BlackEnergy (aka Sandworm) malware is another ICS game changer. It could be another watershed event like Stuxnet, highlighting the nightmare scenarios faced by modern industrial enterprises: loss of control/view, reconnaissance, data exfiltration, and latent attack. How did we get here? BlackEnergy attacks GE Cimplicity, Advantech, and Siemens WinCC Human Machine Interfaces (HMIs) by leveraging vulnerabilities in Windows and vendor software. The attack vectors are primarily network-based, but air-gapped or perimeter-protected networks can be penetrated via removable media.

What are some of the obvious discussion points? The HMIs are quite simply exposed to communications networks that are far too open! Patching is always problematic in ICS, which makes the software on these HMIs difficult to keep updated, especially when ICS vendor certifications of the patches are required. The testing cycles are lengthy and system downtime is disruptive. Once a successful attack is in play, what can we do to prevent communication back to command and control (C&C) servers under the control of the attackers? What can we do to mitigate this general class of problems? The obvious first step is to make the ICS devices disappear from view. Not an air gap, but a trust map. We must retrofit high-assurance communications into ICS networks to “cloak” ICS devices from everything, except between trusted peers. Trust must be based on something much stronger than IP addresses, MAC addresses, protocols, and ports. Network “trust relationships” must be defined cryptographically, but packaged in such a way as to function at scale without breaking existing networks.

The hack of today is energy companies compromised by BlackEnergy. Notice how common these stories are becoming? We used to talk about hack of the year; then hack of the month. If you don’t see a disturbing trend, then you need to pay closer attention. The industry must step up to the challenge and disrupt this trend. It’s imperative that we raise the bar as high as possible to stop new infections and neutralize existing infections, while maintaining operational integrity and availability.

--David Mattes, Co-Founder and CTO

Thursday, November 13, 2014 By David Mattes