3 ICS Security Incidents that Rocked 2016 and What We Should Learn from Them


Physical and digital systems are increasingly linked together in modern industrial environments like those seen in the United States. While this connectivity automates the operation of industrial control systems (ICS), it also means a digital attack against our nation’s critical infrastructure could negatively affect people’s physical health and safety. In the name of national security and public health, it’s imperative that IT and OT professionals put their heads together to strengthen the United States’ security posture when it comes to industrial control systems, among other areas. They can start by learning from the past.

Celebrating the fifth and final week of National Cyber Security Awareness Month (NCSAM) 2016, we at The State of Security would like to emphasize the goal of building resilience in critical infrastructure. We’ll do so by discussing three ICS security incidents that rocked 2016 and by sourcing expert opinion on what we can learn from each of those events.

1. Operation Ghoul

In August 2016, researchers at Kaspersky Lab uncovered “Operation Ghoul,” a spear-phishing campaign targeting industrial organizations in the Middle East. Each attack began with a phishing email that appeared to come from Emirates NBD, a bank based in the United Arab Emirates. In reality, the email was a fake. It came with an attached document laced with HawkEye, malware which collects victims’ keystrokes, clipboard data and other information on behalf of the attackers.

At the time of discovery, Kaspersky had identified 130 victims of Operation Ghoul. Many of those organizations operated in the petrochemical, naval, military, aerospace and heavy machinery industries located in Spain, Pakistan, the United Arab Emirates, India, Egypt, and elsewhere around the Middle East.

What We Should Learn

Lane Thames, a software development engineer and security researcher with Tripwire’s Vulnerability and Exposure Research Team (VERT), feels Operation Ghoul highlights the security industry’s ongoing need to address human error when defending against digital attacks:

“Operation Ghoul was an interesting attack campaign because it exploited the ‘human element’ in order to penetrate its target, and it used commercial-off-the-shelf malware to achieve its final outcomes. There was no innovation in this campaign, which successfully hit mostly industrial and engineering organizations.

“The attack is one of many that continues to illustrate, unfortunately, that we are still lagging behind the bad guys in this game of cybersecurity. Cybersecurity is a hard problem, and a solution cannot be approached by technology alone. There is a human component as well as a technology component in the solution space. Both must be addressed in order to start gaining ground in this field.

“I personally believe that we have a long way to go because we are failing miserably at addressing the human component of cybersecurity. Our educational ecosystem is not properly focusing on this problem. In the short term, organizations should focus on continuous cybersecurity training and awareness for their employees.

“For the long term, we need to start teaching our youngsters early on about the consequences of using digital technology. The fundamentals of cybersecurity need to be integrated into our education programs, especially STEM-based curricula. Future students are the ones who will be developing our technology of tomorrow. They need to know how cybersecurity works just as much as one who specializes in cybersecurity. Until we start addressing the educational front, I’m afraid the bad guys will continue to win.”

2. BlackEnergy-Borne Power Outage

On December 23, 2015, the western Ukrainian power company Prykarpattyaoblenergo reported a power outage that affected an area including the regional capital Ivano-Frankivsk. An investigation later determined that attackers had leveraged a Microsoft Excel document containing malicious macros to compromise an employee’s workstation and insert BlackEnergy malware into the company’s network. The malware provided the “intrusion” while the attackers cut off power to the affected region.

What We Should Learn

Pavel Oreški, an IT analyst at Tripwire’s parent company Belden, says the attack demonstrates how spam mail still continues to pose a serious threat to organizations:

“The BlackEnergy malware incident at the Ukrainian power company Prykarpattyaoblenergo shows precisely how an unthinking act of just one employee can lead to a very destructive event. I can’t help but imagine a similar attack affecting a nuclear power plant with much worse consequences.

“In this case, the attack started after the recipient opened an Excel document and trusted an unverified email sender enough to enable macros. All of us encounter similar types of spam mail on a daily basis. I sure do.

“What if I were to ignore IT security principles and click on the document? That could allow the attacker to corrupt the disks of our enterprise resource planning (ERP) system, for example. During recovery, the company might be paralyzed for a few hours, an outage which could cause purchase, production, and delivery delays with unhappy customers as a result.”

3. Iranian Dam Attack

On March 24, 2016, officials at the Department of Justice publicly accused an Iranian hacker of gaining unauthorized access to the Bowman Avenue Dam, “a very, very small” structure used for flood control near Rye, NY. Law enforcement launched an investigation into the incident and determined that the hacker never succeeded in gaining control of the dam. They did find, however, that the hacker probably learned vital information about how the structure operates.

The hacker belonged to a group of criminals who, with the likely sponsorship of Iran’s Islamic Revolutionary Guard, is believed to have leveraged distributed denial-of-service (DDoS) attacks to block access to the websites of 46 financial institutions, including JPMorgan Chase, Bank of America, the New York Stock Exchange and Capital One.

What We Should Learn

Keirsten Brager, CISSP, CASP, a Tripwire Resident Engineer at a major power utility, notes there’s a lot going on in this story but that organizations can take steps to protect themselves:

“Three issues stand out in this article: malware infections of third parties, botnet-based distributed denial-of-service (DDoS) attacks against web apps, and remote access vulnerabilities. While no solution is foolproof, there are defense in depth strategies that can mitigate the risks that accompany these threats.

Malware: Defend, Detect, Respond
  • Keep patches up-to-date on systems AND applications. In one of the incidents, Symantec reported that the RIG exploit kit was used to check for vulnerabilities in IE, Silverlight, Adobe, and Java. Unpatched systems were then infected with malware.
  • Since malware continues to evade network security defenses, organizations should continuously assess their endpoint detection and response capabilities. Tripwire has a free Endpoint Security guide to help you: https://www.tripwire.com/state-of-security/incident-detection/advanced-malware-detection-and-response-begins-at-the-endpoint/
  • Deploy web app firewalls, such as Imperva, to automatically block known attacks against web apps.
DDoS Mitigation
  • Change default passwords to prevent devices from becoming part of a botnet. Malware was used to scan the internet for default passwords on IoT devices that were then used as part of a botnet in the recent DDoS attacks against security researcher Brian Krebs and internet infrastructure company Dyn.
  • Use services such as OpenDNS to distribute denial-of-service traffic across multiple nodes to lessen the impact on the infrastructure behind it.
  • Deploy routers and/or firewalls that can detect DoS attacks and filter traffic to drop packets that match attack patterns.
The Case for Multi-factor Authentication Investments

“These incidents demonstrate that one of the best access control defenses available is multi-factor authentication for remote access.

“Organizations can build resilience in their critical infrastructure by prioritizing malware, DDoS, and remote access protection strategies. However, even the most well-thought-out security program cannot prevent every attack. Therefore, detection via continuous monitoring and response capabilities are paramount for an organization to quickly recover from a cyber incident.”


As in IT environments, industrial organizations can best protect themselves against an ICS security incident by training their employees and by following security best practices. That’s an excellent lesson for industrial companies to keep in mind as we head into Critical Infrastructure Security and Resilience Month (CISR).

To learn more about that public awareness campaign, including what your organization can do to help build resilience in our nation’s critical infrastructure, please click here.
