors.
The latest tools include a plugin for tampering with Windows event logs that incident response experts rely on during investigations. (Some believe the Shadow Brokers are Russian operatives or people working on behalf of the Russian government.)
4. Data Breach Impacts $4.8B M&A Transaction. No one ever conducted cyber due-diligence in advance of major M&A transactions in the past. Nobody thought it was important. But the breach of more than a billion Yahoo accounts in 2013 has put Verizon’s $4.8B acquisition on hold — perhaps permanently.
5. Zombie Botnet Army Brings Down the Internet. On October 21, 2016, America’s Internet was brought down by 450,000 IoT devices that had been assembled into a massive botnet army. The unprecedented DDoS attack prevented users from accessing Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal and other sites. The attack targeted DYN’s managed DNS service, a major element of our critical infrastructure.
Original illustration: Wired
6. No One Would Ever Attack a Hospital. Under the Geneva Conventions, hospitals are protected from attacks. Yet in 2016, ransomware stopped many hospitals from being able to care for their sick.
That’s because modern hospitals simply can’t function without the computer systems needed for lab work, pharmaceutical orders, and even the emergency room.
7. DNC Cyberattack Attempts to Interfere with US Presidential Election. Whatever your views on who did it and why, the theft and leak of 19,000 embarrassing emails and sensitive election strategy documents from the Democratic National Committee was the first time a targeted cyberattack was used in an attempt to influence the outcome of a US Presidential election.
It all started with this innocuous-looking phishing email sent to Hillary Clinton’s campaign chairman, John Podesta.
At the very least, the emails published by WikiLeaks led to massive distractions and negative publicity for the DNC, along with the resignation of four top DNC officials including its Chair, CEO, CFO and Communications Director.
CyberX Research VP Describes Unusual IIoT Botnet at S4
Months before Mirai malware was found to be infecting IoT devices, CyberX’s threat intelligence research team discovered RADIATION.
Targeting surveillance cameras commonly used in industrial environments, the RADIATION malware is much more sophisticated than Mirai because it exploits a zero-day vulnerability in IIoT devices rather than open ports and default credentials that can easily be addressed.
We’ve since identified 25,000 Internet-accessible devices compromised by RADIATION — and found that cybercriminals are now providing DDoS-for-hire services using this massive botnet army.
And of course, IIoT devices with Remote Code Execution (RCE) vulnerabilities can one day be used as launching points for more targeted attacks on industrial environments — with the goal of disrupting operations or stealing corporate IP — even “if it’s never happened before.”
If you missed the S4 technical stage presentation by David Atch, CyberX’s Research VP, you can download our threat intelligence research report here.