Director Michael Mann’s cyber-thriller Blackhat was panned by critics when it opened in 2015. “Like watching software run itself”, wrote the New Yorker. “Heat without the heat”, said the Chicago Reader (referring to Mann’s 1995 scenery-chewing Al Pacino vehicle).
Yet its main premise – that a hacker can remotely cause a nuclear power plant to explode – was ostensibly plausible and continues to scare security professionals, with research out today (April 18) showing how widespread such concerns are in the energy and oil & gas sectors.
Tripwire’s survey of 151 IT and OT workers in the energy industry found a massive 70 percent are concerned that a successful cyberattack “could cause a catastrophic failure, such as an explosion.”
The alarm is understandable: Honeywell last year reported that 53% of industrial facilities have experienced a breach. And last year multiple security groups published findings on malware built specifically to attack industrial equipment.
“Energy companies have accepted the reality that digital threats can have tangible consequences,” said Tim Erlin, vice president of product management and strategy at Tripwire. “This perception is perhaps heightened by recent attacks that were specifically designed to affect physical operations and have proven capable of doing so.”
The Worm Turns
Stuxnet, uncovered in 2010 by Kaspersky Lab, caused substantial damage to Iran’s nuclear programme. Other such weapons have since followed fast.
Grid-hacking tool Industroyer, or Crash Override, was revealed by the security firms ESET and Dragos Inc in mid-2017 and is believed to have caused a blackout in Kiev at the end of 2016, following an attack on Ukrainian electric utility Ukrenergo.
Triton, meanwhile, discovered by the firms FireEye and Dragos, was identified in late 2017 and reported to be an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. (“It could prevent safety mechanisms from executing their intended function, resulting in a physical consequence”, FireEye said.)
Tripwire’s survey, conducted by Dimensional Research and focussing on industrial control system (ICS) security in the energy industry, also found that a huge 97 percent of respondents were concerned that attacks could cause operational shutdowns, and 96 percent believe they could impact the safety of their employees.
Just under 60 percent said their companies had increased security investments because of ICS-targeted attacks like Trisis/Triton, Industroyer/CrashOverride and Stuxnet.
With not a musclebound Hollywood superhero in sight to help, Tripwire said: “It is widely recommended that organisations properly secure their critical infrastructure ICS with a layered approach, commonly referred to as Defense in Depth. In the survey, only 35 percent of respondents said they implement a multilayered approach to ICS security. Thirty-four percent said they focus primarily on network level security, and 14 percent said ICS device security.”