Monday, December 15, 2014

Here’s the Smoking Gun

Bloomberg published a very good story over the weekend about a 2008 oil pipeline blast in Turkey that was definitely due to a cyber attack[i].  It caused well over $1Bn in losses, as well as a large spill.  My $.02 on this:

  • This and Stuxnet are the only two well-documented successful cyber attacks on ICS that caused major physical damage (and I imagine the dollar loss for Stuxnet was much less than for this one, although it did also set Iran’s uranium enrichment program back a year or so).  For a great summary of Stuxnet a couple of years after the fact, see this article by Ralph Langner.
  • However, I think this attack should be much more chilling for North American infrastructure owners (including power), since this was done by the “bad guys”.  As we all know, Stuxnet was perpetrated by the “good guys”, and was specifically targeted at the Iranian nuclear program.  Of course, the worm did end up propagating here and elsewhere, and it was expensive for some companies to clean it off their systems – but it never actually attacked other targets (and I don’t know of any successful “copycat” attacks).
  • We have all read that foreign entities, probably including nation-states, are doing reconnaissance of critical infrastructure in the US (including pipelines and of course the power grid).  The attackers in Turkey had also done their reconnaissance of the BTC pipeline and knew that the Windows system controlling the security cameras had vulnerabilities.  They exploited these vulnerabilities to attack other systems, as well as to disable many of the security cameras themselves during their attack.  What’s there about this scenario that couldn’t happen in North America?
  • The fact that this was a cyber/physical attack just confirms what we’ve heard many times this year – that combining the two types of attacks allows the greatest amount of damage to occur.  Metcalf was a purely physical attack, and – while it was certainly quite serious – it never came anywhere close to causing the amount of disruption that a cyber/physical attack could have.  The Metcalf attackers are frequently pointed to as being very knowledgeable and “professional”, but they don’t hold a candle to the attackers of the Turkey pipeline, and the destruction they caused is pocket change compared to what was caused in Turkey.
  • I thought the conclusion of the story was quite interesting: The bombs the Russians dropped on another section of this pipeline during the war with Georgia (which started three days after the cyber attack) all missed the target.  But the cyber attackers didn’t miss!
  • The moral of my story: Nobody can say now that there hasn’t been a successful large-scale cyber attack – by genuinely evil people – against critical infrastructure.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] Sean McBride of Critical Intelligence, the subject of a recent post of mine, pointed out in his excellent blog that he had reported the incident to his customers in 2009.  He then says “If you don’t want to hear about ICS security events five years later, subscribe to the Critical Intelligence Core ICS Intelligence Service.”  Touché!
