Increasingly we hear about cyber-attacks against critical infrastructure and warnings about its vulnerability to further attacks. How are these attacks possible? At the same time, more industrial control systems (ICS) are being connected to the Internet. Are these attacks simply the result of more opportunity, or are other factors involved?
ICS and Supervisory Control and Data Acquisition (SCADA) systems have been around for decades. In fact, much of your daily routine relies on them: traffic lights, electricity grids, building access, heating and cooling, the transport that delivers food, water treatment plants, sewerage works, dams, the gas and oil pipelines that fuel transport, and wind turbines. Nearly all infrastructure depends on SCADA and ICS to function.
A SCADA system is a hierarchy of components. At the leaf nodes, Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs) connect the sensors and actuators that measure and control physical quantities; these are networked to a local Programmable Logic Controller (PLC). Groups of PLCs are then supervised from a central Human-Machine Interface (HMI), which is often an MS Windows application. SCADA systems were traditionally isolated from the corporate network. SCADA has kept pace with technology, and newer systems include Internet of Things (IoT) components.
The legacy of decades of SCADA evolution, with its isolated beginnings, relative obscurity and almost exclusive focus on functionality, has left many vulnerabilities and insecure practices in products. Reports show a range of issues in SCADA software across all vendors and industry sectors.
Industrial Internet of Things
The advent of the Internet of Things (IoT) has been revolutionary: smart toasters, smart lights, even smart toilet seats that perform skin fold tests and, if you are gaining weight, tell the smart fridge not to order butter. Today the world is interconnected and controlled from the cloud.
The parallels with SCADA are striking: each uses small remote units controlled by a central system. In the case of IoT, however, the remote unit usually has processing power rivalling a desktop of a decade ago, and the central controller sits in the cloud and is reached over the Internet.
There is much discussion about whether IoT could replace SCADA, since IoT can be deployed in new facilities. Legacy SCADA systems can, however, benefit from being paired with IoT: SCADA provides real-time data, while IoT platforms can add predictive analytics.
Sources of Insecurity
Companies often look to gain benefits by remotely accessing their SCADA devices directly, to save labour costs, or by pairing them with IoT over the Internet. Connectivity improves, but the Internet represents a much higher risk than the corporate LAN, and far higher than an isolated network. The Internet is global; everything connected to it is reachable by cybercriminals and by hostile nations that may carry out cyber-warfare.
Cyber-warfare may seem far-fetched. However, Symantec has identified malware, crafted by an eastern European group known as Dragonfly, infecting energy-sector ICS across Europe and the US. The malware is a collection of Trojan horse style programs that sit quietly on infected systems; so far it has mostly been used for industrial espionage, but it gives its operators the foothold needed to severely disrupt national electricity grids.
Reports from Kaspersky and a presentation at the annual CS3 conference in Stockholm show a growing number of SCADA systems reachable from the Internet, alongside a growing number of their known vulnerabilities catalogued by US Homeland Security's ICS-CERT division. There is also a Vimeo channel demonstrating many exploits against SCADA systems, and websites selling previously unknown SCADA exploits (zero-day exploits).
Obscurity is no longer an option. Shodan, the first search engine for Internet-connected devices, indexes ICS devices exposed on the Internet, and its results link to Offensive Security's Exploit Database, whose exploits are also packaged for tools such as Metasploit.
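The practical consequence of the point above is that an operator should assume its exposed devices are already indexed, and go looking for them itself. The following Python script is an added example (not code from this article, from Shodan or from Agilient) of that check: it reads a Shodan-style JSON-lines export and reports any banner on a well-known ICS port whose address falls inside the operator's own ranges. The field names follow Shodan's banner JSON (ip_str, port, transport, product, data); the port-to-protocol table, the three sample banners and the address ranges are constructed for the example.

```python
"""Triage a Shodan-style JSON-lines export for ICS services exposed from
your own address space.

Added example; not code from the original article, Shodan or Agilient.
Assumes Shodan's banner JSON layout (ip_str, port, transport, product, data).
The port table, sample banners and address ranges below are constructed.
"""
import ipaddress
import json

# Well-known ports of common ICS protocols.  Assumption: a host answering on
# one of these from the Internet deserves a closer look, whatever the banner.
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Niagara Fox",
    2404: "IEC 60870-5-104",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed sample export: three records shaped like Shodan banners
# (documentation address ranges, not real devices).
SAMPLE_EXPORT = "\n".join([
    json.dumps({"ip_str": "203.0.113.10", "port": 502, "transport": "tcp",
                "product": "Modbus", "data": "Unit ID: 1\nDevice: PLC"}),
    json.dumps({"ip_str": "203.0.113.11", "port": 443, "transport": "tcp",
                "product": "nginx", "data": "HTTP/1.1 200 OK"}),
    json.dumps({"ip_str": "198.51.100.7", "port": 47808, "transport": "udp",
                "product": "BACnet", "data": "Vendor: example"}),
])


def load_banners(export_text):
    """Parse JSON-lines text into banner dicts.

    Blank or malformed lines are skipped so one bad record does not abort
    the whole triage.
    """
    banners = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            banners.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return banners


def find_exposed_ics(export_text, owned_networks):
    """Return the banners on ICS ports whose address lies in owned_networks.

    owned_networks: iterable of CIDR strings.  Each hit carries the address,
    port, transport, protocol name and the first banner line, which is what
    the owner of that network segment needs to locate the device.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in owned_networks]
    hits = []
    for banner in load_banners(export_text):
        port = banner.get("port")
        if port not in ICS_PORTS:
            continue
        try:
            addr = ipaddress.ip_address(banner.get("ip_str", ""))
        except ValueError:
            continue          # record without a usable address
        if not any(addr in net for net in nets):
            continue          # exposed, but not ours to fix
        data = banner.get("data") or ""
        hits.append({
            "ip": str(addr),
            "port": port,
            "transport": banner.get("transport", "tcp"),
            "protocol": ICS_PORTS[port],
            "banner": data.splitlines()[0] if data else "",
        })
    return hits


if __name__ == "__main__":
    for hit in find_exposed_ics(SAMPLE_EXPORT, ["203.0.113.0/24"]):
        print("{ip}:{port}/{transport} {protocol} - {banner}".format(**hit))
```

Run against the constructed sample with the range 203.0.113.0/24, the script reports only the Modbus host at 203.0.113.10; the BACnet host on 198.51.100.7 is exposed but outside the supplied ranges, and the HTTPS server is ignored because port 443 is not an ICS port. To use it on real data, feed it the contents of a Shodan export (for example the JSON-lines file written by the `shodan download` command, decompressed) in place of SAMPLE_EXPORT, and follow every hit back to the asset owner; a device answering Modbus or BACnet from the Internet is exactly the finding a risk analysis of Internet-connected SCADA should be driven by.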
Recommendations
Companies connecting SCADA systems to the Internet should first carry out a risk analysis. In most cases the benefits will be significant, so preparation is the key to staying as secure as possible.
Working towards, and then maintaining, conformance with ISA/IEC 62443 (formerly ISA-99) ensures current best practice is applied to keeping your SCADA systems under your control.
Agilient has experienced consultants, auditors, technicians and project managers to partner with you through these activities and to provide additional assurance. For more information, contact the team at Agilient today.
References
https://www.newgenapps.com/blog/8-uses-applications-and-benefits-of-industrial-iot-in-manufacturing
https://www.ioti.com/industrial-iot-iiot/top-20-industrial-iot-applications
https://os.kaspersky.com/wp-content/uploads/sites/18/2018/04/KCS_Scada_ICS_WEB.pdf
https://www.scadacs.org/pubs/2013_phdays.pdf
https://www.dfn-cert.de/dokumente/workshop/2014/Folien_Malchow.pdf
https://www.shodan.io/about/products
https://www.shodan.io/explore/category/industrial-control-systems