Yahoo News reported this week that an Iranian mole recruited by Dutch intelligence helped the United States and Israel sabotage Iran’s nuclear program by planting the Stuxnet malware on computers inside a nuclear facility.
The attack was uncovered in 2010, but the insider reportedly first delivered the malware in as early as 2007.
The Stuxnet malware and its several versions have been analyzed by many researchers and it has been known that the worm was likely delivered via a USB drive, but it has only now come to light exactly how the attack took place.
Industry professionals have commented on the report, including on whether it would be more difficult to pull off the Stuxnet attack today, now that organizations are more aware of the risks posed by cyber threats to industrial systems.
And the feedback begins…
Evgeny Goncharov, Head of ICS CERT, Kaspersky:
“Stuxnet is considered a milestone at the time that cybersecurity risks existed for ICS environments. After Stuxnet, many industrial customers tried to build their own industrial cybersecurity approach. However, back in 2010, industrial companies only had typical corporate IT security tools and best practices available in the marketplace. Implementation of these tools to ICS environments brought a lot of problems with compatibility, stability and other issues and actually slowed down the deployment of cybersecurity measures to industrial networks.
Fortunately, there are now enough products and services dedicated to industrial cybersecurity on the market. However, protection from the insider threats are still not that easy. According to our recent survey, 35% of industrial organizations said sabotage or other intentional physical damage by external actors is a major area of concern. Modern protection measures from cyber threats can help decrease the likelihood of a successful insider attack: they can detect anomaly activity, unauthorized devices and network connections that can be initiated by an insider.
However, to eliminate this threat, an organization must have specific technical and organizational measures in place including strict cybersecurity policies, monitoring and control, which the majority of organizations simply cannot afford. The problem is not the cybersecurity technology itself, but the price an organization is willing to pay for its security. Security measures being implemented to prevent insider actions, including those that are motivated, planned and organized by the state-level actors, would probably dramatically decrease the whole enterprise operations efficiency. That might be acceptable for some critical infrastructures such as the ones that are a part of nuclear power industry, but would not for the vast majority of other industrial organizations. But even these measures cannot guarantee protection against attacks like Stuxnet as it was extremely sophisticated.”
Sergio Caltagirone, VP of Threat Intelligence, Dragos:
“Industrial control attacks are difficult, and the operations are expensive and complex, which may require an insider or “insider-like” access to achieve their effect. Regardless of delivery mechanism (network, USB, insider) defenders can detect these threats after an operation is penetrated. Defenders are just beginning this long journey and they’re much better off than they were a decade ago during Stuxnet but still have a long way to go. Too many professionals focus on the “cloak-and-dagger” aspects of cyber-attacks when the basic defensive steps of visibility, identification, and response will always continue to mitigate even the most expensive and “shady” methods.”
Liam O’Murchu, director of development for the Security Technology and Response division at Symantec:
“Insider attacks are still some of the hardest attacks to protect against. Compartmentalization of resources has become a more popular topic with the rise of ideas such as zero trust networking which can mitigate a lot of the insider threat risk by only allowing insiders to access the resources they specifically need to do their job. However, zero trust networking and other such security conscious postures are still emerging and are not the default stance for most organizations.
The average attack is far less likely to succeed in general and more companies than ever are taking their security seriously. However, for a sophisticated targeted attack such as this, the chances of success are still quite high. The attack surface is still very large especially in the Industrial Control Systems world, in fact we have seen other attacks since Stuxnet that targeted ICS plants and succeeded in infiltrating them.
I believe most industry professionals know about Stuxnet and understand the risks that attacks like these pose, but moving to a more secure stance especially for large organizations can be a long painful journey. This is especially true for organizations that are providing ongoing services that cannot be disrupted while security is increased, such as electricity supply plants.”
John Hultquist, Director, Intelligence Analysis, FireEye:
“Close access operations are just one of many options adversaries have for penetrating the most sensitive and isolated networks. Because they require a willing human element, they are rare when compared to the other cyber espionage operations we regularly observe.
In many cases we have seen the most sensitive networks penetrated because they were ultimately not as isolated as they should have been allowing an attacker to gain access through adjoining networks. We’ve also seen tools, like Stuxnet, with the capability to propagate across the airgap when carried by an unwitting party on removable media as well as the capability to function autonomously once in its target location.”
Phil Neray, VP of Industrial Cybersecurity, CyberX:
“It’s easy to see how in 2007, you needed an insider with a USB drive to penetrate an air-gapped control network with targeted malware. In today’s world, however, it’s a lot easier for adversaries to get into your industrial control network because the air-gap has disappeared in virtually all environments except perhaps nuclear facilities, driven by business initiatives like Industry 4.0 and IIoT that require increased connectivity between OT networks, IT networks, and the Internet. It’s a lot easier today to send a phishing email to an employee or 3rd-party contractor who has remote access to the control network — and then steal their credentials to conduct cyber espionage to identify the specific manufacturers and model numbers of devices in the environment, followed by remotely inserting custom malware specifically designed to compromise those devices. We’ve seen this approach used successfully in several recent attacks, including the TRITON attack on the safety systems in a petrochemical facility and the Industroyer attack on the Ukrainian electrical grid.”
Tim Erlin, VP, product management and strategy, Tripwire:
“While we like to focus on the technical aspects of cyberattacks, it’s important to remember the role that people and social engineering play. From nation-state espionage to routine ransomware, human beings are often part of the attack chain, and an invaluable part of any defense strategy.”
Robb Reck, CISO, Ping Identity:
“Insider threats are still at the top of most organizations’ risk register, and that’s not likely to change. The fact is, insiders have access to sensitive data just to do their jobs, and trust comes along with that. There are numerous defenses in place to help with this risk, but none are fool-proof, and there is no set-and-forget technology that solves this problem. An effective insider threat program requires involving security, legal and HR to set, communicate and enforce policies. These policies will vary based on the role and risk of the insiders. For example, it’s much more important to monitor the behavior of employees with access to your nuclear centrifuges than those who can only alter your corporate intranet site. It’s essential that the insider threat program identify those high-risk positions and apply additional diligence to them.
Insider threat programs often forego considering contractors and other third parties as threats, but this research shows that it has been an attack vector in the past, and is likely to be again. When considering what roles you have that are high risk, make sure you include third party access in your calculations.
Finally, even for those high risk roles, not all behavior is worth triggering an alert. Identify what corporate assets you are most concerned about, from an insider threat perspective, and align your preventative and monitoring controls around those. If you turn on alerting for too many systems you’re likely to be overwhelmed by the alerts, and become ineffective at managing any of them.”
