Hackers are now directing their activities toward the technology commonly found in power stations, factories and other infrastructural facilities. Engineers tasked with managing these systems must understand the rising risk, and ensure that safeguards are implemented.
Awareness of the cyber-security risks inherent in industrial control systems (ICSs) and supervisory control and data acquisition (SCADA) systems has been growing since Stuxnet, the first publicly-known malware to specifically target these classes of technology, first appeared in June 2010.
The 'reconnaissance' malware launched by Energetic Bear group (aka 'Dragonfly'), just over four years later, highlighted the continuing business risk to engineers, technologists and (potentially) executive boards responsible for the management of a broad range of facilities using ICSs.
Malware is being developed that targets ICSs; more alarming still is the fact that this malware has been delivered by 'legitimate' means – ie, vendor updates via their website – so it is programmed to obtain information about ICSs. Without reconnaissance, it is difficult for a cyber-threat to stage an attack: the importance of protecting plant information cannot be over-stated.
Stuxnet's intention was to sabotage operational industrial plant – not disrupt abstract IT systems. No-one has claimed responsibility for originating Stuxnet; there has been speculation that it was developed by nation states to attack Iran's facilities – a 2011 New York Times report suggested that it 'wiped-out' around 25 per cent of Iran's nuclear centrifuges and helped delay the country's ability to make nuclear arms – but other countries' facilities were also infected.
Stuxnet highlighted that ICS types were vulnerable to attack. Organisations would be wrong, however, to base their potential threats on Stuxnet alone. Automation components are generic, so less-sophisticated attacks could use similar techniques to make attacks scalable. Stuxnet variants have also been identified. The Havex.A RAT 'reconnaissance piece' – explained elsewhere in this article – might be an early indication of new Stuxnet-inspired attacks.
New threats come in the wake of investigative research carried out earlier this year by consultancy firm Atkins, which discovered that data is being made available from various mainstream online media that – theoretically – could be used by hackers to inform attacks on a range of ICSs and SCADA-based platforms. Atkins wanted to understand what ICS/SCADA information found in the public domain could be used to target control systems and to assess the remedial actions organisations might take to improve security in ICS domains.
The findings brought new emphasis to the fact that hackers and other cyber-threats are increasingly turning their attention to the ICSs and what is being termed operational technology (OT) running much of the enabling computer technology that factories, assembly lines, industrial plants, and utilities (ie, power, gas, water), now rely on.
Aside from information that might advertently or inadvertently be published into the public domain about ICSs and their vulnerabilities, probably the most alarming discloser of ICS equipment is the Shodan website. This is a search engine for Internet-facing devices: Shodan interrogates connected devices and catalogues the response from a device, known as a 'banner'. The equipment banner information is then indexed; device-specific searches can be filtered by port, hostname and/or country.
Hacking the humans
According to cyber threat intelligence firm iSightpartners, since at least 2001 Iranian hacker groups have been engaged in a 'creative' social media campaign aimed at high-ranking USA and Israeli defence, diplomatic and other officials. Targets were lured to fake websites through an elaborate social media network that features a bogus news site called NewsOnAir.org. The cyber-espionage operation – 'Newcaster' – used social media to engage with targets, building trust with fake relationships with friends, family and colleagues in order to compromise email accounts. Victims were then sent spear-phishing emails with links to spoof webmail login pages to steal account credentials.
No matter how thorough an organisation's awareness of potential risks, and how diligently its safeguards are applied, personnel – including third-party staffers and contractors – can still constitute a weak link; but weaknesses can be converted into defence. Effective security can become cultural, like safety considerations. However, while we understand system safety, system cyber-security is more difficult and less tangible. Yet organisations can do more to highlight the risks and the right behaviours. More sophisticated attacks may be initiated by 'spear phishing' (eg, artfully-crafted emails directing victims to download malware). Risks of information leakage, inappropriate social media use and circumventing security policies and procedures can be reduced with suitable education. One-third of manufacturing organisations were affected by at least one targeted spear-phishing attack in 2013, according to security vendor Symantec. Education and straight forward reporting can help.
System vulnerabilities, hacking tools and so-called 'script kiddies' (unskilled individuals using third-party scripts or programs developed to attack computer systems, networks and specifically ICSs), represent an escalating threat. The technical knowledge required to launch an attack has fallen due to the availability of 'off-the-shelf' hacking tools. Vulnerabilities are more understood due to increased reporting, the emergence of 'ICS security research exploits' and heightened media coverage.
