What Stuxnet means for the process industry
by Eddy Willems - Security Evangelist at G Data Software - Friday, 11 February 2011.
The Stuxnet and Aurora attacks have shown us that malware development has become a professional job. These threats targeting the process industry were written by highly intelligent developers, financed by huge investors, and possibly even by governments.

Yet every time a new attack is discovered, experts are left wondering how the malware was developed so quickly. And while the experts are scratching their heads about the attack du jour, the cyber criminals are already working on a new, even stealthier attack. What’s even more troubling, the criminals are getting increasingly ambitious, raising the stakes even higher. In the old days, they were satisfied stealing money from bank accounts, but now the ultimate goal is stealing data and proprietary corporate information. We’re not far from a world in which the criminals are trying to gain total control of industrial processes to cause destruction or possibly harm the health of the population.

Attacks on the rise

In early 2010, the networks of several Fortune 100 companies, including Google China, were hacked by what was later called the Aurora attacks. More than 30 large companies fell victim to the attack, even though they were running their networks with security and intrusion prevention software. This illustrates just how sophisticated the attack was.

Aurora was able to penetrate these networks through an unpatched security leak in Internet Explorer (a so-called zero-day leak) that, up until then, had not been discovered. Of course, by the time the malware was finally detected, the targeted corporate information was already stolen. At the time, security experts described Aurora as ‘the most sophisticated malware ever’ – although it turned out to be more of an inconvenience than an attack with devastating consequences.

But it wasn’t long before Aurora was supplanted by Stuxnet in late 2010. The Stuxnet developers far exceeded Aurora in one key aspect. Unlike its predecessor, Stuxnet did not rely on one zero-day leak; it used no fewer than four. This malware wasn’t meant to attack many individual computers – it was meant for a networked group of them. To do this, however, the malware needed to make physical contact with the devices through USB sticks, scanners, or shared printers. Despite this limitation, Stuxnet succeeded in infecting dozens of industrial enterprises all over the world. There are indications the main target was nuclear reactors in Iran. Considering this, even though the malware was detected in the nick of time, its potential for destruction could have been devastating.

Protecting the process industry

Stuxnet shows just how plausible a threat scenario is – not just in Iran, where the patching policy might not be as strong as it should be – but also in North America and Europe. Even organizations that implement security measures are vulnerable to attacks. For instance, in the Dutch process industry, control systems are not attached to the corporate network, providing some protection against a large attack. Yet even though the process systems are on their own “island,” they do have infrastructural connections to “the mainland,” even if only through a handful of people who have access to both.

While this approach does create a buffer of sorts, it’s by no means fail-safe. In the United States, organizations tend to take a fully networked approach, making a trade-off between productivity and security. As for the threat of malware in process industries, unfortunately, organizations may have to make tough choices between amplifying security and maintaining optimal productivity.

