With the first hacker-caused power outage happening just a few months ago, it’s clear that attackers are showing greater interest in targeting Industrial Control Systems (ICS).
While security breaches for most organisations simply cause financial loss, attacks on ICS can destroy critical equipment, threaten national security and even endanger human life.
While the lion’s share of cybercrime is motivated by money, there’s a troubling difference in the motivations of ICS attackers. Here’s a round-up of 2015’s attacks and what we can learn:
– The first hacker-caused power outage
On 23rd December 2015, several regions in Ukraine experienced a power outage due to blackouts in 57 power substations. It is believed to be "the first power outage proven to have been caused by a cyberattack".
The attack was conducted in a sophisticated, well-planned manner as a three-stage process:
– Infection through spear-phishing emails with MS Office documents as attachments. The documents contained malicious macros.
– Takedown and recovery prevention by wiping system files from the control systems.
– Distributed Denial of Service (DDoS) attacks targeted at the different power companies’ customer service centres using a barrage of fake calls, thereby delaying the company finding out about the problem.
The malware used has been linked to the BlackEnergy malware family that has been around since 2007, other variants of which were also found collecting SCADA infrastructure information in 2014.
– Confirmation of ICS reconnaissance attacks in the US
In December 2015, two reports revealed that ICS attacks were reconnaissance attacks, i.e. done with the intention of gathering intelligence.
The first report confirmed an attack on the Bowman Avenue Dam in 2013. Although the dam wasn’t compromised, the attack focused on gathering queries and searches from the infected machines. It was attributed to Iranian hackers.
Similarly, the analysis of a computer belonging to a contractor of Calpine, "America’s largest generator of electricity from natural gas and geothermal resources", revealed it had been compromised, allowing attackers access to company information. The stolen information was found on one of the attackers’ FTP servers and included usernames and passwords that could remotely connect to Calpine’s networks, as well as detailed engineering drawings of networks and 71 power stations across the US.
– Compromised SCADA (Supervisory Control And Data Acquisition) systems for sale in the underground
Internet forum posts offering to sell compromised SCADA systems were found in underground forums, complete with a screenshot of the compromised system and even three French IP addresses and VNC passwords. The authenticity of these credentials hasn’t been confirmed. However, this introduces the very real possibility of ready-to-use vulnerable SCADA systems becoming another commodity that can be readily bought.
These attacks are only three among many others. According to The ICS-CERT Monitor Newsletter: Oct 2014 – Sept 2015, a total of 295 incidents were reported to the ICS-CERT in 2015. 97.33% of incidents were targeted at critical manufacturing infrastructure, followed by the energy sector (46.16%). The rise in attacks against critical manufacturing systems was attributed to a widespread spear-phishing campaign primarily targeting that sector.
One of the top challenges for securing ICS is the sophistication of today’s cybercriminals. There are additional challenges such as industry-specific systems, regulations and practices. Most ICS have different vendors and run proprietary operating systems, applications and protocols. As a result, host-based security developed for IT is generally not available for ICS and many network security controls developed for common enterprise applications and protocols do not support those used by ICS.
So how can you protect your system?
– Beware of phishing emails: Good antivirus software adds another layer of security by warning about malicious attachments. Spear-phishing emails have been found, in practice, to have been used in all of these attacks, making them as popular in the ICS world as they are in the enterprise world.
– Conduct logging and regular network scanning: Logs are a great way of monitoring activity on systems and help put together the missing pieces of the puzzle in case of an incident. They have also served as early detectors of infection in several cases. Log maintenance is highly recommended to ICS sysadmins for the same reason. Regular network scanning is another security best practice that serves as an early indicator of an infection, if one exists.
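One way to turn the logging advice into a concrete detection, as an added example that is not part of the original post: given the remote-access credentials and VNC passwords described above, a useful check is to flag accepted remote-access sessions (VNC, RDP, SSH) into the ICS segment that do not originate from the approved engineering subnet. The log lines, subnets and port list below are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample firewall connection log lines (not from the original page).
SAMPLE_LOG = """\
2015-12-23T22:01:14Z ACCEPT src=10.20.5.14 dst=10.50.1.7 dport=5900 proto=tcp
2015-12-23T22:03:40Z ACCEPT src=203.0.113.45 dst=10.50.1.7 dport=5900 proto=tcp
2015-12-23T22:04:02Z ACCEPT src=10.20.5.14 dst=10.50.1.8 dport=502 proto=tcp
2015-12-23T22:05:55Z ACCEPT src=198.51.100.9 dst=10.50.1.9 dport=3389 proto=tcp
2015-12-23T22:06:10Z DROP src=198.51.100.9 dst=10.50.1.9 dport=5900 proto=tcp
"""

# Hypothetical policy: only the engineering workstation subnet may open
# remote-access sessions into the ICS segment.
ENGINEERING_SUBNET = ipaddress.ip_network("10.20.5.0/24")
ICS_SUBNET = ipaddress.ip_network("10.50.1.0/24")
REMOTE_ACCESS_PORTS = {5900: "VNC", 3389: "RDP", 22: "SSH"}

Alert = namedtuple("Alert", "timestamp src dst service")


def parse_line(line):
    """Parse one 'timestamp ACTION key=value ...' line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = {"timestamp": parts[0], "action": parts[1]}
    for token in parts[2:]:
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields if all(k in fields for k in ("src", "dst", "dport")) else None


def find_unexpected_remote_access(log_text):
    """Return alerts for accepted remote-access sessions into the ICS subnet
    whose source lies outside the approved engineering subnet."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["action"] != "ACCEPT":
            continue  # dropped connections never reached the ICS host
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
            port = int(f["dport"])
        except ValueError:
            continue  # skip unparsable addresses/ports rather than crash the monitor
        if dst in ICS_SUBNET and port in REMOTE_ACCESS_PORTS and src not in ENGINEERING_SUBNET:
            alerts.append(Alert(f["timestamp"], str(src), str(dst), REMOTE_ACCESS_PORTS[port]))
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_remote_access(SAMPLE_LOG):
        print(f"{a.timestamp} {a.service} session to ICS host {a.dst} from unapproved source {a.src}")
```

The Modbus/TCP connection on port 502 from the engineering subnet is deliberately left unflagged; the point is to alert on remote-access protocols from sources that have no business reaching the control network.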
The good news is that in recent years, the inherent problems and vulnerabilities of ICS have become more widely recognised, and the first steps have now been taken to rectify them. Government bodies such as the Centre for Protection of National Infrastructure (CPNI) publish advice and guidance on security best practice.
Another way is through the definition of common standards such as ISA/IEC-62443 (formerly ISA-99). Created by the International Society for Automation (ISA) as ISA-99 and later renumbered 62443 to align with the corresponding International Electrotechnical Commission (IEC) standards, these documents outline a comprehensive framework for the design, planning, integration and management of secure ICS.