25. April 2012 16:08
Hackers are using social media and less obvious technical exploits to target a wider variety of computer systems
In 2004, the SQL Slammer virus infected over 75,000 computers in the first ten minutes after a 17-year-old hacker unleashed it on the world from his bedroom. Many of those computers happened to be in critical infrastructure facilities, but it did not specifically target industrial control systems (ICS).
Six years later, the Stuxnet virus was discovered and wiped away any remaining illusions about the security of ICS or "security by obscurity."
Cyber security threats facing SCADA and other industrial control systems continue to evolve, and hacking techniques have shifted from frontal assaults to more stealthy approaches. That's the outlook from Jonathan Pollet of Red Tiger Security, who is also an instructor at SANS.
"Denial-of-service attacks are less common now," explained Pollet.
Instead, hackers now look to quietly plant bugs that remain on computer systems below the security radar so that they can collect more information about the target system and construct more sophisticated attacks.
They are also making increasing use of new technologies as well as good old-fashioned social engineering to gain information about the systems they want to infiltrate.
One test conducted by security researchers used a stock photo of a pretty model and a bogus profile to build a network of high-ranking military and government figures. Within two months, "Robin Sage" had not only built a formidable number of friends but was also able to get many of them to share sensitive information about the systems they worked with.
"Robin" was a guy, by the way—a small irony in a much larger story, but it points to the capacity for deception that lies in social media networks.
Pollet outlined a few best practices (e.g., whitelisting, device-level firewalls and simply using the authentication capabilities that come with the given system). These can at least keep ICS safe from novices hacking after school. But he also suggested ICS operators go on the offensive and start collecting information not only on cyber security threats and software loopholes but also on the groups who might seek to do them harm.
No system is entirely secure, but as cyber security threats continue to evolve in tandem with the technologies we use in our daily lives, it makes sense that ICS operators would want to move toward a more proactive posture.