Another week, another IT security scare. This week it was the turn of Industroyer to take the spotlight, after researchers at security company ESET analysed the malware and said it was highly likely to be behind the attack on the Ukrainian power grid that robbed the country’s capital Kiev of power for one hour in December 2016.
In a blog post, ESET’s Anton Cherepanov dubs Industroyer “the biggest threat to industrial control systems since Stuxnet”, in reference to the malicious worm that attacked Iranian nuclear power plants in 2009.
Industroyer, he explains, attacks electricity substations and circuit breakers using the industrial communication protocols standardized across the critical infrastructure systems that supply power, water and gas and that control transportation. Because these control protocols lack modern encryption and authentication, their security has relied largely on their being sequestered on networks not directly connected to the internet – and in many cases they are no longer isolated in that way.
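Because the control protocols themselves carry no authentication, a defender's compensating control is to monitor who is speaking them: any session to a control-protocol port that does not originate from the designated engineering or HMI segment is worth an alert. The following is an added example, not code from the article or from ESET; the flow records, the subnet, and the port-to-protocol mapping (well-known registered ports, but not named in the article) are all assumptions made for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of connection records as a SCADA-zone firewall or flow
# collector might export them: timestamp, source IP, destination IP,
# destination port, transport. These values are made up for this example.
SAMPLE_FLOWS = """\
2017-06-13T09:12:02Z 10.20.5.11 10.30.1.40 2404 TCP
2017-06-13T09:12:05Z 10.20.5.11 10.30.1.41 102 TCP
2017-06-13T09:13:19Z 192.168.77.9 10.30.1.40 2404 TCP
2017-06-13T09:14:00Z 10.20.5.12 10.30.1.42 502 TCP
2017-06-13T09:14:44Z 172.16.9.3 10.30.1.42 502 TCP
2017-06-13T09:15:10Z 10.20.5.11 10.30.1.40 443 TCP
"""

# Assumed mapping of destination ports to the control protocols that use them
# (registered ports; which ones matter at a given site is an operator decision).
ICS_PORTS: Dict[int, str] = {
    2404: "IEC 60870-5-104",
    102: "ISO-TSAP (MMS / S7)",
    502: "Modbus/TCP",
}

# Assumed: only hosts on the engineering/HMI subnet may talk to field devices.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/24")]


def parse_flow(line: str) -> Dict[str, object]:
    """Split one whitespace-separated flow record into its fields."""
    ts, src, dst, dport, proto = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
    }


def source_is_allowed(src: ipaddress._BaseAddress) -> bool:
    """True if the source address lies inside an allow-listed subnet."""
    return any(src in net for net in ALLOWED_SOURCES)


def find_unexpected_ics_sessions(log_text: str) -> List[Dict[str, object]]:
    """Return every flow that reaches a control-protocol port from a host
    outside the allow-listed engineering/HMI subnet.

    Non-ICS ports are ignored: the point is not to catch all unusual traffic
    but specifically the unauthenticated protocols the field devices trust."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        flow = parse_flow(raw)
        protocol = ICS_PORTS.get(flow["dport"])
        if protocol is None:
            continue  # not a control protocol port; out of scope here
        if source_is_allowed(flow["src"]):
            continue  # expected operator traffic
        findings.append(
            {
                "ts": flow["ts"],
                "src": str(flow["src"]),
                "dst": str(flow["dst"]),
                "protocol": protocol,
                "reason": "control protocol reached from outside allowed subnet",
            }
        )
    return findings


if __name__ == "__main__":
    for f in find_unexpected_ics_sessions(SAMPLE_FLOWS):
        print(f"{f['ts']} {f['src']} -> {f['dst']} [{f['protocol']}]: {f['reason']}")
```

Run against the constructed sample, the two sessions from 192.168.77.9 and 172.16.9.3 are flagged while the HTTPS connection on port 443 is ignored. In practice the allow-list would come from the site's network design, and the same check is usually enforced at the segment firewall as well as logged, since the field devices cannot verify the sender themselves.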
“The problem is that these protocols were designed decades ago and back then industrial systems were meant to be isolated from the outside world,” Cherepanov explains. “Thus, their communication protocols were not designed with security in mind. That means the attackers didn’t need to be looking for protocol vulnerabilities; all they needed was to teach the malware to ‘speak’ those protocols.”
The December attack on Kiev was a pretty small-scale affair, to be sure – but may have been a ‘dress rehearsal’ for a wider Industroyer attack. Either way, Cherepanov says, the attack “should serve as a wake-up call for those responsible for security of critical systems around the world.”
It’s as scary as it sounds, with implications for every organization that relies on critical infrastructure, says Andrew Clarke, EMEA director at security firm One Identity.
“First, [Industroyer is] very difficult to detect, because it uses known and allowable code, yet in nefarious modes. In addition, we’re not talking about stealing some incriminating photos from some celebrity’s cloud storage location. This is controlling the power grid. It means that hospitals could lose power mid-surgery. Or traffic lights cut out causing accidents. The ability to alert citizens to bad weather halts.”
New normal, new responses
At Tenable Network Security, however, federal technical director John Chirhart argues that this situation of constant security scares should be viewed with some perspective.
“With all of the buzz around Industroyer being ‘the next Stuxnet’, you’d think it was one of the most sophisticated threats out there, but with no zero days in the Industroyer payload, the significance of this malware as a standalone event is small.”
But, he added, malware like Industroyer or WannaCry represents the “new normal” of today’s security environment and requires a new approach to match. “There’s no way to be strategic about your security if you’re always reacting to the threat of the day.”
“As cloud and IoT break down the distinction between operational technology like ICS/SCADA and information technology like laptops and mobile devices, most security vendors have failed to innovate at the rate of change, so the convergence of modern IT and OT [operational technology] computing assets is leaving customers struggling to discover and secure all the devices on their networks.”