I will be giving a lecture on ICS cyber security risk at the Fraunhofer Institute in Germany on December 2nd. In preparation for the lecture, I was looking into the recent HAVEX and BlackEnergy malware attacks and how they can affect ICS cyber risk. Risk is defined as frequency times consequence. There is little information on the frequency of ICS cyber attacks. The next issue is how to define consequence. HAVEX and BlackEnergy have been targeting selected ICS vendor HMIs that could be used to give remote access to the attackers. Even though the purpose of HAVEX and BlackEnergy appears to be exfiltrating information, there is nothing to stop the attackers from taking other actions. (Stuxnet was initially thought to be only about exfiltrating information.) It is possible that attackers could log in and send commands to the computer. Once your computer is owned, there is not much the attacker can't do. This brings up the question of how consequence is defined.
The Aurora event can be initiated by the remote closing and reopening of breakers from the SCADA HMI. If the attackers “own” the HMIs, there are avenues for initiating Aurora events. Aurora has yet to be adequately mitigated by the utility industry. Moreover, much of the classified information on Aurora has been made public by DHS. As the information on Aurora is public and there may be unauthorized access to ICS HMIs, I would consider this situation to be a significant risk to our critical infrastructures.
Joe Weiss