
Post Stuxnet – expect government hacking

Thursday, April 07, 2011 in Feature Articles

After the Stuxnet worm attack, which ‘created problems’ for Iranian nuclear centrifuges, every government in the world will be honing its hacking skills – and testing them out on IT installations with a military value, such as oil and gas companies, thinks LogRhythm’s Eric Knight


After the Stuxnet computer worm, which managed to hack into an Iranian nuclear plant, operators of industrial equipment around the world need to be more wary of hacking, thinks Eric Knight, senior knowledge engineer at LogRhythm, a log management and security information event management company.

It is not so much that Stuxnet revealed the weaknesses in industrial IT systems. The point is more that Stuxnet was widely believed to be created by a government organisation – and other governments around the world will want to make sure they have hacking capability which can keep up.

And when they look for industrial centres with high military value to test out their hacking skills on, the oil and gas industry will come high on their list, Mr Knight thinks.

“I would assume that every country that has observed what has happened at Stuxnet will be trying to create their own cyber security offence and defence plans to prevent them becoming a victim of this.”

The oil industry is likely to be first on the list because of its high military value. “I’m sure that in the gas and oil industry they are one of the most crucial infrastructures, in a time of war or otherwise,” he says.

“So the chances are – every industry will have a lot of prodding by people who are government backed.”

“There are potentially hundreds of government sponsored organisations which could try to hack into your IT systems to determine the effectiveness of their programs and gather data for the future in case something transpires.”


Stuxnet

Stuxnet was discovered in July 2010, and was later credited by Iran’s president, Mahmoud Ahmadinejad, as managing to “create problems for a limited number of our centrifuges,” according to press reports.

This was the first time a worm had targeted industrial systems, gaining control of the SCADA (supervisory control and data acquisition) systems to locate and infect the centrifuges.

Before then, computer worms had mainly only been developed to gain attention or to make money for hackers, such as to install key loggers and get hold of people’s credit card numbers.

“SCADA systems are lowest value to a hacker. But the military value is extremely high,” Mr Knight says.



Evidence for government backing

The amount of effort and organisation involved in building Stuxnet suggests a government backer. Security experts have estimated that it would have taken 5-10 people working for 6 months to build.

The worm simultaneously and successfully targeted the Windows operating system (running on PCs behind the automation system), an industrial software program which runs on Windows, and a programmable logic controller in the equipment.

It also included code for faking industrial process control sensor signals so an infected system does not shut down due to abnormal behaviour.

Whoever did it would have needed to know which specific centrifuges were being used in Iran. “It required a tremendous amount of intelligence, time and a large diversity of resources,” Mr Knight says.


Other industrial attacks

There have been other attacks on industrial equipment before, including one in Australia which managed to open up sewage gates. “That one was a fellow who was trying to get his job back by creating problems,” he says.

There was another incident where people thought China had infiltrated US equipment for the power grid in order to start collecting information. “They saw the monitoring taking place but no evidence of sabotage,” he says.


LogRhythm tools

To create the best possible defence against hacking, LogRhythm offers a system to continuously analyse equipment audit logs to get the earliest possible warning of something going on.

This means that, if a hacker wants to be undetected, they need to both hack into the equipment and hack into its logging system at the same time, a much bigger hacking challenge.

“It is very difficult if not impossible for him to have both the opportunity to break into the SCADA equipment, and get into the main data center to get into the log management system, to modify specifically the pieces they were looking for,” Mr Knight says.

“This adds so many more levels of protection.”

LogRhythm can receive a continuous stream of logs from the automation systems, scan it for operational anomalies, and give immediate notice of impending attacks or attack attempts.

For example, the Stuxnet worm needs to reprogram certain microchips in preparation for an attack, and the LogRhythm product could spot this by looking through the logs.

“It can create a forensics view of what transpired,” he says. “You can put together a time line of events that took place.”
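To illustrate the kind of log monitoring described above, here is an added example (not LogRhythm’s product or code): a small Python monitor run over constructed SCADA audit lines, which flags a PLC program download outside a maintenance window, flags a log source that goes quiet (the “hack the logging system too” case), and assembles a chronological forensic timeline. The host names, event names, log format and thresholds are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data): "timestamp host event detail..."
SAMPLE_LOGS = [
    "2011-04-07T01:58:00 eng-ws01 LOGIN user=operator3",
    "2011-04-07T02:03:15 plc-17 HEARTBEAT status=ok",
    "2011-04-07T02:03:10 eng-ws01 PLC_DOWNLOAD target=plc-17 block=OB35",
    "2011-04-07T02:06:00 eng-ws01 LOGOUT user=operator3",
    "2011-04-07T02:20:00 plc-17 HEARTBEAT status=ok",
]


def parse(line):
    """Split one audit line into (timestamp, host, event, detail)."""
    ts, host, event, *detail = line.split()
    return datetime.fromisoformat(ts), host, event, " ".join(detail)


def analyse(lines, maintenance_hours=range(8, 18), max_silence=timedelta(minutes=10)):
    """Scan audit lines; return (alerts, timeline) as two lists of strings.

    maintenance_hours: hours of day in which PLC reprogramming is expected.
    max_silence: longest acceptable gap between messages from one log source.
    """
    events = sorted(parse(line) for line in lines)  # chronological order
    alerts, last_seen = [], {}
    for ts, host, event, detail in events:
        # A PLC program download is the reprogramming step the article says
        # should be visible in the logs; outside a maintenance window it is suspicious.
        if event == "PLC_DOWNLOAD" and ts.hour not in maintenance_hours:
            alerts.append(f"{ts.isoformat()} {host}: PLC reprogramming outside "
                          f"maintenance window ({detail})")
        # A source that stops reporting may mean the logging path itself was tampered with.
        gap = ts - last_seen.get(host, ts)
        if gap > max_silence:
            alerts.append(f"{ts.isoformat()} {host}: log source silent for {gap} "
                          "(possible tampering with the logging path)")
        last_seen[host] = ts
    # Forensic view: every event in time order, regardless of which host produced it.
    timeline = [f"{ts.isoformat()} {host} {event} {detail}".rstrip()
                for ts, host, event, detail in events]
    return alerts, timeline


if __name__ == "__main__":
    found_alerts, found_timeline = analyse(SAMPLE_LOGS)
    print("\n".join(found_alerts))
    print("--- timeline ---")
    print("\n".join(found_timeline))
```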

The company can also help companies install standards which will help them prevent hacker sabotage, including making sure they are storing the right information about who is doing what on the system.

The system will work with any computer system which can generate a log. “We’ve done everything from Windows type logs – down to X-ray machines, door access. The management of the records is really where we’re focussing on.”

“Any type of computerised system with a digital record that can be translated back as a log can be sent back to LogRhythm,” he says.

Sometimes you have to analyse logs from different systems to get a better understanding of what is going on. “When you add the business pieces to the common infrastructure pieces – you can create a very robust understanding – not only security but also risk and problems that are taking place inside your organisation,” he says.

The company aims to detect many things from the log analysis, including attacks, malware, people misusing equipment and other suspicious behaviour.

Operations logs, such as network traffic usages and volumes, can provide information which is “often very useful for determining how the overall IT infrastructure is functioning,” he says.
