BreachExchange mailing list archives

Spear phishing poses threat to industrial control systems


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 27 Sep 2013 19:01:42 -0600

http://www.csoonline.com/article/740396/spear-phishing-poses-threat-to-industrial-control-systems

While the energy industry may fear the appearance of another Stuxnet on the
systems they use to keep oil and gas flowing and the electric grid powered,
an equally devastating attack could come from a much more mundane source:
phishing.

Rather than worry about exotic cyber weapons like Stuxnet and its big
brother, Flame, companies that have Supervisory Control and Data
Acquisition (SCADA) systems -- computer systems that monitor and control
industrial processes -- should make sure that their anti-phishing programs
are in order, say security experts.

"The way malware is getting into these internal networks is by social
engineering people via email," Rohyt Belani, CEO and co-founder of the
anti-phishing training firm PhishMe, said in an interview.

"You send them something that's targeted, that contains a believable story,
not high-volume spam, and people will act on it by clicking a link or
opening a file attached to it," he said. "Then, boom, the attackers get
that initial foothold they're looking for."

In one case study, Belani recalled a very narrow attack on a single
employee working the night shift monitoring his company's SCADA systems.

The attacker researched the worker's background on the Internet and used
the fact he had four children to craft a bogus email from the company's
human resources department with a special health insurance offer for
families with three or more kids.

The employee clicked a malicious link in the message and infected his
company's network with malware. "Engineers are pretty vulnerable to
phishing attacks," Tyler Klinger, a researcher with Critical Intelligence,
said in an interview.

He recalled an experiment he conducted with several companies on engineers
and others with access to SCADA systems in which 26 percent of the spear
phishing attacks on them were successful.

Success means that the target clicked on a malicious link in the phishing
mail. Klinger's experiment ended with those clicks. In real life, those
clicks would just be the beginning of the story and would not necessarily
end in success for the attacker.

"If it's a common Joe or script kiddie, a company's [Intrusion Detection
Systems] will probably catch the attack," Klinger said. "If they're
using a Java zero-day or something like that, there would be no defense
against it."

In addition, phishing attacks are aimed at a target's email account, which
is usually located on a company's IT network. Companies with SCADA systems
typically segregate them from their IT networks with an "air gap."

That air gap is designed to insulate the SCADA systems from the kinds of
infections perpetrated by spear phishing attacks. "Air gaps are a mess
these days," Klinger said. "Stuxnet taught us that."

"Once you're in an engineer's email, it's just a matter of
cross-contamination," he added. "Eventually an engineer is going to have to
access the Internet to update something on the SCADA and that's when you
get cross-contamination."

Phishing attacks on SCADA systems are likely rare, said Raj Samani, vice
president and CTO of McAfee EMEA.

"I would anticipate that the majority of spear phishing attacks against
employees would be focused against the IT network," Samani said in an
interview. "The espionage attacks on IT systems would dwarf those against
SCADA equipment."

Still, the attacks are happening. "These are very targeted attacks and not
something widely publicized," said Dave Jevans, chairman and CTO of Marble
Security and chairman of the Anti-Phishing Working Group.

Jevans acknowledged, though, that most SCADA attacks involve surveillance
of the systems and not infection of them. "They're looking for how it
works, can a backdoor be maintained into the system so they can use it in
the future," he said.

"Most of those SCADA systems have no real security," Jevans said. "They
rely on not being directly connected to the Internet, but there's always
some Internet connection somewhere."

Some companies even still have dial-in numbers for connection to their
systems with a modem. "Their security on that system is, 'Don't tell
anybody the phone number,'" he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss