BLACK HAT USA — Las Vegas — The ransomware attack on Colonial Pipeline last year shows that critical infrastructure operators have made little progress in defending their networks in the 12 years since the discovery of Stuxnet. Author and journalist Kim Zetter delivered a scathing rebuke of Colonial Pipeline during the keynote opening the second day of Black Hat USA, saying its leaders had plenty of warnings that could have prevented the crippling attack.
Zetter, who has covered major cyber-incidents for more than 20 years, is the author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Crown, 2014). Stuxnet, the malicious worm that security researchers discovered in 2010 on systems in Iran and that was built to sabotage the country's uranium enrichment program, specifically targeted Siemens S7 programmable logic controllers (the S7-315 and S7-417 models). Its discovery heralded a new era of targeted attacks, according to Zetter.
"When Stuxnet was discovered in 2010, it shed a light on vulnerabilities in critical infrastructure that few had noticed before," Zetter said. "The security community largely focused on IT networks. They'd previously ignored what are called operational networks, OT networks, industrial control systems, all of those systems that manage pipelines and railways and the electrical grid and water treatment plants and manufacturing, and so many other pivotal industries."
Stuxnet was more significant for what it portended than for any damage it caused at the time. Introduced into a network via an infected USB drive, Stuxnet consists of self-propagating worm code, a malicious Windows LNK (shortcut) file that exploited Explorer's icon handling to launch the worm from removable media, and a rootkit that hides the malicious files from the operating system.
Also in 2010, the discovery of an advanced persistent threat (APT) campaign known as Aurora exposed the growing capabilities of nation-state hackers, Zetter noted.
The discovery of Stuxnet should not have come as a surprise at the time, but it opened many eyes for the first time, according to Zetter.
"Stuxnet provided stark proof that physical destruction of critical infrastructure using nothing more than code was possible," she said. "But no one should have been surprised. There were warnings about the use of digital weapons to disrupt or destroy critical infrastructure a decade prior to Stuxnet."
Zetter said the impact of Stuxnet was significant, pointing to four major changes it brought to security: it created a trickle-down effect in the form of techniques and tools, kicked off today's cyber-arms race, established the politicization of security research and cyber-defense, and shed light on the vulnerability of critical infrastructure.
Coinciding with Stuxnet was the discovery of Aurora, Zetter underscored. "Many of you probably remember this was a widespread espionage campaign by China that hit 34 companies and targeted the source code repositories of Google, Adobe, and Juniper," she said. "And [it] included one of the first significant supply chain operations, targeting the RSA C repository, the engine for its multifactor authentication systems."
Risks Remain High for Industrial Control Systems
The high-profile attack that locked up Colonial Pipeline, which carries roughly 45% of the fuel consumed on the US East Coast, forced the company to shut down its 5,500 miles of pipeline for several days; the company also paid about $4.4 million in ransom. Zetter argued there is no reason last year's ransomware attack should have blindsided the company's top leaders.
"What happened with Colonial Pipeline last year was foreseeable, as was the growing threat of ransomware," Zetter said. "As the company CEO told lawmakers on Capitol Hill months later, although it did have an emergency response plan, that response plan didn't include a ransomware attack — even though ransomware attackers had been targeting critical infrastructure since 2015, so the signs were there if Colonial Pipeline had looked."
Zetter pointed to the Critical Infrastructure Ransomware Attacks (CIRA) dataset that researchers at Temple University began compiling in 2019, two years before the Colonial Pipeline attack. The researchers counted some 400 ransomware attacks on critical infrastructure in 2020 alone, and 1,246 attacks between November 2013 and July 31, 2022.
"These weren't just attacks on hospitals, which of course were a big target for ransomware actors in 2016," she said. "But these were also targeting oil and gas facilities. And the attackers weren't just targeting IT systems. They were already going after the OT networks that are controlling the critical processes."
Further, Zetter noted that in 2020, the year before the Colonial Pipeline attack, Mandiant reported that seven ransomware families had struck organizations operating industrial control systems since 2017. Those attacks caused major disruptions, including production and delivery delays.
Also in 2020, 10 months before the Colonial Pipeline attack, the Cybersecurity and Infrastructure Security Agency (CISA) issued a reminder of the Department of Homeland Security's (DHS) Pipeline Cybersecurity Initiative. The initiative, created by DHS in 2018, is a joint effort of CISA, the Transportation Security Administration (TSA), and various federal and private sector stakeholders.
Zetter suggested it is probably no coincidence that DHS announced new cybersecurity requirements for owners and operators of critical pipelines two months after the Colonial Pipeline attack. "I don't mean to beat up on Colonial Pipeline — they're just a convenient example, because the attack was so significant," she said. "But other critical infrastructure is in the same position or worse."