What is a zero-day cyber attack?

The name sounds sinister because it’s a hacker’s dream, a secret vulnerability that has no specific defense.

04/11/2014


One of the terms you will hear with regularity if you follow cyber security issues is a zero-day attack or a zero-day vulnerability. The name sounds scary, and it should. It designates an exploitable vulnerability in a network or product that an attacker has found but that the people responsible for defending the system do not yet know about. A zero-day attack is one that exploits such a vulnerability.

If Microsoft learns of a vulnerability in Windows, the company will begin finding ways to change or patch the program code to eliminate the problem. In the meantime, it may publicize the vulnerability so users can determine whether they are at risk and set up other defenses until the problem is patched. Until the problem is recognized and users are informed, attackers can make use of the vulnerability unopposed. The term "zero-day" refers to this window: the defenders have had zero days to develop a solution.

Here's a nontechnical example: Let's say many of the electrical cabinets and strategic pieces of equipment in your plant are secured with combination padlocks from Whizzo Lock Company. That company has a good reputation, or at least that's what you believe, so you trust that those locks are effective protection.

But let's say some clever individual with criminal leanings begins to study those locks, going so far as to buy the same model and dissect it. For the sake of the illustration, he discovers to his amazement that all those locks have a built-in master combination in addition to the normal combination. Whizzo designed them so that company service people can open any lock by using this secret combination. Users aren't aware of this capability and therefore do not try to defend against it, because the company lets only a very select group of people know about it. This is analogous to a PLC with a hard-coded user name and password built into the device but left out of the documentation, effectively a special "back door" for servicing. Users cannot change or disable a credential they do not know exists.

Or, as a second possibility, let's say the criminal analyst looks at a group of locks and discovers that the serial number actually gives the combination if you know how to decode it. So if someone trying to break in can get to the lock and read the number, he can put it in a calculator, multiply it by the secret factor, and get the combination. Again, this is something the company doesn't tell the general public, for obvious reasons. This is analogous to a server or controller whose password is derived from its MAC address. The MAC address is not a secret: any device on the same network segment sees it in ordinary traffic, so once the derivation is known, the password is effectively public too.

As a third possibility, maybe there is a mechanical weakness that he discovers. After looking at the insides, he finds that the lock can be pried open with a crowbar without too much trouble when the dial is set at 39. This was not intentional; it's just a small design flaw that the manufacturer didn't realize. This is analogous to a programming flaw or hardware peculiarity that allows a hacker to break in or otherwise cause mischief.

There are other attack vectors that aren't strictly zero-day but can get the job done. As a fourth possibility, perhaps the user company buys the locks with all the combinations the same so workers don't have to remember more than one. The criminal watches eBay and buys a piece of equipment sold by the company as surplus with the lock still in place and gets the combination that way. This is analogous to facilities selling used PLCs or other equipment with programming, data, and passwords still intact. This is a very common practice, unfortunately.

All of these represent specific weaknesses that have been found in various types of industrial networking hardware and devices, or user practices. If the criminal is aware of them but the users are not, that is effectively a zero-day situation.
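The second possibility above, a combination that can be computed from the serial number and a password that can be computed from the MAC address, is worth seeing in code. The following is an added example written for this article, not code from the original piece or from any real vendor or product: the derivation, the "secret factor" constant, the fleet key and the MAC addresses are all hypothetical stand-ins for whatever undocumented scheme a device might use. It also goes one step beyond the text by showing that swapping the arithmetic for a keyed hash does not fix the design when the key is the same in every unit.

```python
"""Constructed example added to this article (not from the original page or
any real vendor): a password that is a deterministic function of a public
identifier, the way the padlock's combination was a function of its serial
number. The derivation, the constant, the key and the MAC addresses are
hypothetical stand-ins."""
import hashlib
import hmac
import secrets

# Hypothetical fleet-wide "secret factor" baked into every unit's firmware.
SECRET_FACTOR = 7919


def mac_to_int(mac: str) -> int:
    """Accept 00:1B:1B:12:34:56 or 00-1b-1b-12-34-56, any case."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def derived_password(mac: str) -> str:
    """Toy vendor scheme: low 24 bits of the MAC times a fixed factor,
    reduced to eight decimal digits. Looks random to a user who sees only
    the label; entirely predictable to anyone who knows the factor."""
    low24 = mac_to_int(mac) & 0xFFFFFF
    return f"{(low24 * SECRET_FACTOR) % 10**8:08d}"


def recover_password_from_wire(mac_seen_in_arp_reply: str) -> str:
    """An attacker on the same segment learns the MAC from an ARP reply or
    any sniffed frame and runs the same arithmetic. No guessing needed:
    this is literally the vendor's own function."""
    return derived_password(mac_seen_in_arp_reply)


def keyed_derivation(mac: str, fleet_key: bytes) -> str:
    """Replacing the multiplication with HMAC does not fix the design.
    The key is still identical in every unit, so extracting it from one
    device (firmware image, debug port) unlocks the whole fleet."""
    mac_bytes = mac_to_int(mac).to_bytes(6, "big")
    return hmac.new(fleet_key, mac_bytes, hashlib.sha256).hexdigest()[:12]


def compromised_fleet(macs, fleet_key_extracted_from_one_unit: bytes) -> dict:
    """Given one extracted key and the MACs of every unit (an ARP table
    walk collects them), return every unit's password."""
    return {m: keyed_derivation(m, fleet_key_extracted_from_one_unit)
            for m in macs}


def provision_random_password() -> str:
    """What the scheme should be: a per-device secret generated at
    provisioning and recorded in the asset inventory, not derivable from
    anything printed on the device or visible on the network."""
    return secrets.token_urlsafe(12)


if __name__ == "__main__":
    victim = "00:1B:1B:12:34:56"  # constructed address, not a real device
    print("vendor-derived password:", derived_password(victim))
    print("attacker recovers:      ", recover_password_from_wire(victim))
    print("random per-device:      ", provision_random_password())
```

The practical check this suggests: if a product's default credentials are described as "unique per device," ask how they are generated. If the answer is any function of the serial number, MAC address or another value printed on the unit or sent on the wire, treat those credentials as public and change them before the device is commissioned.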

This brings up a larger issue related to security that we have discussed in other contexts. As Matt Luallen discussed in July's cover story on problems related to mobile computing, all defensive measures require some measure of trust. If that trust fails, that defensive measure does not give the protection it is supposed to give. If enough of the defensive measures fail, the bad guy gets the run of the network. When the measure fails because of a zero-day vulnerability, you won't know how he got through your defenses. You can take some comfort in that once those problems are identified after somebody else gets hacked, users can take appropriate measures, or at least they should, before they suffer the same fate. Unfortunately, vulnerabilities that are uncovered but not fixed continue to provide attack vectors.

Peter Welander is a content manager for Control Engineering. Reach him at pwelander(at)cfemedia.com 

This article originally appeared in the August 2012 Control Engineering issue.
