Triconex isn't a watershed moment... it's just one more forgettable attack
The media is quick to cry out about the TRITON attack at Triconex, calling it a “watershed moment” for cyber security. Nonsense. Remember Stuxnet? Whatever happened with that? Did we stop using off-the-shelf Windows for critical infrastructure? Did we stop transferring files to airgapped machines using USB drives? Did we stop hard-coding default passwords? Did we start monitoring communications between PLCs and their controllers? Hell, did we even take a second to try to understand what the normal operations for our critical IT infrastructure looked like?
Or how about CryptoLocker? How do we measure the money and man-hours lost due to an encrypted drive that needs to be rebuilt? How many of us went out and set up Time Machine, Crashplan, iCloud backups, tape drives, anything after ransomware came out? How many of us back up every single machine? How many organizations still run their NAS on Windows and connect to it from Windows, providing the perfect vector for the spread of worms?
WannaCry. 200,000 victims. The NSA discovered an exploit but kept it to itself instead of letting Microsoft know so they could patch. The consequence was 200,000 victims of WannaCry, and hundreds of hours of paid consulting work for people like me (thanks for the nice Christmas bonus!) cleaning it all up. And once it was done, you had… a few more rules in your SIEM. A new IPS signature. And you feel safe because it hasn’t come back, right?
Then Petya. The same god damned thing as WannaCry, the attack you all feel safe from now because you paid hundreds of thousands of dollars to “fix it”. And you’re strung out in the cold again because of a new attack that was “totally unpreventable”. Then NotPetya, after you were all trained to pay the ransom and check the box in your business continuity plan like good little victims… **surprise!** NotPetya doesn’t actually decrypt your files after you pay! Suckers!
Again, the attacks came through Windows. But Mac is too expensive, and Linux is too hard to use, right? If I just ignore every other option that exists, I can pretend there are no other options. There’s absolutely nothing we can do to stop it. Just accept that you’re already dead, because it’s slightly more convenient, and besides, IT infrastructure is a sport, right? Gotta root for your favorite team!
Bu-bu-bu-but Target! Aaaaaand.. Home Depot! But Equifax!
All changed nothing in the security world. Cards are still getting skimmed. Payment machines are still running on Windows. Equifax had their incident response website breached while the incident they were responding to was still happening, and then they got breached again after that.
So why the hell would anyone call TRITON a “watershed moment”? What exactly is so different about this one? What makes us change if all these recent attacks haven’t? Because it’s a nation-state? So was Stuxnet and Flame and Duqu. No one gave a shit. Because it shut down critical control systems? Anyone remember the 2015 attacks that shut down the power grid in Ukraine? No? That’s okay, it was apparently so forgettable that Wikipedia doesn’t even list the name of the malware, BlackEnergy.
You want to know why TRITON will be forgotten? Why it’s as far from a “watershed moment” as you can get? Because all of those other attacks happened and nothing changed. Nothing happened. We’re still doing exactly what we did before, only now we’re giving more money to security consultants who write rules looking for exactly that one attack, and when the next one happens and it’s slightly different, we all lose our collective shit because “no one could foresee this happening!”
What will it take to reach the real “watershed moment”? Deaths. Not just one, likely multiple. And not just any deaths. Media-friendly deaths. Something we can all relate to. The headline will read “Hackers holding daycare hostage after pwning their IoT smart locks”, and the nation watches in fear as the timer for the ransom ticks down. All streamed live to your Android 2.3 phone, because “iPhone sux lolol” but Samsung never released an update after you were locked into a two-year contract.
Then, and only then, will anyone care about preventing cyber attacks before they happen.