The lack of comprehensive investigation and sharing of lessons from industrial control system incidents will continue to leave others as sitting ducks.

This past week news has surfaced about cyber-attacks directed against German industry. In particular about a suspected case of cyber espionage at ThyssenKrupp (1) (2). The announcement that a German steel maker was cyber attacked reminded me about the 2014 German Federal Government IT Department’s (BSI) report of a cyber-attack at an unidentified steel mill which resulted in some unspecified damage. Earlier we heard the Director of the IAEA announce in public about a cybersecurity incident at an unspecified nuclear power plant at an unspecified time in the past 2-3 years (3). This also followed news of some unidentified viruses at some unidentified nuclear plant in Germany. (4) The publically available information about these incidents succeeds in raising some anxiety but offers no practical guide on how to prepare for a similar attack.

I think to myself. If I was the cyberspace version of Sherlock Holmes (5) or Arkady Renko (6) I would really want to find out what is behind these incidents. Would start by asking some questions: are the incidents linked? Who is doing it? Is it the work of one team or are there separate teams acting independently? Who is directing the activity: a government, a criminal organization, or a socially motivated hacktivist? How are the attacks developed and executed and who is involved? What are the lessons-learned? How to address these dangerous cyber-attacks in the future?

Judging from what is publically disclosed about these incidents any investigations that are conducted are not done in a way that would be of useful to either victim or future victims of such attacks. It would be better if an official investigation led by the affected plant and aided by experts representing a community of interest (coming from more than one country or institution) were to be conducted. These incidents provide an opportunity that could produce some valuable lessons learned and serve the interests of other concerned operators of critical infrastructure. Too often, when there are indications that an investigation is performed, actionable detailed information and derived lessons are kept within a closed circle leaving little to help the next victim. One interesting model worth considering would be the “Conficker Cabal”. An ad hoc international community of interest that recognized the potential dangers of the “Conficker” malware that banded together to respond in time before governments could become organized. Nice book was written about this effort with a slightly inflammatory title: “Worm: The First Digital World War” by Mark Bowden (7).

In the case of cyber-criminal activity, the possibility to conduct such a multi-institutional and international investigation does exist. The cybercrime unit of Interpol for example does have this capability but unfortunately, they drop the case once they discover evidence of state supported activity (8). This is a real shame for there appears to be no other international organization with the capability to address the more sophisticated and far more dangerous cyber-attacks perpetrated by states or those they sponsor which I referred to above. Needed is an organization, whether it be an Ad Hoc grouping or a formally accredited international organization that can organize the effort to investigate these serious incidents. This collected expertise is required to come up with a description of what happened and how future incidents can be prevented. Most importantly, this information is to be shared within an established community of interest. Otherwise, offense will stay two steps ahead of defenders who will continue to be isolated from each other and sitting ducks for the next attack.

References

1. Riley, M., Robertson, J., “Cyberspace Becomes Second Front in Russia’s Clash With NATO”, Bloomberg October 14,2015.

2. https://www.bloomberg.com/news/articles/2015-10-14/cyberspace-becomes-second-front-in-russia-s-clash-with-nato . Accessed December 13, 2016.
3. Constantin, L., “Cyberspies stole secrets from industrial giant ThyssenKrupp”, Dec 8, 2016 , http://www.csoonline.com/article/3148704/security/cyberspies-stole-secrets-from-industrial-giant-thyssenkrupp.html , accessed December 13, 2016.

4. Shalal, A., “IAEA chief: Nuclear power plant was disrupted by cyber attack” .Mon Oct 10, 2016 http://www.reuters.com/article/us-nuclear-cyber-idUSKCN12A1OC Accessed December 13, 2016.

5. Ibid.

6. https://en.wikipedia.org/wiki/Sherlock_Holmes .

7. https://en.wikipedia.org/wiki/Arkady_Renko .

8. Sadauskas, A. “Inside Interpols digital crime centre“ , October 21, 2015, http://www.itnews.com.au/news/inside-interpols-digital-crime-centre-410768?eid=3&edate=20151021&utm_source=20151021_PM&utm_medium=newsletter&utm_campaign=daily_newsletter , accessed on December 13, 2016 .

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and member of ISA 99 Workgroup 14 on security profiles for substations.