SCADA and ICS Cyber Security: Facing the Facts

Our last blog, contributed by Thomas Nuth, highlighted the fact that industrial cyber security is now being discussed by heads of state within the international community. The Executive Order “Improving Critical Infrastructure Cybersecurity”, signed by President Obama in February of this year, is just one indication of the importance being attached to this issue.

Let’s continue the discussion...

Why the Threat Level to SCADA and Industrial Control Networks is Increasing

In the past, the main reason for securing a SCADA/ICS network was to protect against inadvertent network incidents or attacks from insiders. The risk of an external malicious cyber-attack was considered minimal.

And then we witnessed the rise of global terrorism in the new millennium - and the disclosure of Stuxnet.

In 2010, Stuxnet was successfully introduced into an apparently ