Cyber security of critical and industrial infrastructure, WannaCry, STUXnet and our dark future!
Cyber security is the hot topic for nearly every company and government at the moment. There have been some very high profile hacks of late, the NHS being the most recent example, that have crippled critical systems and compromised sensitive or personal information. Cyber warfare is a whole new anonymous battleground for criminals, activists and governments to tear chunks out of each other. However, as we’ve seen, these cyber-attacks have far-reaching consequences that go beyond economic damage and can cost lives, as the recent infection of the NHS has undoubtedly done. So what is a cyber-attack and how do we prevent them?
As mentioned, there are three types of cyber attacker: criminals, who want to profit or steal information from the public (this is actually what has infected the NHS); activists, who want to destabilise government functions and private enterprise for ideological purposes; and finally nation states, who are interested in espionage and sabotage. The type of attacker often defines the complexity of the attack but does not limit the damage that can be caused; fundamentally, however, they all operate in a similar way. Malware is designed to enter your system through various channels, via email or USB for example, with the number of ways it can spread defining the aggressiveness of the programme, but it will often require the target to allow it access through trickery or just plain stupidity. Then, depending on the aim, the malware contacts its maker through a command and control channel and asks what it should do next. From there it is free to steal or delete information, freeze or ransom the system entirely, spread itself to other parts of the network or simply cause everything to go haywire.
So, as I have mentioned already, we have seen what a simple piece of malware can do when it gets into a networked government system like the NHS. This malware was unlikely to have been designed to target the NHS, as that target would be too noisy and extremely unlikely to pay the ransom demanded; it was far more likely designed to attack individuals with limited capability to fix the problem and a personal need to keep their information private. Most government systems should be air gapped, which means they are on their own network and not attached to the internet. This makes entry difficult but nowhere near impossible, as there are still numerous other methods of infection, and some malware exploits zero-day vulnerabilities (flaws not yet known to the vendor), so even the most advanced anti-virus offers no protection against it. However, through whatever means, it managed to enter the system and has caused millions in damage and likely taken a fair few lives with it. This prospect should be terrifying to everyone, as WannaCry, the malware in question, wasn’t designed to cause this kind of problem; it’s just a knock-on effect of having all your data automated and of the actions necessary to halt further infection.
WannaCry is a solid example of criminal malware run amok, but there is a whole other level to cyber warfare: nation states. When these guys get coding you had better start worrying about the future, because they have an aim. Examples of nation state sponsored cyber-attacks include Iran’s attacks on Saudi Aramco and Bank of America, where huge swathes of data were deleted or stolen and cost the US economy billions in lost revenue. However, this was in retaliation for the most advanced and potentially dangerous cyber-attack of all, Stuxnet. This malware was co-designed by the NSA, CIA, US Cyber Command, GCHQ, Mossad and Unit 8200 (Israel’s cyber warfare division) and was designed to destroy uranium enrichment centrifuges in the Iranian nuclear facility at Natanz without alerting the Iranians that the US or Israel were involved. How Stuxnet did this was simple: it targeted PLCs.
A PLC, or programmable logic controller, is a piece of technology that converts digital signals into physical actions based on programmed commands. PLCs are used in almost every aspect of modern life, from manufacturing to infrastructure and even in cash machines/ATMs or voting machines. They control rail signals, traffic lights, food and drink production, the production of clean water, oil and gas, energy … hell, even your mail. So clearly they’re important, but at the end of the day they are susceptible to attack and influence. In the case of Stuxnet it caused the centrifuges to self-destruct by spinning them to four times their designed speed and then hard stopping them, all while feeding inaccurate information back to the engineers through the SCADA system. This was a very specific attack, and there were fail-safes built in to stop it, but it shows just how susceptible to influence these systems are. Natanz is the most heavily guarded and secure nuclear facility in the world, built in the middle of a desert and surrounded by anti-air turrets, but its air gap was easily compromised, which should tell you everything you need to know about the resourcefulness of people who want to cause chaos and about how secure your systems really are.
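The paragraph above describes two things a defender can actually check for: a rotor driven far outside its commanded speed, and a PLC-to-SCADA feed that keeps reporting healthy values while the physical process is doing something else. The following is an added example, not code from the article or from any real plant, of a plausibility monitor that compares the PLC's reported speed against a commanded setpoint and against an independent sensor the PLC does not mediate (for example a vibration-derived reading). The rated speed, tolerance, rate-of-change limit, the `Sample` fields and the sample trace are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed plant constants for a hypothetical centrifuge (constructed, not real values).
RATED_RPM = 1000.0          # rated speed of the rotor
TOLERANCE = 0.05            # readings may disagree by 5% of rated speed before we care
MAX_RATE_RPM_PER_S = 50.0   # physically plausible acceleration / deceleration


@dataclass(frozen=True)
class Sample:
    t: float                 # seconds since start of trace
    setpoint_rpm: float      # speed the PLC program was commanded to hold
    reported_rpm: float      # speed the PLC reports up to the SCADA screen
    independent_rpm: float   # reading from a sensor that bypasses the PLC


def detect_anomalies(samples):
    """Return (time, reason) pairs for every plausibility check a sample fails.

    Checks, in order: over-speed against the rating, deviation from the commanded
    setpoint, disagreement between the PLC's report and the independent sensor
    (a frozen or falsified feed), and an implausible rate of change between
    consecutive independent readings (a hard stop or violent spin-up).
    """
    band = TOLERANCE * RATED_RPM
    alerts = []
    prev = None
    for s in samples:
        if s.independent_rpm > RATED_RPM + band:
            alerts.append((s.t, "overspeed"))
        if abs(s.independent_rpm - s.setpoint_rpm) > band:
            alerts.append((s.t, "deviates from setpoint"))
        if abs(s.reported_rpm - s.independent_rpm) > band:
            alerts.append((s.t, "reported/independent mismatch"))
        if prev is not None:
            rate = abs(s.independent_rpm - prev.independent_rpm) / (s.t - prev.t)
            if rate > MAX_RATE_RPM_PER_S:
                alerts.append((s.t, "implausible rate of change"))
        prev = s
    return alerts


# Constructed trace: the PLC keeps telling SCADA "1000 rpm" while the rotor
# is actually driven to four times rated speed and then hard stopped.
CONSTRUCTED_TRACE = [
    Sample(t=0.0, setpoint_rpm=1000.0, reported_rpm=1000.0, independent_rpm=1000.0),
    Sample(t=1.0, setpoint_rpm=1000.0, reported_rpm=1000.0, independent_rpm=1030.0),
    Sample(t=2.0, setpoint_rpm=1000.0, reported_rpm=1000.0, independent_rpm=2000.0),
    Sample(t=3.0, setpoint_rpm=1000.0, reported_rpm=1000.0, independent_rpm=4000.0),
    Sample(t=4.0, setpoint_rpm=1000.0, reported_rpm=1000.0, independent_rpm=0.0),
]


if __name__ == "__main__":
    for t, reason in detect_anomalies(CONSTRUCTED_TRACE):
        print(f"t={t:4.1f}s  {reason}")
```

The design point is that none of the checks trusts the PLC's own report: the alarm condition is derived from a setpoint the operator controls and a sensor path the controller cannot rewrite, so a compromised controller that paints a calm picture on the SCADA screen still trips the mismatch and rate-of-change checks.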
So what does this all mean? Yet again we’re in a new world with this: there are no rules, and if you can get away with it there’s little repercussion. It is not beyond the realms of imagination that a criminal, ideologue or nation state, if committed enough, could influence every area of life, in ways that are obvious and in ways that aren’t. This is very scary, as it casts doubt on systems set up for ease and accuracy, and on those whose importance to society is only truly felt when they are absent and suddenly there’s no water or power.
So what do we do? There’s little that can prevent an industrious attacker, there’s always a back door or a way in, so the only option for most people and private industry is to try and stay as up to date in terms of cyber security as possible. On the other hand, much like MAD, another way of defending is to go on the offensive and strike back just as hard, if not harder, making the risk, or the level of subterfuge necessary to perform the attack, untenable. This is the tactic of most nation states and is how they justify continuous cyber warfare against one another. From a personal perspective, defence is relatively easy… don’t be stupid! Don’t allow anything onto your computer that you aren’t already aware of, don’t let it make changes to your computer, and your data should be fine. It is when you entrust your data to someone else that things get risky, be that bank servers, medical records etc. Decentralising how we store this data is probably the best option, as a move away from clouds and data hubs will make going after customer data harder: instead of it all being in one place it’s spread across the entire network. This is a whole new way of doing things though, and there are physical, economic, social and ethical barriers that need to be broken before decentralised data can work… so for the moment hold on to your hats, things are going to get bumpy!