- The attackers behind the hack of German federal institutions remained undetected for months due to insufficient IT security technology
- Monitoring results and stability and security audits by Rhebo indicate that networks of critical infrastructure are regularly compromised
- Two case studies outline common cybersecurity incidents
Leipzig, Germany, March 3, 2018 - The recent hack of federal institutions in Germany heightens the fear that even the most secure networks of critical infrastructures can be infiltrated. Our results from audits and monitoring projects using industrial anomaly detection confirm the warnings.
What are we supposed to think when one of the most sensitive networks of the country is safeguarded by state-of-the-art IT security and Frank Rieger, spokesman for the Chaos Computer Club, reacts with a dismissive "But it is not good overall, anyway" on the German IT platform Heise-News?
According to recent reports, hackers have been active in parts of the government network of German institutions for months and have been able to steal data. That the attackers got access to the network at all is bad enough and shows that perimeter barriers such as firewalls and the like can no longer provide sufficient security. More importantly, the hackers were able to remain undetected in the network for a very long time.
Among other professional attack strategies, this was due to the fact that the hackers had learned from the hack of the German Parliament in 2015. Instead of sending large - and conspicuous - volumes of data in the gigabyte range out of the network, they kept the data transfers small. This allowed them to stay under the radar of the usual detection mechanisms of common security systems.
The problem, though, runs deeper. It reveals the fundamentally wrong approach to IT security of the last decades: the borders are protected by rigid rules, while inside the network anything goes.
Peter Welchering, a science journalist focusing on IT security, warns with good reason on Deutschlandfunk: »It’s not only the government network which is vulnerable, as we just have seen. And it’s not only the communication network of the German Bundestag, where the spies romp around. All our so-called critical infrastructure - power, water, and telecommunications - can easily be attacked and therefore are highly vulnerable.«
This threat, in our opinion, has long been the status quo in some telecontrol systems of critical infrastructure. And very few operators know about it. The results from our monitoring projects as well as stability and security audits of industrial companies, network operators and energy companies show that communication patterns indicating compromises are already present.
Case 1: Communication with servers in Asia
For the audits and long-term monitoring projects, the non-intrusive, passive industrial anomaly detection system Rhebo Industrial Protector is used, which decodes and analyzes the entire communication within an ICS or telecontrol system. So instead of only securing the perimeter of a network segment, the internal traffic is monitored completely. The anomaly detection learns the allowed standard communication patterns and processes within a very short time. On this basis, Rhebo Industrial Protector reports any deviation (or anomaly). Such a deviation can be a technical fault or a security gap.
For example, network operators repeatedly found individual workstations that freely communicated with servers abroad (including in Russia and China) to resolve domain names into IP addresses. The network administrators were always unaware of this undesirable communication. In one case, malicious software was found on the workstation responsible for this suspicious communication. Presumably, the DNS server abroad that was being queried was a command-and-control server controlling the malicious software.
Rhebo Industrial Protector shows the anomaly as communication with a server abroad
Case 2: A configuration that invites system failures
In another case, at an energy grid operator, we discovered two switches that kept trying to send DHCP requests. The DHCP protocol enables new participants to be integrated into an existing network without manual configuration of the network interface. The necessary settings, such as IP address, netmask, gateway and name server (DNS), are assigned automatically.
Within an ICS this automatic assignment of settings is not wanted. If a DHCP server is introduced into the network, whether unintentionally (e.g. via a maintenance laptop) or deliberately by an attacker, devices might receive IP addresses that collide with addresses already assigned. As a result, the accessibility and performance of other devices in the network are impaired. This disruption of legitimate devices’ communication can lead to interruptions in the energy supply or even failures of the entire infrastructure. In the case of the monitored energy grid provider, reconfiguring the switches stopped this faulty communication.
Rhebo Industrial Protector with notifications about unwanted DHCP traffic within the network
Preventing hacks and system failures from the start
In both cases the industrial anomaly detection Rhebo Industrial Protector recognized the compromise of the network because the detected communication deviated from the standard pattern. It was irrelevant how large the data transfer was or whether the suspicious communication pattern was already known to be malicious. What matters for the anomaly detection is simply that an analyzed data packet does not belong to the specific communication or behavioral pattern of the respective ICS.
Activities like those reported in the recent hack of German federal institutions would become visible immediately in a thoroughly monitored network, making it easier to stop cyber attacks at the outset.
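As an added illustration of the baseline-learning approach described for Case 1, Case 2 and the paragraph above, the following Python script learns the allowed communication relations from a window of flow records and then reports every later flow that falls outside that baseline. It is example code written for this page, not Rhebo's software, and nothing about the internals of Rhebo Industrial Protector is taken from it. The flow records, the addresses (10.0.0.0/8 as the ICS range, 203.0.113.7 as a foreign resolver), the port numbers and the Flow field names are all constructed assumptions for the example.

```python
"""Baseline-learning anomaly detection over ICS flow records.

Added example, not Rhebo's code. It mirrors the approach the text
describes: learn which (source, destination, protocol, port) relations
are normal, then report any later communication outside that set,
regardless of how much data it carries or whether it is known to be bad.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One summarized flow: who talks to whom, over what, and how much.
Flow = namedtuple("Flow", "src dst proto dport nbytes")

# Assumption for this example: the ICS lives in 10.0.0.0/8.
ICS_NETWORK = ip_network("10.0.0.0/8")
DNS_PORT, DHCP_SERVER_PORT = 53, 67

# Constructed learning window: normal telecontrol traffic observed
# while the detector builds its baseline.
LEARNING_WINDOW = [
    Flow("10.0.1.10", "10.0.1.20", "tcp", 2404, 512),          # RTU polling (IEC 60870-5-104)
    Flow("10.0.1.10", "10.0.0.53", "udp", DNS_PORT, 80),       # DNS to the internal resolver
    Flow("10.0.1.30", "10.0.2.5", "tcp", 445, 2_000_000_000),  # nightly historian backup, large but normal
]

# Constructed later traffic containing the two cases from the text.
OBSERVED = [
    Flow("10.0.1.10", "10.0.1.20", "tcp", 2404, 480),                 # normal polling
    Flow("10.0.1.30", "10.0.2.5", "tcp", 445, 2_100_000_000),         # large transfer, still in baseline
    Flow("10.0.1.10", "203.0.113.7", "udp", DNS_PORT, 64),            # Case 1: tiny DNS query to a foreign resolver
    Flow("0.0.0.0", "255.255.255.255", "udp", DHCP_SERVER_PORT, 300),  # Case 2: DHCP discover from a switch
    Flow("10.0.1.40", "10.0.1.20", "tcp", 2404, 200),                 # unknown device talking to the RTU
]


def learn_baseline(flows):
    """The baseline is the set of communication relations seen during learning."""
    return {(f.src, f.dst, f.proto, f.dport) for f in flows}


def classify(flow, baseline):
    """Return None for baseline traffic, otherwise a short reason for the alert."""
    if (flow.src, flow.dst, flow.proto, flow.dport) in baseline:
        return None
    # Everything below is already an anomaly; the labels only help the operator triage.
    if flow.proto == "udp" and flow.dport == DNS_PORT and ip_address(flow.dst) not in ICS_NETWORK:
        return "DNS query to a resolver outside the ICS"
    if flow.proto == "udp" and flow.dport == DHCP_SERVER_PORT:
        return "DHCP request from a device the baseline never saw using DHCP"
    return "communication relation outside the learned baseline"


def detect(learning, observed):
    """Apply the learned baseline to later traffic; return (flow, reason) pairs."""
    baseline = learn_baseline(learning)
    alerts = []
    for flow in observed:
        reason = classify(flow, baseline)
        if reason is not None:
            alerts.append((flow, reason))
    return alerts


if __name__ == "__main__":
    for flow, reason in detect(LEARNING_WINDOW, OBSERVED):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport} ({flow.nbytes} B): {reason}")
```

Run as written, the 64-byte DNS query and the DHCP discover are reported while the 2.1 GB backup is not: the decision rests only on whether the relation was part of the learned pattern, never on volume or on a list of known-bad indicators. A real deployment would learn its baseline from live traffic over a longer period and key on more than a four-tuple (protocol function codes, timing, payload structure), but the principle is the one the text describes.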
More examples of disruption vectors in ICS can be found in our current white paper »Making Disruptions in Networked Production Transparent - Identifying Technical Faults and Cyberattacks in Industry 4.0 before Operating is Disturbed« (currently available in German only).
Rhebo is a German technology company that specializes in ensuring the operational reliability of industrial control systems by monitoring control communications. Rhebo provides hardware, software and services to secure networked industrial control systems and critical infrastructures as well as to increase productivity.
Rhebo is listed as one of the top 30 providers for industrial security in Gartner’s »Market Guide for Operational Technology Security 2017«. The company is a member of TeleTrusT – IT Security Association Germany.