vol 9, issue 8

Industrial control systems and SCADA cyber-security

11 August 2014
By Dr Richard Piggin
Share |
Natanz uranium enrichment plant, south of Tehran

Former Iranian President Mahmoud Ahmadinejad touring a centrifuge facility at the Natanz uranium enrichment plant

Iranian nuclear plant, Bushehr

Tight physical security at Iranian nuclear plants is no sure protection against malware that targets such facilities

Hackers are now directing their activities toward the technology commonly found in power stations, factories and other infrastructural facilities. Engineers tasked with managing these systems must understand the rising risk, and ensure that safeguards are implemented.

Awareness of the cyber-security risks inherent in industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) systems has been growing since Stuxnet, the first publicly-known malware to specifically target these classes of technology, first appeared in June 2010.

The 'reconnaissance' malware launched by Energetic Bear group (aka 'Dragonfly'), just over four years later, highlighted the continuing business risk to engineers, technologists and (potentially) executive boards responsible for the management of a broad range of facilities using ICSs.

Malware is being developed that targets ICSs; more alarming still is the fact that this malware has been delivered by 'legitimate' means – ie, vendor updates via their website – so it is programmed to obtain information about ICSs. Without reconnaissance, it is difficult for a cyber-threat to stage an attack: the importance of protecting plant information cannot be over-stated.

Stuxnet's intention was to sabotage operational industrial plant – not disrupt abstract IT systems. No-one has claimed responsibility for originating Stuxnet; there has been speculation that it was developed by nation states to attack Iran's facilities – a 2011 New York Times report suggested that it 'wiped-out' around 25 per cent of Iran's nuclear centrifuges and helped delay the country's ability to make nuclear arms – but other countries' facilities were also infected.

Stuxnet highlighted that ICS types were vulnerable to attack. Organisations would be wrong, however, to base their potential threats on Stuxnet alone. Automation components are generic, so less-sophisticated attacks could use similar techniques to make attacks scalable. Stuxnet variants have also been identified. The Havex.A RAT 'reconnaissance piece' – explained elsewhere in this article – might be an early indication of new Stuxnet-inspired attacks.

New threats come in the wake of investigative research carried out earlier this year by consultancy firm Atkins, which discovered that data is being made available from various mainstream online media that – theoretically – could be used by hackers to inform attacks on a range of ICSs and SCADA-based platforms. Atkins wanted to understand what ICS/SCADA information found in the public domain could be used to target control systems and to assess the remedial actions organisations might take to improve security in ICS domains.

The findings brought new emphasis to the fact that hackers and other cyber-threats are increasingly turning their attention to the ICSs and what is being termed operational technology (OT) running much of the enabling computer technology that factories, assembly lines, industrial plants, and utilities (ie, power, gas, water), now rely on.

Aside from information that might advertently or inadvertently be published into the public domain about ICSs and their vulnerabilities, probably the most alarming discloser of ICS equipment is the Shodan website. This is a search engine for Internet-facing devices: Shodan interrogates connected devices and catalogues the response from a device, known as a 'banner'. The equipment banner information is then indexed; device-specific searches can be filtered by port, hostname and/or country.

Hacking the humans

According to cyber threat intelligence firm iSightpartners, since at least 2001 Iranian hacker groups have been engaged in a 'creative' social media campaign aimed at high-ranking USA and Israeli defence, diplomatic and other officials. Targets were lured to fake websites through an elaborate social media network that features a bogus news site called NewsOnAir.org. The cyber-espionage operation – 'Newcaster' – used social media to engage with targets, building trust with fake relationships with friends, family and colleagues in order to compromise email accounts. Victims were then sent spear-phishing emails with links to spoof webmail login pages to steal account credentials.

No matter how thorough an organisation's awareness of potential risks, and how diligently its safeguards are applied, personnel – including third-party staffers and contractors – can still constitute a weak link; but weaknesses can be converted into defence. Effective security can become cultural, like safety considerations. However, while we understand system safety, system cyber-security is more difficult and less tangible. Yet organisations can do more to highlight the risks and the right behaviours. More sophisticated attacks may be initiated by 'spear phishing' (eg, artfully-crafted emails directing victims to download malware). Risks of information leakage, inappropriate social media use and circumventing security policies and procedures can be reduced with suitable education. One-third of manufacturing organisations were affected by at least one targeted spear-phishing attack in 2013, according to security vendor Symantec. Education and straight forward reporting can help.

System vulnerabilities, hacking tools and so-called 'script kiddies' (unskilled individuals using third-party scripts or programs developed to attack computer systems, networks and specifically ICSs), represent an escalating threat. The technical knowledge required to launch an attack has fallen due to the availability of 'off-the-shelf' hacking tools. Vulnerabilities are more understood due to increased reporting, the emergence of 'ICS security research exploits' and heightened media coverage.