There are features of ICSs that constitute security weaknesses. These include the inherent trust associated with system components when communicating with other control system elements. The prime one is the 'automation Lego' of generic components designed to be easily integrated, programmed and configured: it doesn't need to be have vulnerabilities exploited – it just has to be reprogrammed.
Download the full Energetic Bear attack infographic, featuring further information and a timeline of events
It is a legal requirement to risk-assess ICSs and design them to avoid safety failures. Whether these established risk-assessments extend to ICS cyber security is less easy to ascertain. Even where control systems suffer a security breach, research has shown that safety functions have not been compromised; but a nuisance shutdown may occur that impacts on operations, and might also have financial and contractual implications.
Reasons for a shutdown may not be readily discernible. Instances of ICS/SCADA devices being in some way compromised might not be immediately evident to operators or engineers, as the systems were probably not implemented with suitably-granular diagnostics or forensic capability.
Gauging the level of risk to an ICS means understanding the application and physical process under control. Non-availability could be significant, as indeed could the opposite: unexpected operation. Understanding the threat agent, their motivation and their capability, is another key consideration: second-guessing their motivation might give clue to the sophistication of future activity and the defences required.
Most control systems engineers are now aware of the potential impact of safety incidents, which may include damage to equipment, environmental damage, injury to persons and even fatalities. Potential consequences for the failure of ICS systems are known, and often widely reported.
So it's important to bear in mind that a range of factors – and not just malicious intent – can affect ICS security. This demonstrates the challenges facing the organisations that rely on them. Taking steps to address ICS cyber-security should improve control system resilience to other adverse incidents, reducing unplanned downtime and facilitating a more rapid return to business-as-usual following an incident.
Prelude to a sophisticated attack?
Malware that was detected in July 2014 targets ICSs in the European Energy sector. The malware was distributed by phishing emails with PDF attachments to selected employees, industry websites (known as a 'watering hole' attack) and via compromised software updates on three legitimate ICS vendor websites. This variant of the Havex.A Remote Access Trojan (RAT) is targeted specifically at ICSs, although previous versions have been used against the defence and aerospace sectors, with 88 variants discovered.
Internet security solutions provider F'Secure revealed that the RAT has been adapted for intelligence gathering of ICSs, enumerating networks and specifically searching for Open Platform Communications (OPC) servers. The OPC Foundation renamed the protocol Object Linking and Embedding (OLE) for Process Control (OPC). Such servers are used for real'time data communications between ICS/SCADA devices from different vendors. A large number of (mostly) European Energy organisations have reportedly been affected.
A notable feature of Havex is that one of the routes to infection is via compromised manufacturer software updates. The group behind the Trojan exploited vulnerabilities in the website content management software for command and control servers, hiding the Trojan in legitimate software installers available for download to customers in order to compromise ICSs/SCADA systems.
Crucially, one of the affected software updates is for secure remote access. Once the malware is installed, it communicates with one of the 146 command and control servers (the compromised Web servers) and downloads the ICS/SCADA 'sniffer' component. This demonstrates an intention to exploit and control ICS/SCADA systems, which is presently uncommon.
Previous extensive evidence of the Havex RAT has been attributed to the Russian Federation by security provider Crowdstrike's 'Global Threat Report 2013 Year in Review', suggesting the group responsible may have operated with sponsorship or knowledge of the Russian state. According to ICS-CERT, the Industrial Control System Computer Emergency Response Team based in the US, Havex uses an old version of OPC, 'OPC Classic'.
Research has shown that infected systems may crash causing OPC communications denial of service. The new OPC Unified Architecture does not use the Microsoft COM/DOM technology and is unaffected. Affected organisations are recommended to check their network logs for potential Havex activity and to secure their OPC servers.
Organisations have sought to optimise processes and reduce cost, using the opportunity afforded by the technology trend of convergence of control systems or OT on common IT technologies such as Ethernet, standard computer operating systems and wireless. However, this opportunity potentially carries increased risk as often formerly isolated control systems, including safety systems, are opened to the enterprise for business users – and thus potentially exposed to the Internet. Organisations are finding convergence demanding – and security of an ICS is often compromised.
