Technological developments have brought automation, monitoring, and remote operation to the myriad systems our businesses, communities and nations rely on. But that same enhanced connectivity can also enable hostile groups or individuals to gain access, steal data, take control – or even shut down operations altogether. Any interruption has the potential to endanger lives and economies. Dr. Jan Noordhof gives us some serious food for thought.
Let’s start by looking at the nature of the threat. For example:
A cyber attack on December 23 caused a power outage in western Ukraine impacting 225,000 customers. The attackers remotely tripped breakers after installing malware, thereby bringing down the power grid. They also clogged the utility’s service center with spam calls to block genuine calls from affected customers.
2013, NEW YORK
Iranian hackers infiltrated the operations center of the Bowman Avenue Dam, a small flood control dam in New York, by means of a broadband cellular modem that connected the dam to the Internet. While the dam controls were not accessed, the facility was apparently targeted by a wider network scan for industrial control systems exposed to the Internet.
The Stuxnet computer worm penetrated an ICS at the Natanz Iranian nuclear facility via a portable USB drive. It infected the Siemens Simatic S7 programmable logic controllers that managed the centrifuges used for fuel enrichment, speeding them up until they self-destructed.
2005, UNITED STATES
A report for the Idaho National Laboratory (a US Department of Energy National Laboratory) detailed 120 cyber security attacks on US control systems*.
An incident report recently issued by a US government agency tasked with tracking ICS security threats in the US noted the trend from 2010-2015:
In the US and elsewhere, it is likely that many cyber attacks go unreported, which would make the upward trend in security incidents significantly steeper.
WHAT IS AN INDUSTRIAL CONTROL SYSTEM?
An industrial control system monitors and controls a set of industrial equipment. You might find an ICS controlling an electricity distribution network, a field of oil rigs, refinery processing equipment, or a factory assembly line.
Data (meter readings, status reports) are sent from a remote or local site to a control center where – by human or automatic intervention – commands can be sent back to change the operation of the physical equipment. As well as being remotely monitored and controlled, operation can be modified, turned on, or off.
Some dangerous assumptions
Facing up to cyber attacks is an ongoing, and constantly evolving challenge. To assume that a security retrofit is good enough, fails to grasp the complexity and dynamic nature of security. In particular, legacy equipment is responsible for some dangerous assumptions, which blind operators to the vulnerability of their systems.
X An ICS is safe if it is not connected to the Internet.
X Attacks come from outside the ICS rather than inside.
X Firewalls will protect an ICS from all attacks.
X The proprietary communications protocols used by an ICS can help protect it.
X Cyber attacks are generally targeted, so a low-profile ICS will not be targeted.
X Security can be retrofitted to an ICS on an “as required” basis.
The Stuxnet attack on the Iranian centrifuges knocks over the first four assumptions, since the Iranian ICS was not connected to the Internet, and had military grade firewalls. (The attack vector was an infected USB drive plugged into a workstation within the ICS, which targeted the proprietary Siemens PLC.)
And the Bowman Avenue Dam event upsets the fifth assumption as the hackers apparently did not specifically target the facility, but picked it up in a wider network scan for unprotected Internet-connected ICS.
The assumption that security can be simply retrofitted to existing ICS is dangerous because it contains an element of truth that can mislead an ICS operator to think that they have done enough to protect their system. Any extra security is better than none, but security improvements that can be retrofitted are severely constrained by the limitations of legacy equipment, and may not even meet regulatory requirements. They will provide far less protection than security that has been designed into the ICS from the start.
The only assumption you can safely make is that your network is not safe.
What makes an ICS vulnerable?
For years, security experts have been sounding alarms about susceptibility to attacks. Here are five vulnerabilities that operators must be aware of:
- Mandated network performance
Many of the devices or facilities managed by an ICS should run without interruption – with strong economic or regulatory penalties to discourage operational downtime. So maintenance tasks or upgrade installations which might interrupt operation become a major issue. Retrofitting security, applying firmware patches and updates, or replacing legacy equipment can fall into the ‘too hard’ category.
- Legacy equipment
Early industrial control systems were designed for reliability rather than security, since there was no Internet to complicate the picture. Even modern, IP-ready field equipment or web-based control center applications may still be connected to a SCADA or DCS system that are decades old. Created in the pre-history of security, components had no built-in security or communications protocols, interfaces were unprotected, and all users were assumed to be authorized. And monolithic network architecture ensured that there were no security checks to impede transmissions.
- Reliability vs security
With the development of computer networking, ICS operators took advantage of the better performance, increased reliability, and reduced costs of interconnected sub-networks. Unfortunately, security innovation was left behind: components were insecure, protocols were mainly clear text, and authentication of users and applications was weak. The design goals were more concerned with reliability and cost reduction than with security. This might be described as ‘insecure-by-design’.
- Deliberate hacking and intrusion
A large, expert and active hacking community directs its efforts to exposing and exploiting flaws in operating systems and architectures. Hacks of popular operating systems commonly used in ICS and corporate workstations (such as Windows or Linux), or cell phone operating systems (such as Android) are constantly in the news. But even a proprietary operating system on a SCADA/ICS controller is at risk, allowing an intruder to enter via a maintenance laptop.
- Failure to maintain
Corporate policies and regulatory controls may ‘freeze’ an ICS when it is first commissioned and certified, making patching and updating vulnerable operating systems all but impossible.
It is difficult to retrofit security onto a design which is unprotected at so many levels. If you consider all the hardware, software, network, and physical vulnerabilities of a system (its ‘attack surface’), it becomes clear that only a complete redesign from the ground up will secure the ICS from known threats. That is why assistance from experienced security professionals is critical, to combat the many different types of attack that can be launched against an ICS.
*R.J. Turk ‘Cyber Incidents involving Control Systems’, Document INL/EXT-05-00671 October 2005
And if you like our articles, subscribe to Connection to be the first to know when new issues are released!