Last year's Stuxnet and Aurora attacks have shown us that malware development has become a professional job.
These threats targeting the process industry were written by highly intelligent developers, financed by huge investors, and possibly even by governments.
Yet every time a new attack is discovered, experts are left wondering how the malware was developed so quickly. And while the experts are scratching their heads about the attack du jour, cybercriminals are already working on a new, even stealthier attack.
What is even more troubling, the criminals are getting increasingly ambitious, raising the stakes even higher. In the old days, they were satisfied stealing money from bank accounts, but now the ultimate goal is stealing data and proprietary corporate information. We're not far from a world in which the criminals are trying to gain total control of industrial processes to cause destruction or possibly harm the health of the population.
Protecting the process industry
Stuxnet shows just how plausible a threat scenario is – not just in Iran, where the patching policy might not be as strong as it should be – but also in North America and Europe.
Even organizations that implement security measures are vulnerable to attacks.
For instance, in the Dutch process industry, control systems are not attached to the corporate network, providing some protection against a large attack. Yet even though the process systems are on their own “island,” they do have infrastructural connections to “the mainland,” if only through a handful of people who have access to both. While this approach does create a buffer of sorts, it is by no means fail-safe.
In the United States, organizations tend to take a fully networked approach, making a trade-off between productivity and security. As for the threat of malware in process industries, unfortunately, organizations may have to make tough choices between amplifying security and maintaining optimal productivity.
To properly combat the threat of these attacks, the first step is to fully grasp the urgency of process control systems security. On an individual level, employees who are potential targets should be made aware of the threat and given safety training, whether they are involved in process control or not. The training could be as basic as reminding them to be extremely careful with clicking on links in emails and on social networking sites, or banning USB flash drives from the workplace. These measures can easily be enforced with policy.
However, to really tackle this problem, it will have to be addressed at an international level.
The most practical approach would be for governments to come to an agreement, similar to the way they handled nuclear threats. They should commit to disassociating from developing or financing these attacks. In addition, governments need to commit to procedures to disable further participation, while pledging to investigate and punish responsible parties.
Going even further, corporations should band together, taking a similar approach. For example, with Stuxnet, all corporations that run products manufactured by SCADA (Supervisory Control and Data Acquisition) manufacturer Siemens could share information and protection barriers.
Besides political, police and judicial organizations, the entire international industrial sector should cooperate to minimize the risks of cyberattacks.
Understandably, enterprises are not keen on openly admitting that their systems have been hacked; however, other organizations will benefit from the knowledge, so disclosure should be encouraged.
When information about a cyberattack is shared at an early stage, other companies can take measures against it.
The industrial sector could also agree to fully cooperate in investigations of cyberattacks, even if this means that production has to suffer temporarily, or that certain corporate secrets need to be disclosed to investigators.
While the last condition seems like a bitter pill to swallow, the alternative is far worse.