The first cyber attack on a Critical Infrastructure ... revisited
Agustín Valencia Gil-Ortega
OT/ICS/xIoT Cybersecurity Development - Regulation, Risks and Emerging Technologies Analysis
When do you think the first cyber attack on critical infrastructure happened?
Many will quickly say "2010, Stuxnet!!" In fact, it was the attack that told the world that automation control systems were connected and that security was something critical that had to be seriously addressed by the whole industry, from technologists to end users.
According to the RISI Incident Database, there were many incidents before that, and number one on the list dates back to 1982.
It was said to be the biggest non-nuclear explosion, even visible from outer space.
At the time it was considered just an espionage/counter-espionage and sabotage action, but it is very interesting to recall and revise it against current risk scenarios. Please read it with these current topics in mind: "supply chain risk", "embedded systems risks", "skills gap", "cyber informed engineering" and "deception technology".
It started with Agent "Farewell" (as the French labelled him), Colonel Vetrov, who served as one of the heads of the KGB directorate tasked with stealing Western technology. In 1981, angry at the KGB and the Soviet Union for being banned from foreign field work, Vetrov suddenly sent French intelligence, la Direction de la Surveillance du Territoire (DST), a collection of over 4,000 pages of highly classified Soviet documents pertaining to industrial espionage ventures. It was immediately clear that the intelligence was vital. The data included the names of 250 KGB agents (located abroad and well covered) tasked with stealing Western technology, but the most useful item was a "wish list" of the technologies most sought by Soviet intelligence.
The CIA then decided to leak many of the items on the wish list to the Soviet agents, carefully doctoring them to be ultimately useless or even hazardous. The technology was wide-ranging and included stealth, attack aircraft, space defense, and even the design of a discarded space shuttle model from NASA.
It was in 1996 that the CIA disclosed a document explaining the "affair". It was titled "The Farewell Dossier: Duping the Soviets", by Gus W. Weiss.
There were different targets, and one was the Urengoy-Pomary pipeline (the first part of the current Urengoy-Pomary-Uzhhorod pipeline). It was a big project in which the Soviets were trying to acquire Western technology from countries such as France, Great Britain, Italy, Germany or Canada (turbines, compressors, control systems, etc.) but were being blocked by US sanctions.
One of the few accounts of the "Farewell Affair" was authored by Thomas Reed, former Secretary of the Air Force (1976-77) and national defense advisor to the Reagan Administration. In At the Abyss: An Insider's History of the Cold War, released in 2004, Reed explains:
To automate the operation of valves, compressors, and storage facilities in such an immense undertaking, the Soviets needed sophisticated control systems… Russian pipeline authorities approached the US for the necessary software, [but] they were turned down. Undaunted, the Soviets looked elsewhere; a KGB operative was sent to penetrate a Canadian software supplier in an attempt to steal the needed codes. US intelligence, tipped by Farewell, responded and – in cooperation with some outraged Canadians – "improved" the software before sending it on… the pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to the pipeline joints and welds. The result was the most monumental non-nuclear explosion and fire ever seen from space. At the White House, we received warning from our infrared satellites of some bizarre event out in the middle of Soviet nowhere.
It is not known whether the explosion caused deaths, and, moreover, the Soviets denied everything, so it is impossible to know.
Colonel Vetrov was arrested, and, in the ensuing investigation, his espionage activities were discovered. In August 1983, Vetrov was charged with treason. He confessed to handing over 4,000 documents that were classified as top secret to the French, including resolutions from KGB chairman Yuri Andropov, and notes from Leonid Brezhnev.
He was found guilty of treason, and in 1985, he was shot to death.
Now let's think: how different are the new times? We are again observing sanctions among countries, and it is clear that we are returning to two geopolitical blocs. We cannot say we are in a Cold War era, but maybe we are approaching a "Hot Peace" (personal impression).
If this was possible more than 40 years ago, would an attacker need nation-state capabilities to achieve it nowadays, or just need to discover bad configurations in a third party's perimeter (no matter whether in data centres or in the cloud) to access repositories and modify them? Do we remember the SolarWinds attack in 2020? It is one of the few times that an attack is remembered for the victim and not for the attacker or cyber arm (Nobelium), and although it revealed great abuse of a Russian APT over cloud infrastructures, the message is that the attackers were able to modify SolarWinds repositories with altered software versions and to reach end users so that they downloaded and installed them.
So how concerned are users about cloud security? 96% of respondents to the Fortinet 2024 Cloud Security Report are moderately to extremely concerned about cloud security.
And analysing how data leaks continue to evolve, what is the essence of traditional espionage but swapping microcameras and microfilms for encrypted and obfuscated files hidden by means of steganography? How many disciplines should be put together to tackle the threat efficiently? We need to think about the skills gaps users are most concerned about: Cloud Security, Identity and Access Management, Governance, Security Monitoring, Threat Intelligence and Technical Security Skills score really high in the same report.
