The media has been full of reports of cyber-attacks on critical infrastructure, but the fear is that there is far worse to come.
"We are at the beginning of a new and dangerous era of cyber warfare." That is the chilling warning from Mikko Hyppönen, chief research officer at Internet security company F-Secure.
Hyppönen believes that the days of the mischievous teen hacker can be consigned to the 1990s and that far darker motives drive the hackers of today, whether they are criminals, activists, terrorists or, more worryingly, state-sponsored groups.
A quick scan of recent headlines makes it difficult to disagree with that assessment, with a multitude of attacks reported on critical infrastructure. Top of the list when it comes to media attention is the Stuxnet virus. This has been the culprit in three high-profile instances of cyber terrorism – in Estonia, in Iran (on a nuclear facility) and in Saudi Arabia (on oil infrastructure).
Late last year hackers used the Shamoon worm to attack Saudi Aramco in an attempt to halt fuel production. Whilst the attack on a company that produces 10 per cent of the world's oil failed to stem the flow, it crippled the company's network and infected some 30,000 computers. The blame was laid firmly at the door of an activist group calling itself Cutting Sword of Justice. Although they failed to interfere with production, the organisation claimed to have accessed important documents that they threatened to leak at a future date. Earlier this year an American power plant was disabled by a malicious attack that was carried into its control system via a USB stick.
A public transportation system was the victim of an attack in 2008 when a Polish teenager hacked the control network and turned a Polish tram system into his own private, full-size train set. The 14-year-old modified a TV remote control so that it could be used to change points on the system. Four trams were derailed, though fortunately no one was killed.
Of course, the UK is not immune to such attacks. "On average over 30,000 malicious emails are blocked at the gateway to the government's secure Internet every month," Chloe Smith, minister for political and constitutional reform, revealed at this year's Infosec event. "These are likely to contain sophisticated malware, often sent by highly capable cyber criminals and state-sponsored groups."
In the UK government's national security strategy, cyber-attacks are categorised as a 'tier-one' threat to the country's national security, alongside international terrorism.
The UK Strategic Defence Review has allocated £650m over four years to establish a new National Security Programme that will work to identify and analyse attacks. The review also extended the role of the Centre for the Protection of National Infrastructure (CPNI). The CPNI works with the operators of essential services and with government departments to identify infrastructure at risk and help protect it.
Another vital cog in the UK anti-cyber arsenal is the fabled GCHQ. Although it is best known for its foreign intelligence role, it is perhaps not so widely known that GCHQ also has a clear security mission. Its precise mandate is "to provide advice and assistance about... cryptography and other matters relating to the protection of information and other material".
"My perspective on 'cyber' comes from bringing together both sides of GCHQ's mission: the intelligence mission illuminates some of the capabilities – and sometimes the intentions – of adversaries to use cyber techniques," Iain Lobban, director of GCHQ, recently said at the International Institute for Strategic Studies (IISS). "It allows us to detect some of their activities. And the information assurance mission gives us knowledge of where our own government and critical national infrastructure systems, and those of our Allies, may be vulnerable to cyber exploitation.
"It is true that we have seen worms cause significant disruption to government systems – both those targeted deliberately against us, and those picked up from the Internet accidentally. It is true that we have seen the use of cyber techniques by one nation on another to bring diplomatic or economic pressure to bear. Cyberspace lowers the bar for entry to the espionage game, both for states and for criminal actors.
"Much attention has been paid in the media to the potential for cyber-attacks to seriously disrupt critical national infrastructure. I would not wish to talk about the steps we take with the Security Service to reduce specific vulnerabilities. But the threat is a real and credible one. We already provide expert advice and incident response to the operators of critical services. We must continue to strengthen these capabilities and be swifter in our response, aiming to match the speed at which cyber events happen. We need to consider the value of receiving in return a direct feed of information from the operators with that same sort of timeliness so that we are aware of the attacks that they are seeing on their systems as they happen. Of course that would need to be in proportion to the threat faced. But such feeds could give us the opportunity to respond, if necessary, with some active defensive techniques, as well as to spread knowledge of the threat quickly to others who may be vulnerable. For me this points to a different sort of partnership between the national security agencies and the key industry players. Our systems will need to be more interconnected. And we may need to establish different financial models to underpin a national capability which will be both public and private."
Richard Piggin, security expert at Atkins Global, believes that cyber security means different things to different people, but fundamentally it is a term for the defences which shield computer systems from electronic attack. "These range from small-scale email scams right through to the state-sponsored disruption of the computer-based systems that run critical national infrastructure, infrastructure that includes the electricity grid as well as the water and transport networks," he says.
