In late 2012, there was a severe, targeted malware cyber-attack on a number of oil & gas facilities using what became known as the Shamoon virus. This Windows-based malware differed from other types of attacks, which typically involved attempting to steal money or information, in that it was designed to aggressively seek paths across networks, seizing any hard disks it might find, wiping out all information, and rendering the hardware useless.
This attack was known for years as the “biggest hack in history,” although of course that dubious honor was bound to be overshadowed at some point. In addition to forcing the oil & gas companies to buy thousands of new hard drives for all of the corrupted machines, the attack led them to disconnect all of their operational systems from external connections in an attempt to limit the damage.
However, once they managed to get up and running again, they quickly realized that they needed a way to safely and securely restore business continuity (data flow) between their plant operations and their corporate networks.
The affected organizations had three primary requirements for resuming business continuity:
- Implement a method for secure remote monitoring – data sent outside the plant network, so external business users can access the data for analytics and maintenance.
- Ensure that only “known and trusted” monitoring data would be allowed out of the plants into the central corporate network.
- Segment and isolate the plant network from all external access – no network connection or data transfer allowed into the plant.
Software firewalls were not sufficiently secure to meet the absolute segmentation requirements to isolate the plant network as they are inherently two-way communication devices. Even if they are configured to be one-way, they can be hacked and/or reconfigured again to operate in a two-way manner. In fact, there were already firewalls in place when the first attacks occurred.
However, data diodes are physically enforced with a hardware-based security mechanism: light travelling one-way from an LED to a photo receiver. Authorized data travels one way – for remote monitoring – but not in the other. Neither changes to the security policy nor software reconfiguration nor hacking/malware can cause a non-existent hardware component to appear. This is why they made for the ideal solution to this cybersecurity problem.
In addition, Owl’s data diode solutions implement a non-routable protocol break between the networks. No data moving across the diode solution carries source or destination IP addresses in its packet header. This removes the threat posed by some zero-day attacks, because self-propagating malware cannot traverse the Owl diodes. This security feature ensures that the source and destination network IP addresses are not known to each other, providing 100% confidentiality between the networks.
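To make the protocol break and the one-way constraint concrete, here is an added simulation (not Owl’s code or its real wire format): plant-side monitoring records are serialized into self-contained frames with no source or destination addresses, and the corporate-side receiver, having no return path, cannot acknowledge or request retransmission, so it must detect lost or damaged frames on its own. The frame layout, tag names and readings are constructed for this example.

```python
# Added illustration (not Owl's code): a one-way transfer with a protocol break.
# Frames carry a sequence number, length, payload and CRC, but no source or
# destination IP addresses, and the receiving side has no return path, so it
# cannot acknowledge or request retransmission; it must detect loss itself.
# The frame layout and names are assumptions made for this example.
import json
import struct
import zlib

MAGIC = b"DIOD"  # constructed frame marker, not a real protocol value

def build_frame(seq: int, record: dict) -> bytes:
    """Frame = magic | seq (u32) | length (u32) | payload | crc32."""
    payload = json.dumps(record, sort_keys=True).encode()
    header = MAGIC + struct.pack(">II", seq, len(payload))
    return header + payload + struct.pack(">I", zlib.crc32(header + payload))

def parse_frame(frame: bytes):
    """Return (seq, record), or None if the frame is truncated or damaged."""
    if len(frame) < 16 or frame[:4] != MAGIC:
        return None
    seq, length = struct.unpack(">II", frame[4:12])
    body, crc_bytes = frame[12:12 + length], frame[12 + length:16 + length]
    if len(body) != length or len(crc_bytes) != 4:
        return None
    if struct.unpack(">I", crc_bytes)[0] != zlib.crc32(frame[:12 + length]):
        return None
    return seq, json.loads(body.decode())

class DiodeReceiver:
    """Corporate-side consumer. With no path back into the plant there is no
    ACK or NACK, so gaps are recorded from sequence numbers for an operator."""
    def __init__(self):
        self.records, self.missing, self._expected = [], [], 0

    def ingest(self, frame: bytes) -> bool:
        parsed = parse_frame(frame)
        if parsed is None:
            return False  # corrupt frame dropped; a resend cannot be requested
        seq, record = parsed
        if seq > self._expected:
            self.missing.extend(range(self._expected, seq))
        self._expected = seq + 1
        self.records.append(record)
        return True

def simulate(lost: set) -> DiodeReceiver:
    """Push five constructed historian-style readings; drop those in `lost`."""
    rx = DiodeReceiver()
    for seq in range(5):
        frame = build_frame(seq, {"tag": "PUMP01.PRESSURE", "value": 100.0 + seq})
        if seq not in lost:
            rx.ingest(frame)
    return rx
```

In a real deployment the same consequence shows up as the need for one-way-friendly transports (sequence numbers, redundancy or forward error correction) in place of TCP's handshake and retransmission.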
Data diodes could allow the plant operators to transfer a variety of data types out of the secured plant network, including files, Syslog and Modbus, SNMP trap data and emails, HMI screen replication, OPC data, and historian database replication, such as OSIsoft, GE, Yokogawa, Honeywell and others. The company could then use this data in their corporate network for business continuity, including any number of analytics, performance monitoring, alarms/alerts, physical security/video, and other uses.
Today in the Middle East region, data diodes are deployed not only in oil and gas, but in desalination water facilities, power generation sites, petrochemical operations, and various government agencies. Since the Shamoon virus attacks in 2012 (and again in 2016 and 2017), data diodes have been trusted and deployed by many asset owners at hundreds of sites in the region.
With the continuing threats of malware and cyber-attacks, Owl continues to work with asset owners to secure their critical infrastructure and help to prevent such a devastating attack from ever happening again in any organization.
Thank you for reading this post. As part of the DHS Cybersecurity Awareness Month campaign, we are opening the conversation and would like to hear about the challenges you are facing in your efforts to become more cybersecurity ready. Get in touch or chat with us on Twitter via #SecureTogether.
About The Author
Dennis Lanahan is the Director of International Sales at Owl Cyber Defense. Dennis brings an extensive and rich experience in cybersecurity in Europe and the Middle East regions. His deep understanding of the geo-political situations and threat landscape provides an unmatched benefit to customers in assessing cybersecurity risks in their organizations.