Rapid response key to reducing cyber attack damage
Oil and gas companies should heed the warnings from other sectors and focus on speeding up response times to potential attacks on industrial control systems (ICS), said Nina Vajda, principal security analyst at the IT security consultancy Mandiant.
Research by Mandiant shows that while 90% of business sector breaches in 2014 were completed in a matter of hours, around 68% of victims took “months or years” to discover the breach, and 59% of breaches took months or years to contain, Vajda said at Upstream Intelligence’s Field Automation Summit 2015.
Especially worrying, from the perspective of those with crucial infrastructure to protect, was that 22% of attacks were initiated by nation-state actors.
In one case, the compromise was only discovered after a total of eight years and two months.
“Everybody has IT departments. Everybody has dedicated resources that are trained to detect and respond to incidents, but we’re not finding them with the staff that we’re paying to do it – and that doesn’t mean our staff are not competent,” Vajda told the Denver conference.
“That means that these exploits and these vulnerabilities are complex enough that they bypass the technologies and the analytics tools that we have in place specifically to find them.”
ICS operators are no longer falling victim to “nuisance threats” such as the defacing of websites, she said. What they are seeing is more damaging: data theft, cyber crime and network attacks – actions committed with the intent to win financial, economic and political rewards, and in extreme cases destroy critical infrastructure.
No silver bullet
Breaches of complex systems architectures cannot be prevented, but they can be mitigated, according to the experts who took part in a panel discussion on cybersecurity.
“The reality is that it’s not if, it’s when. Unfortunately, because of the evolution of complexities that construct malware, it’s infeasible to think that you’re going to get ahead of that curve and predict what the next variant’s going to be,” Vajda said.
“It’s absolutely a given. It will happen. Period. Full stop. And we just need to learn about the risk management,” said Earl Dodd, President of The Society of HPC Professionals, an umbrella body for organizations with an interest in high-performance computing.
Risk is a function of probability and consequence, added Dave Lafferty, President, Scientific Technical Services.
“The probability, because they’re ahead of us, is going to be harder to control. But the thing we have under our control is the consequence of that act,” he said.
One particular point of concern for oil and gas companies is the use of decades-old software, with cyber attackers writing code specifically to take advantage of software that is no longer serviceable by vendors, the panelists agreed.
“Some little lab system up there is still on DOS, and nobody wants to take it down because nobody wants to rewrite the software that runs on it – yet it’s critical,” noted NexDefense strategy chief Doug Wylie.
A key step in mitigating attacks is to know where one’s vulnerabilities lie, Vajda said, listing flash drives, exploitation of coding weaknesses, and social engineering and phishing campaigns as some of the most successful tactics of cyber attackers.
“The biggest breaches and losses in the industrial control systems environment have occurred because the malware was brought in on a flash drive and interfaced on a machine that then executed the malware. Now, granted, the malware may have been written specifically for a particular set of hardware, but it got in on a flash drive,” she said.
Some 78% of phishing emails observed from actors defined as “advanced persistent threats” were IT or security related, according to Mandiant, with attackers often attempting to impersonate the targeted company’s IT department or an anti-virus vendor. The overwhelming majority of phishing emails were sent between Tuesdays and Saturdays.
Not all bad news
Progress is being made in finding ways to detect and deal with compromises, Vajda said. In 2014, the median time to detect the presence of a threat group on a victim’s network was 205 days, 24 fewer than in 2013 and 40 fewer than in 2012.
Better standards have been put in place to mitigate these sorts of issues, she noted, adding that session management and passwords are two areas operators can look to strengthen.
“I fully recognize and accept that there are many devices deployed on the plant floor that simply will not accept long and strong passwords. And if that’s the case then you have to deploy countermeasures around them, change them frequently. And I hear you saying: ‘oh my God, we have 14,000 switches in the field; it’s simply not feasible to change them every 30 days’. Well, then, you have to look at the configuration files and at least audit control access.”
“What the attackers are doing: they are escalating privileges, and they are taking advantage of weak passwords. Any password less than 12 characters, or any configuration of special characters, numbers, whatever, 12 or less can be broken in less than a day.”
Session management is key for companies, such as those in the oil and gas sector, that use remote terminal units.
“You have to control the sessions,” she said. “You have to have different user credentials for every person or group that needs access to those devices. Don’t just have one; then you have no single point of accountability. And you have no way to know who’s made a change, who has tampered with it, who was there last, and you’ve got to lock them down.”
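The two controls Vajda describes above, auditing configuration files for weak or stale passwords and giving every person or group their own credential so changes can be attributed, can be checked mechanically. The following is an added example, not code from Mandiant or from any of the speakers; the device records, the change log and the field names (`device`, `account`, `users`, `password`, `changed`) are constructed for illustration, and a real audit would parse them out of the devices’ exported configuration files instead of literals. The 12-character limit and the 30-day rotation window come from the talk; the audit date is an assumption.

```python
from datetime import date, timedelta

# Constructed sample: field-device accounts as they might appear in a
# configuration export. "users" lists the people who know the credential.
DEVICES = [
    {"device": "rtu-01", "account": "operator", "users": ["alice", "bob", "carol"],
     "password": "Welcome1", "changed": date(2015, 1, 10)},
    {"device": "rtu-02", "account": "alice", "users": ["alice"],
     "password": "Kq9!rT2#vL8mZ", "changed": date(2015, 5, 2)},
    {"device": "sw-17", "account": "admin", "users": ["bob"],
     "password": "Summer2015!!", "changed": date(2015, 4, 1)},
]

# Constructed change log: which account did what on which device.
CHANGE_LOG = [
    {"device": "rtu-01", "account": "operator", "when": "2015-05-18T02:14",
     "action": "setpoint change"},
    {"device": "rtu-02", "account": "alice", "when": "2015-05-19T09:30",
     "action": "firmware upload"},
]

MIN_PASSWORD_LEN = 13            # 12 characters or fewer: breakable in under a day
MAX_PASSWORD_AGE = timedelta(days=30)
AUDIT_DATE = date(2015, 5, 20)   # assumed date on which the audit is run


def audit_accounts(devices, today=AUDIT_DATE):
    """Return (device, account, finding) tuples for every policy violation.

    Three checks: password too short, password older than the rotation
    window, and a credential shared by more than one person (no single
    point of accountability).
    """
    findings = []
    for d in devices:
        key = (d["device"], d["account"])
        if len(d["password"]) < MIN_PASSWORD_LEN:
            findings.append(key + ("short-password",))
        if today - d["changed"] > MAX_PASSWORD_AGE:
            findings.append(key + ("stale-password",))
        if len(d["users"]) > 1:
            findings.append(key + ("shared-account",))
    return findings


def attribute_changes(devices, change_log):
    """Map each logged change to a named person.

    A change made through a shared account cannot be tied to one
    individual, so it is reported as 'unattributable'.
    """
    users_by_key = {(d["device"], d["account"]): d["users"] for d in devices}
    attributed = []
    for entry in change_log:
        users = users_by_key.get((entry["device"], entry["account"]), [])
        who = users[0] if len(users) == 1 else "unattributable"
        attributed.append((entry["device"], entry["action"], who))
    return attributed


if __name__ == "__main__":
    for device, account, finding in audit_accounts(DEVICES):
        print(f"{device}/{account}: {finding}")
    for device, action, who in attribute_changes(DEVICES, CHANGE_LOG):
        print(f"{device}: {action} by {who}")
```

Run against the constructed records, the audit flags rtu-01 on all three counts and sw-17 for a 12-character, seven-week-old password, while rtu-02 passes; the setpoint change on rtu-01 comes back unattributable because three people share the account, which is exactly the accountability gap the talk warns about.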