According to the 2024 Fortinet Skills Gap Report, 70% of respondents agree that the cybersecurity skills shortage creates additional risks for their organizations.
Let's think of embedded systems security. It was recently published that Stuxnet also started with malware installed in a hydraulic system skid: just a pumping system for the buyer, but a complex system with controller, HMI, storage and communication capabilities. It performed its function, but many more as well, not "necessarily" required by the customer. Many sectors are starting to establish programs for Third Party Risk Management (TPRM), and some sectors have even started mutually agreed certification programs, such as automotive with TISAX. These initiatives are needed and will establish mechanisms for continuous security improvement, but they will not necessarily give assurance for all products released from the assembly lines, where "Secure by Design" should guide product security improvements. It is interesting to follow the EU CRA initiative to raise levels for IoT, but more specifically ISA/IEC 62443-4-1 (Product Security Lifecycle) and 62443-4-2 (Product Security Requirements) to address these critical aspects for devices intended to be part of critical infrastructures; the ISA IIoT Component Certification based on 62443 is also recommended reading.
In fact, the increasing complexity of embedded systems and how they interact with processes, networks, clouds and supply chains has motivated a very interesting initiative by MITRE to develop a threat model called EMB3D. It is something very interesting to follow and to link to TPRM and PSIRT (Product Security Incident Response Team) initiatives.
By the way, is anyone in the room still thinking these things are not possible? According to Fortinet's 2024 State of Operational Technology and Cybersecurity Report, more than half of respondents confirm that intrusions are impacting productivity, revenue, compliance requirements and physical safety. There is also a great increase in the number of respondents who observe an impact on brand degradation.
Recent cyberattacks and new legislation (SEC rules in the US or NIS2 in the EU) are opening broad discussions within businesses, where the key concept for understanding the criticality of an asset is its impact on the process, and one useful methodology for that is Cyber-Informed Engineering. This methodology helps in understanding the relationship between the process, its assets and its networks, so that it becomes an input for industrial risk assessment and for the determination of zones and conduits according to ISA/IEC 62443-3-2.
How have security projects improved the cybersecurity of OT/ICS networks and systems, according to the same report? There are some improvements, and there is a relationship between concerned users and their journey to improve defenses, but it is still far from 100% of respondents.
And last but not least, let's think of Deception Technology. If you read the original dossier, the act of allowing the exfiltration of deliberately altered software was named a deception operation. The concept has existed since then, but it is very interesting to raise it nowadays.
Let's recall: when the dossier came "to the victim", more than "250 spies were inside the perimeter". Shouldn't we associate this with the philosophy of "assume breach"? Would it have been better to close all communications, isolate all systems and investigate all people inside, or, on the other hand, to reinforce defenses around the most critical assets while allowing access to others, not real but seeming to be real, to discover more information about the threat agent and even go further with granular response actions?
It is not about abandoning the established initiatives, but about understanding that it is very difficult to accelerate them for the whole company, especially with high levels of outsourced services. It can be really interesting to choose deception as a way to prioritize the defense of critical processes: placing systems or files similar to the ones the attackers aim at, in order to drive advanced detection and response capabilities. Unlike traditional honeypots, these are easily deployed and scalable, but specially designed for your internal networks, where attackers have already been for months.
In conclusion, traditional attacks continue to teach us many lessons for revisiting our cybersecurity strategies. Attackers will leverage tools and opportunities in a growing attack surface but will not change their foundational strategies, so let's think of new approaches, thanks to new methodologies and applied technologies, to balance the game with our limited resources.
Improving the resilience of critical infrastructure for the energy industry
4 months: Hi Agustín Valencia Gil-Ortega, a very interesting account of that incident. A combination of spies and technology. I would be interested in the opinion of Professor Jon Lindsay at Georgia Institute of Technology, who has studied these topics in his course Geopolitics of Cybersecurity.
Strategy | Multicultural & International | General Manager
4 months: In those days everything there was analog. It was a miracle to make it work in the first place. Accident par excellence ;-). But yes, paranoia was everywhere, so they may have used that to blame others.
Cantina360 - HCRM Academy - Human Focused Insider Threat Programme and Training.
4 months: The first control system cyber attack was carried out in 1903, not the 1980s? If Marconi's hacked presentation on wireless telegraph is not included anymore, why would that be?
Sales, Business Development and Consultation experience in Industrial Automation Systems and Applications
4 months: Interesting!
Building the Core of Tomorrow, Powering Up Future Energy Systems, Securing Critical Infrastructure with Cyber Resilience, Accelerating AI Evolution.
4 months: Thanks for posting this