Critical Infrastructure Security, Vulnerability Management

Worried about logic bombs? You should be

In 2006, a disgruntled UBS system administrator planted a "logic bomb" that, had it been successful, would have driven UBS's stock price into the ground. In late 2008, a contract engineer launched a logic-bomb attack after Fannie Mae terminated him. Had his attack not been thwarted, it could have wiped data off of more than 4,000 servers. And in another 2008 attack, a laid-off tech support worker at Wand Corp., a restaurant technology and management company, initiated a partially successful attack that crashed 25 computers and cost thousands of dollars to clean up.
These are only the most publicized incidents. There have been others. There will be more.
Scarier still, logic bomb concepts are getting more and more detailed and threatening. A November 2009 episode of "60 Minutes" showed a test attack, called Aurora, that hacked into the control system of a power generator and caused it to self destruct.
If you're like most people, you're thinking to yourself, “I'm not working for a big utility, so this isn't something I need to worry about.” Think again.
Perhaps you're in an organization that has little by way of heavy duty equipment at all. Surely, you won't be targeted, right?
Stop a minute and think about how many things are attached to computerized control systems everywhere. Look around your building. The fire suppression systems, security cameras, alarms and battery backups could all be compromised: Any device with an IP address is fair game.
Logic bombs and cyberespionage

Logic bombs have been suspected in several cyberespionage attacks. The hack into the U.S. electrical grid, the Google penetrations and the Bugat trojan that hit financial wire transfer services all had characteristics similar to logic bombs.
In these incidents, the intent wasn't to cause immediate physical damage – although the power grid hack may have left behind malicious payloads that could cause future damage. Instead, these attacks were designed to steal either money or information.
The power grid and Google penetrations highlight one of the scariest aspects of these new attacks: Many are coordinated by state-sponsored entities. The list of known state-sponsored cyberattacks is itself a long one, with China's alleged attacks on Google and the U.S. power grid only the most recent examples. Others include Russian attacks on Georgia and Estonia, and U.S. cyberwar efforts in Iraq and Serbia.
The United States isn't solely a victim when it comes to cyberwarfare. Our government has admitted to previous cyberattacks. Two involved Iraq. One targeted the cell phones of insurgents involved with roadside improvised explosive devices, while another was intended to take down the Iraqi banking system during the invasion. The banking attack never got beyond the planning stages for fear of it spreading beyond Iraq's borders and affecting allies. A third rumored penetration supposedly kept the power on in Baghdad during the invasion.
Earlier, during the Kosovo War, U.S. intelligence penetrated and monitored several Serbian factories. The U.S. discovered the factories were being used basically to line the pockets of cronies of President Slobodan Milosevic and later used that information as the foundation for an internet-based psy-ops campaign.
The threat to U.S. businesses

Cyberespionage inspires fear-based headlines, but what does this have to do with the business community? Quite a lot actually. Cyberextortion is nothing new, and even if the organization you work for is not a high-value target like a government, a utility or a leading search engine, all it takes is one disgruntled employee to wreak havoc on your company.
Attacks are inevitable and the time to start thinking about them is now. Most U.S. industries are already under regulatory pressure to modernize and safeguard their IT security systems. Most large organizations have a compliance program in place.

However, while testing various applications, servers and networks, most of these same compliance programs ignore the outdated PC sitting in the corner controlling things like security cameras or mechanical equipment. You likely won't pay a price come audit time for ignoring these systems, since most auditors ignore these too.
You are upping your risk profile and leaving yourself vulnerable. Today is a good day to run a network vulnerability scanner. Send me an email at [email protected] to get started.

Five things you must do now to protect yourself

1. Take an inventory of critical control systems. Security, fire suppression, battery backups, key mechanical equipment and alarm systems could all cause serious damage if breached. The first step is to orient yourself to the scope of the problem.

2. Broaden your vulnerability assessments.
Inevitably, your manual inventory will leave something out, which is why you need to automate this process. Automation must be done properly, though, or you'll still be at risk. Traditional vulnerability assessment tools scan for networking equipment, servers and PCs. Vulnerability scanners find and profile anything with an IP address, including such things as unauthorized wireless routers, smartphones, printers, faxes, scanners, web cams and more.
However, an automated vulnerability scan doesn't obviate the need for a manual inventory. You may have something somewhere that is not attached to your network. Perhaps it still has a separate dial-up connection. Perhaps it isn't attached to the public internet at all.
Just because it isn't on your network doesn't mean it can't be breached. Ethernet cables get plugged back in, not every connection to the internet is an authorized one and even disconnected computers can be damaged through USB-drive attacks.
3. Integrate nonserver security into compliance. You'll probably have to instruct auditors to actually audit your nonserver assets. The temptation will be to skip this step, keep the knowledge to yourself and audit yourself. Resist this temptation.
What happens, for instance, when you are too busy to run your own audit? What about if you are promoted out of your job and security-related compliance isn't your immediate concern? Will your replacement know to look for non-server assets?

4. Put policies and procedures in place to deal with sensitive data.
One thing we haven't touched on is the prevalence of intellectual property theft. This is one of your biggest risks.
The exact extent of the damage is impossible to pin down, since so few companies report these incidents. The U.S. Chamber of Commerce estimates the cost at $250 billion annually.
That disgruntled employee you worry about may hit you with a destructive logic bomb or instead walk away with your sensitive IP assets and sell them to a competitor.
If you don't have data security policies in place and you don't enforce them, you may have a tough time convincing a judge that your sensitive IP is indeed sensitive.
5. Secure nonserver assets. When your high-octane security scan turns up all sorts of devices and vulnerabilities you weren't expecting, get busy with remediation. You may deem the outdated PC controlling your battery backups a low priority, and that's fine. Just make sure you get to it.
If that control PC is forgotten and remains outdated and unpatched, don't be surprised when your organization goes dark during the next power outage.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.