Saudi Aramco admitted that about 30,000 computers had been infected with malware known as Shamoon. They were quick to point out that “its primary enterprise systems of hydrocarbon exploration and production were unaffected as they operate on isolated network systems. Production plants were also fully operational as these control systems are also isolated.”
If true, this is actually quite impressive, more on this later, and it provides a good chance to review emergency ICS isolation.
We always recommend owner/operator clients have a set procedure for physically disconnecting the SCADA or DCS (Purdue/ISA-95 Model Level 2) from the corporate network (Level 4) and increased restrictions on connecting laptops or USB drives to the SCADA or DCS.
- What are the typical conditions that warrant a disconnection? (a security incident on the corporate network is one)
- Who decides when the physical disconnect takes place?
- Who decides when the physical connection can be reestablished?
The Aramco incident raises another key ICS security point: nothing required for operation of the process should be on the corporate network. Most operations team agree with this from the start, but all too often we find monitoring systems relied on by the control center or even systems capable of control on the corporate network. In the later case, it is usually a system on the corporate network that is used only for non-essential monitoring but is capable of control. Of course, attackers may not self-limit themselves to monitor only.
Now back to the impressive claim of the Aramco’s ICS being unaffected. First, they likely mean isolated in the sense of restricted and minimal connections rather than no communication. One of the definitions of isolation is minimal contact so the statement would be accurate. That said, Aramco’s ICS are almost certainly in a separate zone with a firewall creating the security perimeter.
Most, but certainly not all, organizations do not allow the file sharing ports through the ICS security perimeter, and thankfully I have yet to see a SCADA or DCS that allows inbound email. So the firewall should have done its job of protecting the ICS from Shamoon on the corporate network. However at the time all these computers were getting wiped, Shamoon was an unknown attack that should have triggered the complete ICS isolation.
Even if firewall blocked all Shamoon infected systems, a laptop infected on corporate network and then connected to the SCADA or DCS could have caused Shamoon to spread. ICS are notorious for numerous, wide open network shares — since vendors treat this as an implicitly secure network. This is another good example of why you should have dedicated engineering laptops that never get connected to corporate network or the Internet.
Finally, there are many instances when SCADA and DCS have malware incidents that don’t have an appreciable affect on operations — a bullet dodged. Sometimes the malware lingers for years and is mistakenly accepted because it isn’t causing an impact and it’s hard to clean the pesky worm. It’s possible that Shamoon did infect some ICS computers and still the Saudi Aramco statement would be accurate.
Image by Cake Girl by Hyeyoung Kim