Center for Strategic Assessment and forecasts

Autonomous non-profit organization

The most high-profile cyber-attacks on critical infrastructure
Publication date: 22-06-2017
One of the strengths of our modern, developed society is also one of its most important drawbacks. In today's interconnected world, developed high-tech societies depend heavily on a number of services that have become vital.

Infrastructure ensures the normal functioning of basic services and production systems in any society. Its failure, whether through natural causes, technical faults or deliberate action, can therefore have serious consequences for the supply of resources and the operation of critical services, not to mention the security risk.

In recent years the level of cybercrime has been rising steadily all over the world.
The development of the Internet and the digital transformation of society is a "double-edged sword", because it also opens up opportunities for criminals. But what happens if a mission-critical network becomes a target for the criminal community?

PandaLabs, the anti-virus laboratory of Panda Security, has published a white paper entitled "Critical infrastructure: cyber attacks on the foundations of a modern economy", with a chronology of the most high-profile attacks worldwide on the information security of critical infrastructure and recommendations for its protection.

Important sectors and critical infrastructure

Protecting critical infrastructure is an important issue for every country. The high level of development of modern society depends largely on a number of basic and important services, most of which are provided by private business.

The infrastructure whose smooth operation is vital for the state's systems and services includes government bodies, water supply, the financial and tax system, energy, space, nuclear plants, transportation systems and large industrial enterprises.

We classify as critical infrastructure those objects, networks, services and systems whose failure would in any case affect the health, safety and welfare of the country's citizens.

Guaranteeing the provision of essential services in the face of new threats is the responsibility not only of public authorities but also of private companies, at national and international levels.

Technical characteristics

Certain technical characteristics of such networks, together with the sensitivity of the critical data they carry, mean that protecting them is not a trivial task.

New intrusions into the cyber-physical systems that run the manufacturing processes of critical infrastructure have created the need for new strategies, adapted to detect such threats without obstructing the operation of the infrastructure itself.

Hybrid architecture

Much critical infrastructure is based on a hybrid architecture that combines a classical IT network with an industrial OT network, whose control components communicate with physical objects (a cyber-physical system).

Isolation from the Internet

This aspect deserves special attention, because the growing interaction between all types of infrastructure also expands the number of available attack vectors. Control systems for such infrastructure are usually isolated from the Internet and connected only within the internal network.

SCADA

However, there are SCADA control systems that are visible, and even accessible, from the Internet. Most of them have no direct connection to the systems that control critical infrastructure, but they can serve as a gateway through which attackers obtain confidential information for planning more complex attacks.

Protection as a strategic priority

The modern state faces numerous challenges relating to national security. Among its strategic priorities is the protection of critical infrastructure, which may face a number of new threats. To protect it, it is important to have a plan that provides prevention and protection against potential threats, both in terms of physical security and in terms of technology and communications.

In recent years there have been a number of key events, such as 9/11, that became turning points in global security. Since then, the world has found itself in a situation where the failure of certain critical infrastructure can affect the health, safety and welfare not only of individuals but of entire nations.

The approach to securing such facilities has changed. Previously, security was the exclusive prerogative of public authorities. Now critical infrastructure is largely in the hands of private business, which therefore also bears a heavy responsibility for its safety. After the tragedy of September 11, the United States created the Department of Homeland Security and adopted a number of relevant laws and regulations.

In Europe, a similar initiative came after its own key event: the Madrid train bombings of March 11, 2004.

The European Commission has developed a global strategy for protecting critical infrastructure (the European Programme for Critical Infrastructure Protection), which includes a set of measures for preventing, preparing for and responding to terrorist attacks in Europe.

Among other things, the Directive establishes that the primary and ultimate responsibility for protecting critical infrastructure lies with the member states of the European Union and the operators of such infrastructure, and it urges all EU countries to implement a number of measures and initiatives in their national legislation.

The history of attacks

The general public, although aware of certain risks, tends to believe that in reality there have been only a small number of cyber-attacks on critical infrastructure. Unfortunately, the picture is much bleaker: hundreds of such attacks worldwide are already documented. Attacks on such networks have been going on for decades, and their history is summarized below.

Siberian oil pipeline

The term "Internet" comes to mind whenever we think about cyber-attacks on critical infrastructure.
But the first such cyber-attack occurred before the advent of the Internet, in 1982. A group of hackers managed to install a Trojan in the SCADA system that controlled the Siberian oil pipeline, which led to a powerful explosion. The attack was organized by the CIA, though this was not known until 2004, when Thomas Reed, a former Secretary in the Ministry of Defense and adviser to Ronald Reagan, published his book "At the Abyss: An Insider's History of the Cold War".

Chevron

The next incident occurred ten years later, in 1992, when a dismissed employee of the oil company Chevron broke into the computers at the company's offices in New York and San Jose that were responsible for alerting, reprogramming them to crash at system startup. The sabotage was not discovered until a leak of poisonous substances in Redmond (California), when the system failed to give proper notice. As a result, thousands of people were exposed to great risk for 10 hours while the system was disabled.

Salt River Project

In August 1994, Lane Jarrett Davis managed to break into the network of the Salt River Project, gaining access to information and deleting files from the system responsible for monitoring the supply of water and electricity. He also managed to access personal and financial data of customers and employees.

Worcester airport

Other key sectors have also suffered targeted attacks. On 10 March 1997, a hacker broke into the control system used by the communication systems of air traffic control in Worcester (Massachusetts, USA), causing a failure that disabled telephone service for six hours. This particularly affected the telephone system of the control tower, the airport fire service and the airlines based at the airport.

Gazprom

In 1999, hackers breached the security systems of the Russian energy giant Gazprom. With the help of an insider, they used a Trojan to gain control of the SCADA system that controls the flow of gas. Fortunately, this did not lead to serious consequences, and normal system operation was restored as quickly as possible.

Maroochy Water System

In 2000, a former employee of the Maroochy Water System (Australia) received two years in prison for breaking into its supply control systems, as a result of which millions of gallons of sewage flowed into a nearby river and also flooded a local hotel.

Gas processing plant

A gas processing plant built by an American company also came under attack in 2001. A six-month investigation showed that the attack was carried out by one of the suppliers: to conceal his mistakes, he decided to divert attention by breaking into three of the company's PCs and cutting off the gas supply to residential and business customers in one of the European countries.

PDVSA

In December 2002, the Venezuelan oil company PDVSA came under an attack in which oil production dropped from 3 million to 370 thousand barrels per day. During the attack several corporate computers were hacked.

It took place during a strike by employees, who were suspected of complicity.

Traffic lights in Los Angeles

In 2006, two traffic engineers in Los Angeles hacked into the city's traffic-light system in protest. They managed to change the timing of some traffic lights at important junctions so that they stayed red, which led to serious traffic jams.

The tram network in Łódź

In 2008, a 14-year-old student hacked into the tram network of the Polish city of Łódź, with the result that four trams derailed and 12 people were injured. The student had built an infrared remote control, like a TV remote, with which he was able to control tram junctions.

Saudi Aramco

In 2012, Saudi Aramco, the largest oil company in the world, was the victim of a targeted attack on its offices. The hackers gained access to the network through an attack on one of the company's employees, which allowed them to reach 30,000 computers in the network. At one point the hackers managed to wipe the contents of all these computers, while the screens displayed a burning American flag.

Responsibility for the attack was claimed by a group of hackers calling themselves the "Sword of Justice".

RasGas

Just two weeks after the attack on Saudi Aramco, the Qatari company RasGas, the world's second largest producer of liquefied natural gas, was attacked with the same malware that had been used against the Saudi oil company. For several days the company's internal corporate network and website were down.

Metallurgical plant in Germany

In 2014, one of Germany's metallurgical plants became the victim of an attack. Using social engineering, hackers managed to gain access to the computer of one employee, and from there to the internal network management system. As a result, it became impossible to shut down one blast furnace, which caused huge damage to the enterprise.

Ukraine's Electricity Grid

At the end of 2015, Ukraine suffered a cyber-attack on its national power grid, leaving more than 600,000 residents without electricity.

The first ever cyber-attack against Internet infrastructure

Despite the long list of incidents, the first ever cyber-attack on Internet infrastructure occurred on 27 April 2007, when attacks on Estonia brought down the websites of various organizations, including the parliament, ministries, banks, newspapers and other media.

However, the attack was also aimed at particular non-public addresses, including the national system for processing orders for financial and telecommunication services. Urmas Paet, Estonia's Minister of Foreign Affairs, publicly accused the Russian authorities of involvement in the attacks, although he was unable to provide any evidence.

The most famous case of a cyber-attack on critical infrastructure: Stuxnet

In 2008, we witnessed one of the most infamous cases in the history of cyber-attacks on critical infrastructure: Stuxnet. It is now known that it was a coordinated attack by Israeli and American intelligence agencies aimed at disrupting Iran's nuclear program.

They created a worm that infected the computers controlling uranium centrifuges at Iran's plant in Natanz, with the result that the centrifuges ran at full speed while the engineers saw normal operation on their monitors. This caused physical damage to all the uranium centrifuges at the plant. After this incident, the public learned about this kind of threat.

Attacks on other companies have also affected critical infrastructure

In addition to attacks carried out specifically to damage this type of infrastructure, attacks of the kind that other companies face can also adversely affect critical facilities, and sometimes the consequences have been just as serious. Such problems began mainly at the end of the last decade, when worms started spreading through networks on their own.

For example, at a leading U.S. food production plant a viral infection caused thousands of dollars of damage. One employee connected remotely from a home PC that was infected with the Nimda virus. As soon as he entered the corporate network, the worm spread to the entire control system.

In 2003, an oil company from the United States was hit by the SQL Slammer worm, which penetrated its internal network. Although this did not stop production, it did affect internal communications.

It took several days to remove the worm completely from the network and update the systems to prevent further attacks. Incidentally, this worm was one of the most devastating for companies.

To spread, it used a vulnerability in database servers (SQL servers, a standard tool in corporate networks). The vulnerability was patched by Microsoft in January 2003. Incidentally, another American oil company began updating all its systems immediately after this patch appeared, to protect itself from the worm. However, completing the update required restarting the servers on which the patch was installed, and some of them were on oil platforms with no dedicated IT staff. Technicians had to be sent by helicopter, and before they could arrive the worm had penetrated some of the corporate systems and infected those that had not yet been updated.

In the same year, 2003, one of the largest automakers in the U.S. also suffered from the SQL Slammer worm, which quickly spread across its 17 plants. The total damage to the company amounted to 150 million US dollars. Although the patch had been available for six months, the IT managers still had not installed it.

In the same year, a computer operated by Air Canada, responsible for flight information, fuelling and similar tasks, suffered a malware infection (the malware was not made public); as a result, 200 flights were delayed or cancelled.

In 2005 in Japan, the computer of a Mitsubishi Electric employee was infected with malware, which led to the leak of confidential documents about inspections of two nuclear power plants owned by the company.

In 2006, two computers at a hospital in the UK, responsible for managing complex radiation therapy for cancer patients, were infected with malware. As a result, treatment of 80 patients had to be postponed. Two years later, three more hospitals in the UK were infected with a variant of the Mytob worm and had to disconnect all computers from the network for 24 hours to resolve the incident.

In 2013, 200 computers of the Department of Roads and Transport in Cook County (Illinois, USA) were infected. These systems are responsible for maintaining hundreds of miles of roads in the suburbs of Chicago. After the attack, the network had to be shut down for 9 days to clean all the computers.

This list of incidents shows that the danger of cyber-attacks on critical infrastructure is real, and today the governments of all countries are aware of these risks.

Extra protection for critical infrastructure

Given the reality we observe and live in, it is necessary to regulate the protection of critical infrastructure in order to secure a higher level of protection against all types of threats.

In May 2016, after a meeting of the G7 energy ministers, a joint declaration was adopted which, among other things, places special emphasis on the importance of creating resilient energy systems (including gas, electricity and oil) in order to respond effectively to emerging cyber threats and maintain the normal operation of essential services.

To improve the prevention of and response to logical attacks, governments are implementing a number of measures at the global level. These measures aim to create centers that gather all the information needed to improve the protection of critical infrastructure. As a result, comprehensive strategies to address this problem have been developed, which should be incorporated into these countries' national legislation.

It is not easy to say whether the security of critical infrastructure is currently adequate, since not all of the information and techniques available to cyber-criminals are known, and therefore no one can be 100% safe. What can be improved is protection against known attacks, which requires applying a series of effective measures:

  1. Check systems for vulnerabilities, especially those whose security holes have already been fixed and have been known for some time.
  2. Adequately monitor the networks used to control such critical infrastructure and, if necessary, isolate them completely from external connections; this makes it possible to detect an external attack and prevent access to the systems managed from the internal network.
  3. Control removable devices, which is important in any environment, not only because they are a vector for such attacks, as in the case of Stuxnet. In protecting critical infrastructure it is imperative that malware does not penetrate the internal network via removable devices, which can also be used to steal confidential information.
  4. Monitor the PCs connected to programmable logic controllers (PLCs). These Internet-connected devices are the most sensitive, because they can give hackers access to critical control systems. Even if attackers cannot gain control over the system, they will be able to obtain valuable information for other attack vectors.
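As an added illustration of measures 2, 3 and 4 (and of the earlier point that control networks should be isolated from the Internet), the following audit script was written for this page; it is not Panda's code. It scans constructed log lines for allowed traffic crossing the OT boundary and for removable storage attached to PLC engineering workstations; the address ranges, host names and log formats are assumptions.

```python
import ipaddress
import re

# Assumed address plan: 10.20/16 is the OT (control) network, 10.10/16 the IT network.
OT_NET = ipaddress.ip_network("10.20.0.0/16")
IT_NET = ipaddress.ip_network("10.10.0.0/16")
# Assumed names of engineering workstations that sit in front of PLCs (measure 4).
PLC_HOSTS = {"eng-ws-01", "eng-ws-02"}

# Assumed line formats: a firewall log entry and a kernel USB-storage event.
FW_RE = re.compile(r"FW src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) action=(\w+)")
USB_RE = re.compile(r"host=(\S+) usb-storage: new mass storage device")


def zone(addr):
    """Classify an address as 'ot', 'it' or 'external' (anything else)."""
    ip = ipaddress.ip_address(addr)
    if ip in OT_NET:
        return "ot"
    if ip in IT_NET:
        return "it"
    return "external"


def audit(lines):
    """Return (severity, message) findings for traffic that breaks OT isolation
    (measure 2) and for removable media on PLC workstations (measure 3)."""
    findings = []
    for line in lines:
        m = FW_RE.search(line)
        if m:
            src, dst, proto, dport, action = m.groups()
            if action != "allow":
                continue  # only traffic that actually got through matters here
            sz, dz = zone(src), zone(dst)
            if sz == "ot" and dz == "external":
                findings.append(("high", f"OT host {src} reached external {dst} ({proto}/{dport})"))
            elif sz == "external" and dz == "ot":
                findings.append(("critical", f"external {src} reached OT host {dst} ({proto}/{dport})"))
            elif sz == "it" and dz == "ot":
                findings.append(("medium", f"IT host {src} reached OT host {dst} ({proto}/{dport})"))
            continue
        m = USB_RE.search(line)
        if m and m.group(1) in PLC_HOSTS:
            findings.append(("high", f"removable storage attached to PLC workstation {m.group(1)}"))
    return findings


# Constructed sample log lines (not from any real network); 502 is Modbus/TCP.
SAMPLE_LOGS = [
    "FW src=10.20.1.5 dst=10.20.1.9 proto=tcp dport=502 action=allow",
    "FW src=10.20.1.5 dst=203.0.113.7 proto=tcp dport=443 action=allow",
    "FW src=198.51.100.4 dst=10.20.1.9 proto=tcp dport=502 action=allow",
    "FW src=10.10.3.2 dst=10.20.1.5 proto=udp dport=1434 action=deny",
    "kernel: host=eng-ws-01 usb-storage: new mass storage device",
    "kernel: host=office-pc-7 usb-storage: new mass storage device",
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_LOGS):
        print(f"[{severity}] {message}")
```

Denied traffic is skipped on purpose: the point is to surface what the boundary let through, not what it already stopped.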

The solution

The solution is protection against advanced threats and targeted attacks that also makes it possible to detect unusual or suspicious behavior: a system that ensures data confidentiality and protects the company's assets and reputation.

An intelligent platform can help critical infrastructure security professionals respond quickly to threats and obtain all the information needed to prepare an adequate response.

Adaptive Defense 360 is an advanced IT security system that combines the latest security technologies with modern attack detection and response technologies, and is able to classify 100% of running processes.

Adaptive Defense 360 classifies absolutely all active processes on computers, protecting against known malware, zero-day attacks, advanced persistent threats (APT) and targeted attacks.

The platform uses contextual logic to detect malicious behaviour patterns and generate actionable information for protection against known and unknown threats.

The solution analyzes, classifies and correlates all the collected data about cyber-threats in order to carry out prevention, detection, response and recovery tasks.

The solution determines how and by whom data was accessed, and also controls data leakage caused by malicious programs or by employees' actions.

The solution detects and eliminates system vulnerabilities and holes in installed programs, and also prevents the use of unwanted applications (toolbars, adware, add-ons, etc.).

Source: https://habrahabr.ru/company/panda/blog/316500/
