Some of the more startling revelations were:
- A program to systematically penetrate and map air-gapped systems;
- Malware operating at the firmware level that enabled the discovery of encryption keys and attacks on encryption, and that could remain in place through an operating system reinstall;
- Malware that replaced hard-drive firmware to create a hidden storage area on the disk that survived drive reformatting;
- Some of this malware has existed since around 2001 and has gone undetected until now.
What is new in this report is the extent to which these tools were aimed at non-IT assets. Much of the report details efforts to penetrate air-gapped systems and other industrial control and critical infrastructure systems.
These findings raise some interesting, and troubling, questions for the cybersecurity industry, and specifically for those of us developing the systems used in industrial automation, factory control and other critical operations. Chief among them: what are we doing to protect our systems?
Cyber warfare: a harsh reality
Even if we accept the implication that the malware discovered by Kaspersky Labs was created by the NSA, that does not imply that the critical infrastructure systems within the US and our ally nations are safe from attack. There is little doubt that China, Russia, and Iran have large, dedicated and active cyberwarfare groups. If the US has developed sophisticated cyberwarfare technology, there is little doubt that other countries either already have or soon will develop comparable technology.
Much of the technology described in the report from Kaspersky Labs is more than a decade old. Even if other countries are a decade behind the US, which is unlikely, they would by now have equivalent technology to infiltrate air-gapped systems, discover encryption keys, and remain undetected by standard security technologies.
Anyone building industrial control systems, or critical infrastructure devices must take a new look at security.
Air-gaps are a myth. Not only did the Kaspersky report detail methods to compromise them (removable media being the obvious bridge), many customers fail to maintain a strict air-gap in practice. Insider threats must be considered as well. Hardware-enabled secure boot is a requirement: a root of trust that lives in hardware, signed firmware images, and an anti-rollback check so that an attacker cannot simply reinstall an older, vulnerable but validly signed image. Note that secure boot on the host does nothing for the firmware of peripherals such as hard drives, which is precisely where the reported malware hid; those components need their own signed-update story. Security by obscurity must be abandoned as the relic that it is. The investment must be made to build security into the foundations of every device being utilized within critical infrastructure.
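To make the secure-boot requirement concrete, here is an added example (written for this page, not code from the Kaspersky report or from any vendor's boot ROM) of the check a boot ROM performs before handing control to a firmware image: verify the image's signature against a public key that is assumed to be burned into hardware, then refuse any image whose version is below the device's anti-rollback counter. The image layout, the field names and the use of Ed25519 over a SHA-256 digest are assumptions for illustration; a real boot ROM would read the image from flash and the counter from a one-time-programmable fuse rather than from function arguments.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is an assumed on-flash layout: a monotonically increasing
// version, the code payload, and a signature over both.
type FirmwareImage struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version below anti-rollback counter")
)

// digest binds the version to the payload so that an attacker cannot
// pair an old signed payload with a forged, higher version number.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// GenerateRootKey stands in for the OEM signing key. The public half is
// what would be fused into the device; the private half never leaves the
// signing service.
func GenerateRootKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage is the build-side step: sign (version || payload).
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version: version,
		Payload: payload,
		Sig:     ed25519.Sign(priv, digest(version, payload)),
	}
}

// VerifyImage is the boot-ROM-side step. Order matters: the signature is
// checked first so that the version field is only trusted once it is
// known to have been signed by the root key.
func VerifyImage(rootPub ed25519.PublicKey, minVersion uint32, img FirmwareImage) error {
	if !ed25519.Verify(rootPub, digest(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	if img.Version < minVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, err := GenerateRootKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample images; the device's fused counter is 2.
	current := SignImage(priv, 2, []byte("constructed firmware v2"))
	old := SignImage(priv, 1, []byte("constructed firmware v1"))
	tampered := SignImage(priv, 2, []byte("constructed firmware v2"))
	tampered.Payload[0] ^= 0xff // simulate an implant patching the image in flash

	fmt.Println("current :", VerifyImage(pub, 2, current))
	fmt.Println("old     :", VerifyImage(pub, 2, old))
	fmt.Println("tampered:", VerifyImage(pub, 2, tampered))
}
```

The three cases in `main` are the ones a practitioner should test on any secure-boot implementation: a valid current image boots, a validly signed but older image is refused, and a single flipped byte in an otherwise valid image is refused. If the version check ran before the signature check, an unsigned image could still influence control flow through its version field; keeping the signature first closes that gap.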