BLACK HAT USA — Las Vegas — The unprecedented ransomware attack against Colonial Pipeline last year shows that critical infrastructure operators have made little progress in defending their networks 12 years after the discovery of Stuxnet. Author and journalist Kim Zetter delivered a scathing rebuke of Colonial Pipeline during the keynote session opening the second day of Black Hat USA, saying its leaders had plenty of warnings that could have prevented the crippling attack.
Zetter, who has covered many major cyber-incidents over more than 20 years, is the author of the book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon (Crown: 2015). Stuxnet, the malicious worm that security experts discovered at an Iranian uranium enrichment facility in 2010, explicitly targeted the Siemens S7-400 system. The discovery heralded a new era of targeted attacks, according to Zetter.
“When Stuxnet was discovered in 2010, it shed a light on vulnerabilities in critical infrastructure that few had seen before,” Zetter said. “The security community largely focused on IT networks. They had previously ignored what are known as operational networks, OT networks, industrial control systems, all of those systems that manage pipelines and railways and the electrical grid and water treatment plants and manufacturing, and so many other pivotal industries.”
Stuxnet was more significant for what it portended than for any damage it caused at the time. Introduced to a network via a USB drive, Stuxnet consists of worming malware, a Windows LNK file designed to propagate it, and a rootkit that hides the malicious files.
The discovery of Stuxnet should not have come as a surprise back then, but it opened some eyes for the first time, according to Zetter.
“Stuxnet provided stark proof that physical destruction of critical infrastructure using nothing more than code was possible,” she said. “But no one should have been surprised. There had been warnings about the use of digital weapons to disrupt or destroy critical infrastructure a decade prior to Stuxnet.”
Zetter said the impact of Stuxnet was significant, pointing to four major changes it brought to security: Stuxnet created a trickle-down effect in the form of techniques and tools, kicked off today’s cyber-arms race, established the politicization of security research and cyber-defense, and shed light on the vulnerability of critical infrastructure.
Coinciding with Stuxnet was the discovery of an advanced persistent threat (APT) known as Aurora, which exposed the growing capabilities of nation-state hackers, Zetter noted.
“Many of you probably remember this was a widespread espionage campaign by China that hit 34 companies and targeted the source code repositories of Google, Adobe, and Juniper,” she said. “And [it] included one of the first significant supply chain operations targeting the RSA C repository, the engine for its multifactor authentication systems.”
Risks Remain High for Industrial Control Systems
The high-profile attack that locked up Colonial Pipeline, which distributes 45% of the fuel along the US East Coast, forced it to shut down its 5,500 miles of pipeline until it paid over $4.4 million in ransom. Zetter suggested there is no reason last year’s ransomware attack should have blindsided the company’s top leaders.
“What happened with Colonial Pipeline last year was foreseeable, as was the growing threat of ransomware,” Zetter said. “As the company CEO told lawmakers on Capitol Hill months later, although it did have an emergency response plan, that response plan did not include a ransomware attack — even though ransomware attackers had been targeting critical infrastructure since 2015, so the signs were there if Colonial Pipeline had looked.”
Zetter pointed to Critical Infrastructure Ransomware Attacks (CIRA) statistics compiled by Temple University in 2019, just two years before the Colonial Pipeline attack. The researchers counted some 400 ransomware attacks on critical infrastructure in 2020 and 1,246 attacks between Nov. 2013 and July 31, 2022.
“These weren’t just attacks on hospitals, which of course were a big target for ransomware actors in 2016,” she said. “But these were also targeting oil and gas facilities. And the attackers weren’t just targeting IT systems. They were already going after the OT networks that are controlling the critical processes.”
Further, Zetter noted that in 2020, the year before the Colonial Pipeline attack, Mandiant reported that seven ransomware families had struck organizations that operate industrial control systems since 2017. The attacks caused major disruptions as well as production and delivery delays.
Also in 2020, 10 months before the Colonial Pipeline attack, the Cybersecurity & Infrastructure Security Agency (CISA) issued a reminder of the Department of Homeland Security’s (DHS) Pipeline Cybersecurity Initiative. The effort, created by DHS in 2018, was a joint undertaking of CISA, the Transportation Security Administration (TSA), and various federal and private sector stakeholders.
Zetter indicated that it’s probably not ironic that DHS announced new cybersecurity requirements for those who own and operate critical pipelines two months after the Colonial Pipeline attack. “I don’t mean to beat up on Colonial Pipeline — they’re just a convenient example, because the attack was so significant,” she said. “But other critical infrastructure is in the same place or worse.”