What is a zero-day cyber attack?

The name sounds sinister because it is a hacker's dream: a secret vulnerability that has no specific defense.

04/11/2014


One of the terms you will hear with regularity if you follow cyber security issues is a zero-day attack or a zero-day vulnerability. The name sounds scary, and it should. It designates an exploitable vulnerability that an attacker has found in a network or product and that nobody responsible for defending the system knows about.

If Microsoft learns of a vulnerability related to Windows, the company will begin finding ways that the program code can be changed or patched to eliminate the problem. In the meantime, it may publicize the vulnerability so users can determine if they are at risk and set up other defenses until the problem is patched. Until the problem is recognized and users are informed, hackers can make use of the vulnerability. The term itself refers to the fact that the defenders have had zero days to develop a solution.

Here's a nontechnical example: Let's say many of the electrical cabinets and strategic pieces of equipment in your plant are secured with combination padlocks from Whizzo Lock Company. That company has a good reputation, or at least that's what you believe, so you trust that those locks are effective protection.

But let's say some clever individual with criminal leanings begins to study those locks, going so far as to buy the same model and dissect it. For the sake of the illustration, he discovers to his amazement that all those locks have a built-in master combination in addition to the normal combination. Whizzo designed them so that company service people can open any lock by using this secret combination. Users aren't aware of this capability and therefore do not try to defend against it, as the company only lets a very select group of people know about it. This is analogous to a PLC with a hard-coded user name and password that have been built into the device but not included in the documentation, effectively a special "back door" for servicing.

Or, as a second possibility, let's say the criminal analyst looks at a group of locks and discovers that the serial number actually gives the combination if you know how to decode it. So if someone trying to break in can get to the lock and read the number, he can put it in a calculator, multiply it by the secret factor and get the combination. Again, this is something the company doesn't tell the general public, for obvious reasons. This is analogous to a server with a hard-coded password that can be derived from the MAC address.

As a third possibility, maybe there is a mechanical weakness that he discovers. After looking at the insides, he finds that the lock can be pried open with a crowbar without too much trouble when the dial is set at 39. This was not intentional; it's just a small design flaw that the manufacturer didn't realize. This is analogous to a programming flaw or hardware peculiarity that allows a hacker to break in or otherwise cause mischief.

There are other attack vectors that aren't strictly zero-day but can get the job done. As a fourth possibility, perhaps the user company buys the locks with all the combinations the same so workers don't have to remember more than one. The criminal watches eBay and buys a piece of equipment sold by the company as surplus with the lock still in place and gets the combination that way. This is analogous to facilities selling used PLCs or other equipment with programming, data, and passwords still intact. This is a very common practice, unfortunately.

All of these represent specific weaknesses that have been found in various types of industrial networking hardware and devices, or user practices. If the criminal is aware of them but the users are not, that is effectively a zero-day situation.

This brings up a larger issue related to security that we have discussed in other contexts. As Matt Luallen discussed in July's cover story on problems related to mobile computing, all defensive measures require some measure of trust. If that trust fails, the defensive measure does not give the protection it is supposed to give. If enough of the defensive measures fail, the bad guy gets the run of the network. When a measure fails because of a zero-day vulnerability, you won't know how he got through your defenses. You can take some comfort in the fact that once those problems are identified, usually after somebody else gets hacked, users can take appropriate measures, or at least they should, before they suffer the same fate. Unfortunately, vulnerabilities that are uncovered but not fixed continue to provide attack vectors.

Peter Welander is a content manager for Control Engineering. Reach him at pwelander@cfemedia.com 

This article originally appeared in the August 2012 Control Engineering issue.




Anonymous , 04/21/14 05:38 PM:

Nice information, congratulations