Malware like NotPetya and Triton highlight the vulnerability of companies to cyberthreats that stem from incursions on operational technology networks.
SAN FRANCISCO -- It was June 27, and a group of chief information security officers had assembled to learn about the vulnerability of companies’ critical infrastructure networks.
Suddenly CISOs’ phones lit up around the room. Galina Antova—who led the workshop and is the cofounder of a company that focuses on securing industrial networks—realized that “something pretty significant was happening.”
That something was NotPetya.
NotPetya (also known as Nyetya) was malware that made its debut via a software update to M.E.Doc, which is accounting software used extensively in Ukraine. But what began as a software exploit that infected enterprise IT networks spread pervasively to disrupt companies’ operational technology (OT) networks. At Chernobyl, a Russian nuclear plant, operators had to revert to older technology after radiation monitoring systems shut down.
The White House deemed NotPetya the most destructive and costly cyberattack in history, causing a reported $900 million in losses. Unofficially, though, a senior U.S. intelligence official disclosed that the dollar amount was likely much higher—to the tune of billions of dollars. Further, NotPetya demonstrated a new kind of attack: the incursion of individual and nation-state actors into critical infrastructure, not only causing financial loss but also threatening human life.
OT networks support infrastructure, such as manufacturing, utilities and defense, as well as building infrastructure that operates key facility systems such as lights, elevators, and heating and cooling systems. OT systems monitor and ensure the safety of these operations. An OT network, for example, may monitor a switch and trigger a shutdown if a certain value is exceeded. While OT systems run critical infrastructure, they paradoxically often run on aging software and obsolete hardware, which makes them difficult to patch and highly vulnerable to exploits by malicious actors.
The Cisco Talos team, a threat and intelligence research team at Cisco Systems, determined that the NotPetya hackers had gained access to administrator credentials at Intellect Service, the makers of M.E.Doc. The stolen credentials were then used to propagate the virus rapidly. Talos worked with M.E.Doc analysts to mitigate the spread of the NotPetya malware and keep constituents informed about details of the malware and its impact.
Cyberthreats like NotPetya demonstrate a new “focus on destroying the last line of defense in safety,” said James Lyne, head of R&D at the SANS Institute, at the RSA 2018 conference.
What makes NotPetya and its ilk of cyberattacks all the more concerning is that OT networks are increasingly connected to enterprise IT networks that house critical company data. As Internet of Things (IoT)-connected sensors and other smart devices proliferate and become part of running businesses, OT networks and IT networks have converged even more—often because of costs or the need for data sharing.
This convergence makes businesses vulnerable to attacks not only on data and IT systems but also on key operational and safety infrastructure.
NotPetya was such an event. Antova noted that the inability of security teams to peer into activities on OT networks made the situation hazardous.
“You do have industrial networks, and they are invisible to your security teams,” Antova cautioned during a session on risk to OT networks at the RSA 2018 conference. She underscored the warning after about 15% of attendees identified themselves as responsible for industrial networks.
As Antova noted, the NotPetya attack also indicated that even if companies secure IT systems and data, their business crown jewels remain vulnerable. “It tells you something about the cybersecurity posture of companies like Merck and FedEx where they are spending millions of dollars on their IT cybersecurity,” Antova noted.
Antova further emphasized that cyberattacks like NotPetya would persist unabated until IT security teams better understand the differences between IT networks and industrial networks. “Something as simple as patching is not so simple in the OT world,” Antova said. “In a lot of cases, you can’t patch [OT networks] because they have dependencies on legacy software that runs on them or because of uptime requirements.”
In December 2017, another cyberattack on OT networks further revealed the vulnerability of enterprises to industrial network attacks.
Triton malware, by contrast, targeted OT networks directly. The attackers, surmised to be a nation-state (later thought to be Iran), managed to gain remote access to an engineering workstation in Saudi Arabia. The attack exploited flaws in security procedures and, ultimately, an unknown vulnerability in Schneider's Triconex Tricon safety system firmware.
The attackers intended to manipulate emergency shutdown protocols so the system would continue to run without alerts about a safety breach, while giving the attackers the ability to burrow deeper into the system. The incursion was discovered only by chance, after the malware inadvertently triggered emergency system shutdowns. The identity of the attackers and the full intention of the attack remain unknown.
But what is known is that these kinds of cyberattacks are becoming more common, with brazen actors testing the limits of industrial networks, often targeting key safety systems.
“We have seen tremendous expansion of attacks on critical infrastructure,” Antova said. Further, she urged, while initially attacks on safety systems focused on reconnaissance, today “nation-state attackers are moving into a new phase. Now attacks are taking position in [industrial control system] networks, and you can only imagine the implications of that,” she warned.
Antova made several recommendations for enterprises to prepare against cyberattacks on OT networks.
Lauren Horwitz is the managing editor of Cisco.com, where she covers the IT infrastructure market and develops content strategy. Previously, Horwitz was a senior executive editor in the Business Applications and Architecture group at TechTarget; a senior editor at Cutter Consortium, an IT research firm; and an editor at the American Prospect, a political journal. She has received awards from the American Society of Business Publication Editors (ASBPE), a min Best of the Web award and the Kimmerling Prize for best graduate paper for her editing work on the journal article “The Fluid Jurisprudence of Israel's Emergency Powers.”