Critical national infrastructure – whether in power, water, sewerage, petroleum, pipelines or transport – relies on industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. Beyond these sectors, such systems are deeply embedded in activities from manufacturing to theme-park rides.
"ICS and SCADA are the building blocks of automated systems where control or monitoring of a process is required," Piggin explains. "Many also have varying degrees of safety-related functionality, from protecting operators, users or customers to members of the public."
The potential vulnerability of ICS systems was highlighted by Stuxnet, a very sophisticated tailored attack against specific systems (the Iranian enrichment facilities). However, much of the potential vulnerability lies in the capability of the controllers to be legitimately programmed to perform control functions in infrastructure applications.
However, disruption from a cyber-event could be devastating. For example, around 80 per cent of the UK population relies on five supermarket retailers who hold only four days' worth of stock in their supply chain; so a cyber-event could have a far-reaching impact.
"Based on our data and expertise we see the constant rise of the intensity of attacks of all kinds, including targeted attacks on critically important systems," Costin Raiu, director of the global research and analysis team at Kaspersky Lab, explains. "Unfortunately, it is hard to come up with exact data for attacks on industrial systems, as there is no existing practice of registering and analysing such incidents and disclosing data about them publicly.
"We can definitely say that there were tens of incidents involving critical infrastructure last year."
Overall, modern industrial systems employ a highly complex infrastructure, comprised of modern as well as legacy hardware and software, specialised controller systems as well as traditional computers. Because of such complexity, establishing proper protection for the entire infrastructure of, for example, a hospital computer system or electric plant is not an easy task.
Even generic, widespread and non-intelligent malware can and does affect critical infrastructure, let alone targeted attacks for the purposes of cyber-espionage and sabotage. The latter, being the worst-case scenario, may result in serious consequences for hundreds of millions of people who are highly dependent on technology in their lives.
One more unpleasant thing about attacks on critical infrastructure is that mitigation options are rather different from the ones used in normal computer environments. "When an attack is detected on a regular corporate network, the best option might be to isolate or shut down the affected node temporarily, to prevent further consequences," Raiu says. "Typical industrial systems cannot be isolated or turned off easily in the same manner. The personnel responsible for the reliability of an industrial system have to ensure that no critical failures occur, despite the attack."
The most serious threats are those able to affect the availability of the hardware or software systems used to control technological processes. The second most critical type of threat is when a criminal group targets the integrity of the information circulating in the industrial computer network. Both threats may be classified as external, although attacks of this type may originate from both the Internet and inside the protected network perimeter.
There are many possible ways to attack critical infrastructure. "One example is the ability to remotely control the equipment, for instance when enabled by the equipment manufacturer," Raiu adds. "Another is the default passwords used to access critical nodes, lack of security mechanisms like authentication in technological data exchange protocols. Of course, security of industry is affected by inefficient policies employed by the system owner, lack of personnel discipline, insufficient knowledge in the level of security among engineers responsible for deployment and maintenance of an industrial system."
The urgency of this problem is understood by governments worldwide and by international bodies. "In our view, protection of critical infrastructure requires a joint effort from governmental organisations, technology and security experts, vendors of hardware and software solutions. Only the joint operations will prevent a significant risk of attacks on critical infrastructure, being a part of an ongoing cyber war."
According to Raiu there are many steps which can be implemented in order to increase the security of critical infrastructures, and they range from simple to complex.
He says that the easy steps are to define a good, thorough security policy for the whole organisation and deploy firewalls that separate critical networks from the public Internet. In addition, there is a pressing need to deploy advanced security software, monitor traffic and keep detailed logs.
When it comes to harder steps, top of the list is to upgrade all versions of Windows to Windows 7 x64 (64 bits) as well as to remove Internet Explorer in favour of a more secure browser such as Chrome. He also recommends removing Java from all PCs along with old hardware that can't be properly secured. Other measures include implementing a 'whitelisting' policy by banning all unknown programs, deploying 'honeypots' inside the organisation to track attacks and educating personnel about security threats.
"But the most essential problem for critical industrial systems is trustworthy monitoring," Raiu continues. "Operators of such systems have to be able to get precise information about system nodes, such as the telemetry from certain controllers, for example. This alone will not prevent the attack but will allow the personnel to identify the cause of the breach and take measures.
"Otherwise, if the attackers are able to falsify the monitoring data, there is no way to reveal the fact of the attack in the first place. The Secure OS approach solves this problem by enabling an additional, highly secure and fully trustworthy control layer. Combined with more traditional security technologies, such as proper evaluation of risks, development of mitigation tactics, deployment of security policies and timely software updates, Secure OS will offer more efficient protection for the critical infrastructure systems."