ICSs have many characteristics that differ from traditional IT systems, including different risks and priorities. In many organisations, the business impact of an ICS incident is not assessed or considered alongside information assurance or safety risks. Executive boards don't always recognise the issue and it is often not articulated to them by those in the know.
The fact that the IT security and engineering communities do not often mix, share limited information and have differing perspectives and use different language, needs to be better understood. Few corporate boards have members with direct responsibility for cyber security, let alone an appreciation of ICS security and its nuances.
Good practice strategies outlined
So what are infrastructure operators, governments and academia doing about this threat? There has been work on providing guidance on ICS security which highlights the US National Institute of Standards and Technology (NIST) information about the potential malicious events that could affect a control system.
Governments are providing good practice guidance and information. In the UK, the Cyber-Security Information Sharing Partnership (CISP) was launched in March 2013. It is a joint, collaborative initiative between industry and government to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat – and therefore reduce the impact upon UK business.
Industry groups are sharing information and producing sector standards and progress plans. Standards such as IEC 62443 are being developed in this area, as are guides such as the forthcoming 'Cyber Security in the Built Environment Code of Practice' guidance from the Institution of Engineering and Technology (IET).
Good 'cyber hygiene' can reduce risk. A few steps are recommended to provide a good level of security. The recently launched UK Cyber Essentials Scheme from the UK Department for Business, Innovation and Skills and the Cabinet Office, concentrates on five controls against Internet-originated attacks. While not primarily aimed at ICSs, the recommended controls focus on access control, boundary firewalls and Internet gateways, malware protection, patch management, and secure configuration.
Industry is developing specialist courses to develop skills and bridge the gap between ICS engineering/OT and IT, such as the Global Industrial Controls Systems Professional Certification (GICSP) from the SANS Institute. Conferences – such as the forthcoming IET System Safety and Cyber Security 2014 Conference (scheduled for 14-16 October 2014) – are an important step toward awareness-raising and peer education.
CPNI and EPSRC have just launched RITICS: Research Institute in Trustworthy Industrial Control Systems. This activity supports the UK's Cyber Security Strategy and the creation of research institutes. RITICS was created in January 2014 as a response to the growing need for improved cyber security for ICSs.
The UK Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides security advice to the national infrastructure. Specific SCADA advice is offered by the CPNI in a series of process control and SCADA security good practice guidelines.
Since the CPNI Good Practice Guides were published, there has been an increase in industrial cyber security guidance available. There are now a number of generic guides and resources for securing ICSs. They include: National Institute Standards and Technology (NIST) Special Publication 800-82, 'Guide to Industrial Control Systems Security' (www.csrc.nist.gov/publications/PubsSPs.html); IEC/TS 62443-1-1:2009, a technical specification which defines the terminology, concepts and models for Industrial Automation and Control Systems security – establishes basis for remaining standards in the IEC 62443 series (www.iec.ch); and the CPNI's 'Process control and SCADA security' good practice guidelines series (www.cpni.gov.uk/advice/cyber/scada).
The operators of industrial control systems are responsible for their security. A basic checklist specifically for ICS operators might recommend that they should:
- Undertake open-source searches to identify plant information, and take steps to mitigate accordingly
- Restrict physical access to the ICS network and devices
- Protect individual ICS components from exploitation, for example applying security patches after testing; disabling unused ports and services; restricting ICS user privileges; tracking and monitoring audit trails and using security controls such as antivirus software and file integrity checking software where feasible to prevent, deter, detect and mitigate malware)
- Maintain functionality during adverse conditions: design ICSs so that critical components have redundancy. Component failures should not cause cascading events, such as unnecessary traffic on the ICS or other networks
- Plan for system restoration after an incident. Incidents are inevitable and an incident response plan is a basic requirement
- Review ICS security and training. As time progresses systems change, vulnerabilities are discovered, information is published and there is staff turnover.
Another ongoing requirement is to educate and share information on the evolving threat – this is why, its advocates say, UK organisations should participate in CISP. Vendors of control systems need to develop technologies to secure products; users should assess these and make their requirements known. ICS users need to implement appropriate security measures, including security functionality in existing equipment and harden systems. Ensuring appropriate governance and responsibility is another key element to implementing a programme that underpins business resilience.