Optimization / Industrial Ethernet / Cybersecurity

Evolving response beats mutating cyber threats

Dynamic cooperative response by suppliers and users can mitigate cyber threats and attacks

By Jim Montague, executive editor, Control

HUG 2015Banner

Cybersecurity threats and attacks are always mutating, so protective measures must be equally vigilant and adaptive. Luckily, process manufacturers and other industrial organizations have many partners, such as Honeywell Process Solutions (HPS) and Intel, who can help them coordinate protection of their systems.

A living example of this cooperation on cybersecurity was delivered today by Raj Samani, CTO for Intel Security's Europe, Middle East and Africa division, and Eric Knapp, director of cybersecurity solutions and technology for HPS, at the 2015 Honeywell User Group Americas conference in San Antonio, Texas. They presented "Botnets and Zombies—Managing Risk in a World of Uncertainty."

Their coordinated response on cybersecurity is good news because not only are cyber threats, malware and attacks evolving and multiplying, but the criminals that launch them are growing increasingly sophisticated, elusive and well-funded, Samani said. "In the past 12 to 18 months, Intel Security worked with several law-enforcement agencies to eliminate the criminal infrastructure responsible for the Beebone botnet," Samani said. Traditional enforcement is no longer viable in these situations because, even though Beebone was completely taken down in April 2015, there were still about 12,000 systems infected by it. That number has since swelled to 36,000. At first, most were thought to be in the U.S., but then even more infected systems were found in Europe, the Middle East, South America and Southeast Asia, notably Iran, Peru, Indonesia, Vietnam and several former Soviet republics.

Mutations 35 times a day

"In the past, malware like the Zeus Trojan sent 20-millsecond post requests every 53 seconds, so it was easy to see when a computer had been infected," explained Samani. "Beebone W32/Worm-AAEH, on the other hand, was constantly modifying itself about 35 times every day." The worm had been running since 2009, so had six years to infect PCs worldwide, usually via removable drives. "Its aim is to avoid detection, and it was clever enough to actively block efforts to clean it," Samani said.

Consequently, Beebone was not easy to crack. But Intel Security worked with the FBI, the U.S. Dept. of Justice, Europol and the Dutch National High Tech Crime Unit. Samani reported that Intel created successive domain generation algorithms (DGAs) to understand patterns in Beebone's changing message destinations; learned it was sending data to a series of time-checking websites; seized these domains and created a "botnet sinkhole" to divert some Beebone traffic into a secure infrastructure; and secured authorization from European authorities to shut down the sites' physical locations.

"The reality of cyber threats is usually very different from even experts' perceptions. We thought there were far fewer infected devices than there were," said Samani. "These attacks and threats can infect and obfuscate at will across the world and stay a step ahead of law enforcement. That's what we're up against." Intel worked with the U.S. Dept. of Homeland Security and the U.S. Computer Emergency Readiness Team to develop Beebone remediation tools and made them available to everyone on those websites. However, less than 3% of those that could use it to clean their systems actually did so, Samani said. "This is another challenge.

"In the past 12 months, there have been more takedowns, but the criminal infrastructure is fighting back hard. In fact, anyone can become a cyber criminal by using freely available tools or by engaging hacking as a service. There are about 20 to 30 cyber crime organization available for hire."

Active defense required

To combat these cyber threats and attacks, prescriptive solutions aren't enough because the threats are dynamic and mutate so quickly, added Honeywell's Knapp. "This is why a risk-based approach to cybersecurity is so important. You have to first identify what's important to you and monitor what's going on in your applications and systems, so you can be as dynamic in your protection as your adversary."

Samani echoed this sentiment, noting that cyber threats actually provide many opportunities to manage and mitigate risk and bring them down to acceptable levels. "Three years ago, I was in the Middle East at a digitally controlled oilfield that had remote management of its offshore facilities. They were eliminating gaps between IT and operational technology (OT), and this meant they could do more remote maintenance instead of sending individuals out to do it. All kinds of brownfield and greenfield plants are automating response in these ways, and this can be very useful."

Knapp added that HPS demonstrated remote substation monitoring about three years ago, and that this solution can address threats mostly automatically. "Cybersecurity used to mean less communication, but this solution shows it may actually mean more communication," said Knapp.

To manage risk and bring cyber threats down to acceptable levels, Samani added that HPS and Intel still advise users to adopt defense-in-depth strategies, use blacklisting and whitelisting tools, and implement sandbox technologies to improve their security. "The first step is to create a baseline and enforce it," added Samani. "Then establish a whitelist. The oil field I visited used network filtering and segmentation, as well as blacklisting and whitelisting."

"Intel is also adding hardware attestation right down to the silicon and operating systems to help detect advanced threats," Samani said. "We're also working on active-management technology to integrate cybersecurity right down the stack."