Cyber Attack Task Force - Final Report - NERC
Appendix J: Case Studies
Breaking Air Gap Myths About Control System Inaccessibility - Stuxnet
Just because there is an "air gap" doesn't mean a control system is inaccessible to adversaries. Stuxnet is a good example. A USB thumb drive can be carried from an infected host machine and inserted into a host on the air-gapped target network. Stuxnet can then propagate across the local target network via multiple exploits. That propagation forms a hostile peer-to-peer (P2P) network, which relies on the probability of finding resident hosts with direct or indirect internet access. Stuxnet then uses those hosts to establish an indirect Command and Control (C2) bridge for hostile control. In sum, USB served not only as the delivery mechanism but also as the means of establishing a network of hostile P2P relationships within the target network.
Another Example, Breaking Air Gap Myths About Control System Inaccessibility - Buckshot Yankee
SIPRNET is the Department of Defense's (DoD) Secret-level network. This network is commonly perceived as completely air-gapped, yet in 2010 Deputy Defense Secretary William Lynn publicly disclosed a 2008 worm infestation on the network. The DoD response to this infestation was called Buckshot Yankee. Also in 2010, well-known former counterterrorism official Richard Clarke released a book entitled "Cyber War," in which he gave a more detailed account of Buckshot Yankee. The delivery mechanism was USB insertion, much like Stuxnet, but the C2 method was novel. Instead of P2P C2, Buckshot Yankee relied on sneaker-net C2. The infected thumb drive carried not only the malware worm but also a data file. This data file contained requests and responses that served as a C2 channel to the next internet-connected devices the USB drive was inserted into. The result: USB created an effective hostile sneaker-net C2 channel across the perceived air gap that "secures" the target network. The bottom line: USB established a delivery mechanism within an air-gapped network, and repeated use of USB devices between air-gapped and non-air-gapped networks then provided sneaker-net connectivity.
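As an added illustration that is not part of the report, the following Python sketch shows how a defender might look for the pattern both case studies describe: removable media appears on a host inside an isolated control segment, activity then spreads to peers within the segment, and one of those peers opens a connection that leaves the segment (the "bridge" host). The zone range, event format and log rows are constructed assumptions, not data from the report.

```python
import ipaddress

# Assumed isolated control segment; any address outside it counts as "external".
CONTROL_ZONE = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample events: (sequence, host, kind, peer).
# kind is "usb_mount" (removable media attached), "peer_conn" (connection to
# another host inside the zone) or "ext_conn" (connection leaving the zone).
EVENTS = [
    (1, "10.20.0.11", "usb_mount", None),
    (2, "10.20.0.11", "peer_conn", "10.20.0.12"),
    (3, "10.20.0.11", "peer_conn", "10.20.0.13"),
    (4, "10.20.0.13", "ext_conn", "203.0.113.5"),   # bridge to the outside
    (5, "10.20.0.40", "peer_conn", "10.20.0.41"),   # lateral traffic with no USB origin
]


def in_zone(ip):
    return ipaddress.ip_address(ip) in CONTROL_ZONE


def find_bridge_chains(events):
    """Return every usb_mount -> peer_conn* -> ext_conn chain in the event list.

    Each finding names the host where media was attached, the path of peers the
    activity crossed, and the host that finally reached outside the zone.
    """
    reach = {}  # host -> (origin host, path of hosts) once tainted by a USB origin
    findings = []
    for seq, host, kind, peer in sorted(events):
        if kind == "usb_mount" and in_zone(host):
            reach[host] = (host, [host])
        elif kind == "peer_conn" and host in reach and in_zone(peer):
            origin, path = reach[host]
            reach.setdefault(peer, (origin, path + [peer]))  # keep the first path seen
        elif kind == "ext_conn" and host in reach and not in_zone(peer):
            origin, path = reach[host]
            findings.append({"seq": seq, "origin": origin, "bridge": host,
                             "path": path, "external": peer})
    return findings


if __name__ == "__main__":
    for f in find_bridge_chains(EVENTS):
        print(f"air-gap bridge: USB on {f['origin']} -> {' -> '.join(f['path'])} "
              f"-> {f['external']} (event {f['seq']})")
```

The benign lateral row (event 5) is not reported because no removable-media event precedes it; the sequence number is used for ordering, so events can be fed in any order.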
TAKE AWAY: what these examples say about Cyber Attack awareness
Techniques such as using USB devices as delivery mechanisms to enable hostile penetration of targeted "secure" control networks are widely known. Approaches for establishing hostile C2 channels across the gap, using techniques such as P2P or sneaker-nets, are less well known. Techniques like these mean that defensive measures that rely solely on air gaps need to be evaluated skeptically. Other advanced and novel means of hostile penetration, and the means to offer effective layered defense against them, must be considered to achieve true control network and device security and true risk management. These observations point towards integrated consideration of policies, procedures, system design, operational approaches, intrusion detection, anomaly monitoring and awareness technologies which deliver a capability
Cyber Attack Task Force Report 71