Tenable Blog

Is Malware Hiding in Your Industrial Security Network?

Recent malware attacks reveal the extent to which critical infrastructure facilities are vulnerable to cyber threats. Here's how to protect your industrial network from the next attack.

Most industrial organizations still consider their industrial control system (ICS) networks to be safe from common cyber threats that mainly target IT networks. However, two recent cryptocurrency mining incidents demonstrate that ICS networks are not "sterile" from unwanted software.

Moreover, the fact that these cyber incidents took place at critical infrastructure facilities in Europe and Russia shatters the myth that ICS or operational technology (OT) networks (as opposed to their IT counterparts) are "air-gapped" and that the Windows machines and other devices in those networks are shielded from malware and other cyber threats.

Two cryptocurrency mining incidents in a nutshell

Cryptocurrency Mining Malware Discovered at European Water Utility

The first incident involved the discovery of cryptocurrency mining malware in the network of a water utility provider in Europe. Based on reports, this attack is the first public discovery of an unauthorized cryptocurrency miner impacting ICS or supervisory control and data acquisition (SCADA) servers.

The malware found on the utility's server was mining Monero cryptocurrency. The investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising website. This suggests that an operator at the water utility was able to surf the internet, reach a risky website and click on a link that triggered the installation of mining code on the system. 

The system initially infected by the malware was the human machine interface (HMI) for the SCADA network. The HMI was running Microsoft Windows XP, an operating system that reached end of life in April 2014 and was therefore no longer receiving security patches. It's worth noting that the use of outdated and unpatched operating systems is common in SCADA environments, where operators prefer to avoid OS updates and patching because of operational stability concerns.

The main impact of Bitcoin mining schemes, which consume substantial computing resources, is degradation of system performance. An additional risk is that malware could spread from the initial point of infection to other systems on the ICS network and consume additional resources.

Malicious Insiders Abuse Supercomputer in Nuclear Facility

The second report came out of Russia, where several scientists working at a top-secret Russian nuclear warhead facility were arrested in early February for allegedly mining cryptocurrencies. According to reports, these trusted insiders tried to use one of Russia's most powerful supercomputers to mine Bitcoins, a process that requires huge computational and energy resources. This was detected only when the scientists attempted to connect the supercomputer to the internet, which raised an alert at the nuclear center's security department. The security policy prohibited such an internet connection in order to eliminate the risk of intrusion.

Security implications for industrial organizations

1. Industrial control networks are reachable

Ten years ago, the air gap sounded like a foolproof strategy: create a physical gap between the ICS network and the rest of the world so there is no way for cyber threats to infiltrate.

This strategy is no longer relevant. Industrial organizations have adopted new connected technologies, like IIoT (industrial internet of things) devices, to enable predictive maintenance and increase manufacturing efficiency. These technologies are blurring the lines between IT and OT networks, while increasing the exposure of ICS networks to cyberattacks.

Moreover, even if you manage to completely isolate the ICS network, there are still threats from within. These types of threats range from malicious insiders, as in the Russian incident, to a careless employee connecting a malware-infected mobile device or USB drive to a Windows machine.

The “general purpose” (i.e., not ICS-specific) malware discovered in the water utility's network demonstrates, yet again, that ICS networks are easily reachable. Gone are the days when a state-sponsored campaign (e.g., Stuxnet) is needed to compromise industrial networks.

2. Industrial control networks are not governed well enough

Given the risks involved, one would imagine that industrial control networks would be well-governed and "sterile" of unwanted software. On the ground, however, we often encounter situations in which this assumption couldn't be further from the truth.

To improve network hygiene, industrial organizations should conduct periodic vulnerability assessments, as well as patching and inventories of software installed on Windows machines.

3. Due to lack of protective measures, industrial networks are at imminent risk

While patching Windows-based machines is a standard best practice in the IT world, that isn't always the case when it comes to ICS. Operator workstations may be involved in continuous processes that can't be interrupted. Take for example oil and gas companies – it's not easy to shut down a pipeline or turbine in order to patch supporting systems. System stability and safety are also major concerns. 

The inherent security risk is that unpatched operator and engineering workstations running on Windows platforms will be exploited by a malware attack. Compromised workstations could then be used to send malicious instructions to controllers, disrupt production operations, and limit visibility into the physical process.

That said, when it comes to compromising an ICS network, hacking the Windows machines is actually more difficult than gaining access to the controllers, which are not typically protected with authentication, encryption, authorization or other standard security mechanisms. For that reason, we believe that ICS-specific threats, such as Triton malware, will become more common going forward.

The need for better visibility and control

In order to protect their ICS networks against sophisticated cyberattacks, and to ensure that unwanted software doesn't find its way into Windows machines, critical infrastructure and industrial organizations require better visibility into their asset inventory.

To build an effective security strategy, you need to know the manufacturers, models, firmware versions, latest patches and current configuration for each and every asset in your network. This includes the automation controllers – programmable logic controllers (PLCs), remote terminal units (RTUs), or distributed control system (DCS) controllers – responsible for managing the physical processes, as well as Windows servers used by operators. A comprehensive asset inventory based on automated asset discovery is crucial for identifying the vulnerabilities that might put an asset at risk and installing the required security updates.
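As an added illustration of the inventory hygiene checks described here and in point 2 above (example code, not Tenable's or the article's own), the following script audits a constructed asset inventory for end-of-life operating systems, stale patching, unexpected software on Windows hosts, and controllers running unapproved firmware. The EOL table, allowlists, model names and inventory records are all constructed for the example.

```python
from datetime import date

# Constructed end-of-life table (Windows XP extended support ended 8 April 2014).
OS_EOL = {"Windows XP": date(2014, 4, 8), "Windows 7": date(2020, 1, 14)}
# Hypothetical allowlist of software expected on OT Windows hosts.
EXPECTED_SOFTWARE = {"HMI Runtime", "OPC Server", "Endpoint AV"}
# Hypothetical approved firmware versions per controller model.
APPROVED_FIRMWARE = {"PLC-Model-A": {"2.3.1", "2.4.0"}}

def check_asset(asset, today, max_patch_age_days=90):
    """Return hygiene findings for one inventory record (empty list means clean)."""
    findings = []
    eol = OS_EOL.get(asset.get("os"))
    if eol and eol <= today:
        findings.append(f"EOL OS: {asset['os']} (support ended {eol})")
    if "os" in asset:  # Windows hosts must show a recent patch date
        last = asset.get("last_patch")
        if last is None:
            findings.append("no patch date recorded")
        elif (today - last).days > max_patch_age_days:
            findings.append(f"last patch {(today - last).days} days old")
    for sw in asset.get("software", []):
        if sw not in EXPECTED_SOFTWARE:
            findings.append(f"unexpected software: {sw}")
    if "firmware" in asset:  # controllers are checked against approved firmware
        approved = APPROVED_FIRMWARE.get(asset.get("model"), set())
        if asset["firmware"] not in approved:
            findings.append(f"unapproved firmware {asset['firmware']} on {asset.get('model')}")
    return findings

def audit(inventory, today):
    """Map asset name -> findings, keeping only assets with at least one finding."""
    report = {}
    for asset in inventory:
        findings = check_asset(asset, today)
        if findings:
            report[asset["name"]] = findings
    return report

# Constructed inventory: an unpatched Windows XP HMI carrying an unknown binary,
# a well-maintained engineering workstation, and a PLC on unapproved firmware.
INVENTORY = [
    {"name": "hmi-01", "os": "Windows XP", "last_patch": date(2013, 12, 1),
     "software": ["HMI Runtime", "coinminer-sample.exe"]},
    {"name": "eng-ws-02", "os": "Windows 10", "last_patch": date(2018, 2, 20),
     "software": ["HMI Runtime", "Endpoint AV"]},
    {"name": "plc-03", "model": "PLC-Model-A", "firmware": "1.9.7"},
]
TODAY = date(2018, 3, 15)  # constructed audit date

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(name, "->", "; ".join(findings))
```

In practice the inventory records would come from automated asset discovery rather than a hand-written list, and the allowlists would be maintained per site.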

By combining automated asset discovery with proactive detection and analytics tools, industrial organizations can protect their ICS networks from external and internal cyber threats.

To learn more about strategies for improving visibility across your ICS environment, see our Tenable.ot whitepaper, “Industrial Cybersecurity in the New Era of Distrust.”