There are features of ICSs that constitute security weaknesses. These include the inherent trust associated with system components when communicating with other control system elements. The prime one is the 'automation Lego' of generic components designed to be easily integrated, programmed and configured: it doesn't need to be have vulnerabilities exploited – it just has to be reprogrammed.

The Energetic Bear attack

Download the full Energetic Bear attack infographic, featuring further information and a timeline of events

 

It is a legal requirement to risk-assess ICSs and design them to avoid safety failures. Whether these established risk-assessments extend to ICS cyber security is less easy to ascertain. Even where control systems suffer a security breach, research has shown that safety functions have not been compromised; but a nuisance shutdown may occur that impacts on operations, and might also have financial and contractual implications.

Reasons for a shutdown may not be readily discernible. Instances of ICS/SCADA devices being in some way compromised might not be immediately evident to operators or engineers, as the systems were probably not implemented with suitably-granular diagnostics or forensic capability.

Gauging the level of risk to an ICS means understanding the application and physical process under control. Non-availability could be significant, as indeed could the opposite: unexpected operation. Understanding the threat agent, their motivation and their capability, is another key consideration: second-guessing their motivation might give clue to the sophistication of future activity and the defences required.

Most control systems engineers are now aware of the potential impact of safety incidents, which may include damage to equipment, environmental damage, injury to persons and even fatalities. Potential consequences for the failure of ICS systems are known, and often widely reported.

So it's important to bear in mind that a range of factors – and not just malicious intent – can affect ICS security. This demonstrates the challenges facing the organisations that rely on them. Taking steps to address ICS cyber-security should improve control system resilience to other adverse incidents, reducing unplanned downtime and facilitating a more rapid return to business-as-usual following an incident.

Prelude to a sophisticated attack?

Malware that was detected in July 2014 targets ICSs in the European Energy sector. The malware was distributed by phishing emails with PDF attachments to selected employees, industry websites (known as a 'watering hole' attack) and via compromised software updates on three legitimate ICS vendor websites. This variant of the Havex.A Remote Access Trojan (RAT) is targeted specifically at ICSs, although previous versions have been used against the defence and aerospace sectors, with 88 variants discovered.

Internet security solutions provider F'Secure revealed that the RAT has been adapted for intelligence gathering of ICSs, enumerating networks and specifically searching for Open Platform Communications (OPC) servers. The OPC Foundation renamed the protocol Object Linking and Embedding (OLE) for Process Control (OPC). Such servers are used for real'time data communications between ICS/SCADA devices from different vendors. A large number of (mostly) European Energy organisations have reportedly been affected.

A notable feature of Havex is that one of the routes to infection is via compromised manufacturer software updates. The group behind the Trojan exploited vulnerabilities in the website content management software for command and control servers, hiding the Trojan in legitimate software installers available for download to customers in order to compromise ICSs/SCADA systems.

Crucially, one of the affected software updates is for secure remote access. Once the malware is installed, it communicates with one of the 146 command and control servers (the compromised Web servers) and downloads the ICS/SCADA 'sniffer' component. This demonstrates an intention to exploit and control ICS/SCADA systems, which is presently uncommon.

Previous extensive evidence of the Havex RAT has been attributed to the Russian Federation by security provider Crowdstrike's 'Global Threat Report 2013 Year in Review', suggesting the group responsible may have operated with sponsorship or knowledge of the Russian state. According to ICS-CERT, the Industrial Control System Computer Emergency Response Team based in the US, Havex uses an old version of OPC, 'OPC Classic'.

Research has shown that infected systems may crash causing OPC communications denial of service. The new OPC Unified Architecture does not use the Microsoft COM/DOM technology and is unaffected. Affected organisations are recommended to check their network logs for potential Havex activity and to secure their OPC servers.

Organisations have sought to optimise processes and reduce cost, using the opportunity afforded by the technology trend of convergence of control systems or OT on common IT technologies such as Ethernet, standard computer operating systems and wireless. However, this opportunity potentially carries increased risk as often formerly isolated control systems, including safety systems, are opened to the enterprise for business users – and thus potentially exposed to the Internet. Organisations are finding convergence demanding – and security of an ICS is often compromised.

ICSs have many characteristics that differ from traditional IT systems, including different risks and priorities. In many organisations, the business impact of an ICS incident is not assessed or considered alongside information assurance or safety risks. Executive boards don't always recognise the issue and it is often not articulated to them by those in the know.

The fact that the IT security and engineering communities do not often mix, share limited information and have differing perspectives and use different language, needs to be better understood. Few corporate boards have members with direct responsibility for cyber security, let alone an appreciation of ICS security and its nuances.

Good practice strategies outlined

So what are infrastructure operators, governments and academia doing about this threat? There has been work on providing guidance on ICS security which highlights the US National Institute of Standards and Technology (NIST) information about the potential malicious events that could affect a control system.

Governments are providing good practice guidance and information. In the UK, the Cyber-Security Information Sharing Partnership (CISP) was launched in March 2013. It is a joint, collaborative initiative between industry and government to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat – and therefore reduce the impact upon UK business.

Industry groups are sharing information and producing sector standards and progress plans. Standards such as IEC 62443 are being developed in this area, as are guides such as the forthcoming 'Cyber Security in the Built Environment Code of Practice' guidance from the Institution of Engineering and Technology (IET).

Good 'cyber hygiene' can reduce risk. A few steps are recommended to provide a good level of security. The recently launched UK Cyber Essentials Scheme from the UK Department for Business, Innovation and Skills and the Cabinet Office, concentrates on five controls against Internet-originated attacks. While not primarily aimed at ICSs, the recommended controls focus on access control, boundary firewalls and Internet gateways, malware protection, patch management, and secure configuration. 

Industry is developing specialist courses to develop skills and bridge the gap between ICS engineering/OT and IT, such as the Global Industrial Controls Systems Professional Certification (GICSP) from the SANS Institute. Conferences – such as the forthcoming IET System Safety and Cyber Security 2014 Conference (scheduled for 14-16 October 2014) – are an important step toward awareness-raising and peer education.

CPNI and EPSRC have just launched RITICS: Research Institute in Trustworthy Industrial Control Systems. This activity supports the UK's Cyber Security Strategy and the creation of research institutes. RITICS was created in January 2014 as a response to the growing need for improved cyber security for ICSs.

The UK Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides security advice to the national infrastructure. Specific SCADA advice is offered by the CPNI in a series of process control and SCADA security good practice guidelines.

Since the CPNI Good Practice Guides were published, there has been an increase in industrial cyber security guidance available. There are now a number of generic guides and resources for securing ICSs. They include: National Institute Standards and Technology (NIST) Special Publication 800-82, 'Guide to Industrial Control Systems Security' (www.csrc.nist.gov/publications/PubsSPs.html); IEC/TS 62443-1-1:2009, a technical specification which defines the terminology, concepts and models for Industrial Automation and Control Systems security – establishes basis for remaining standards in the IEC 62443 series (www.iec.ch); and the CPNI's 'Process control and SCADA security' good practice guidelines series (www.cpni.gov.uk/advice/cyber/scada).

Safety checklist

The operators of industrial control systems are responsible for their security. A basic checklist specifically for ICS operators might recommend that they should:

  • Undertake open-source searches to identify plant information, and take steps to mitigate accordingly
  • Restrict physical access to the ICS network and devices
  • Protect individual ICS components from exploitation, for example applying security patches after testing; disabling unused ports and services; restricting ICS user privileges; tracking and monitoring audit trails and using security controls such as antivirus software and file integrity checking software where feasible to prevent, deter, detect and mitigate malware)
  • Maintain functionality during adverse conditions: design ICSs so that critical components have redundancy. Component failures should not cause cascading events, such as unnecessary traffic on the ICS or other networks
  • Plan for system restoration after an incident. Incidents are inevitable and an incident response plan is a basic requirement
  • Review ICS security and training. As time progresses systems change, vulnerabilities are discovered, information is published and there is staff turnover.

Another ongoing requirement is to educate and share information on the evolving threat – this is why, its advocates say, UK organisations should participate in CISP. Vendors of control systems need to develop technologies to secure products; users should assess these and make their requirements known. ICS users need to implement appropriate security measures, including security functionality in existing equipment and harden systems. Ensuring appropriate governance and responsibility is another key element to implementing a programme that underpins business resilience.

Dr Richard Piggin CEng MIET is a security consultant at Atkins (www.atkinsglobal.com\ics-demo) and a UK expert to the IEC 62443 working group for the industrial automation and control systems security standard
Share |

Potential adverse consequences for ICS failures

Potential danger to staff, customers and the public

ICS systems control machinery and physical equipment, abnormal operation could endanger operators, customers and (potentially) the public.

Environmental damage

Damage to the environment by release of substances through hacking has occurred. Organisations will be liable for environmental damage caused by their systems’ malfunction. Incidents have shown that subsequent reputational damage is also likely to be a significant factor.

Financial loss

Any loss in production can have an impact through lost revenue.  Processes operating beyond tolerances can damage equipment and delay restart. Loss of service/supply or product non-conformance can leave an organisation liable to fines and prosecution.

Loss in shareholder value

IT incidents including loss of data have had dramatic impacts on shareholder value. Industrial accidents and the provision for fines and compensation have also had significant impacts, and can affect an organisation’s ability to retain and win new business.

Loss of control and inability to operate systems

In the event of control issues, systems may need to be shutdown to prevent damage and economic loss, or protect staff or even the public.

Loss of critical information

In regulated industries such as pharmaceutical this could result in loss of stock. In other industries the loss of data could disrupt operations and could include misappropriation of intellectual property, which has led to lost business, and company closures.

Production or service disruption

ICS incidents could affect an organisation’s ability to meet production schedules or maintain services. This could result in the loss of future business and/or penalty clause charges.

Reputational damage

Events resulting in widespread negative publicity have shown to adversely affect organisations, and can have a greater impact on business than the immediate financial loss incurred.

Unplanned downtime

Loss of system availability, even for unplanned maintenance, often results in immediate financial impact through lost production.

Industrial systems cyber-security incidents are escalating

2000: Vitek Boden, a former employee of Hunter Watertech, the automation supplier to Maroochy Shire, took control of the waste water management system. He hacked the system using industrial wireless and software on 46 occasions, releasing some 80,000 litres of sewage into local parks, rivers and the grounds of a hotel.

2003: The Davis-Besse nuclear power plant in Ohio, US, was infected with the Microsoft SQL ‘Slammer’ worm, which resulted in a five-hour loss of safety monitoring. It took a further six hours to restore systems. The worm was introduced via a compromised third-party network linked to the Davis-Besse corporate network.

2005: Several rounds of Internet Worm infections disabled 13 of DaimlerChrysler’s US automotive manufacturing plants offline for almost an hour. The Worm mainly affected Microsoft Windows 2000 systems, but also some early versions of Microsoft Windows XP, highlighting the IT system connectivity issues for ICSs. The worm caused the repeated shutdown and rebooting of computers. The Zotob Worm and its variations also caused outages at construction and mining equipment maker Caterpillar and airplane company Boeing.

2010: Stuxnet worm discovered – the first ICS worm used to attack the Iranian nuclear programme and other targets.

2011: Hack attacks on water utilities in the US widely reported, such as the Houston waste water intrusion by the hacker known as ‘pr0f’. pr0f claimed access to a human machine interface used by South Houston’s Water and Sewer personnel. The hacker claimed that the HMI targeted used a password that was just three characters long.

2011: Duqu reconnaissance malware discovered and software components are linked to Stuxnet. It used a previously unknown vulnerability in Microsoft Word to initially compromise computers. Duqu was a Trojan targeted at industrial control systems vendors in Europe in order to gather data including cryptographic keys used to authenticate software, for use in future attacks.

2012: Telvent attacked, allegedly, by a highly active Chinese group. Attackers installed malicious software and stole SCADA projects files. The target was the OASyS SCADA product used by energy and water companies to integrate control systems and networks to enterprise systems.

2013: The Syrian Electronic Army (SEA) hacks an Israeli SCADA System. SEA refuted claims to have attacked the Haifa municipal water SCADA. Fictitious claims can be used to conceal attacker methodology. It was, however, actually the irrigation control system of Kibbutz Sa’ar, near Nahariya. Screen shots show a date of the preceding year. Control of the irrigation system could affect crop yields or cause flooding.

2013: Drug traffickers caught hacking into Antwerp container management system to locate containers with hidden drugs. The attack commenced with malicious software being emailed to staff, allowing remote access. When this was discovered, the hackers broke into the premises and fitted computer-installed keyboard, video and mouse switches to enable remote access.

2013: Alleged Iranian proxy hacktivist group attacked the Haifa Camel Tunnels – the largest tunnels in Israel – initially targeting the camera systems, resulting in multiple closures over several days and causing significant lost revenue. The tunnel operator later blamed a ‘communication’s glitch’ for the tunnel closures.

2014: The Energetic Bear group, thought to be responsible for a reconnaissance malware designed to ‘discover’ SCADA systems, that was detected on 1 July 2014, has targeted energy facilities located mainly in Europe and North America.

Related forum discussions
forum comment To start a discussion topic about this article, please log in or register.    

Latest Issue

E&T cover image 1411

"This issue we honour a national hero, and the subject of Benedict Cumberbatch's latest film, codebreaker Alan Turing"

E&T jobs

E&T Marketplace

The essential source of engineering products and suppliers.

Subscribe

Choose the way you would like to access the latest news and developments in your field.

Subscribe to E&T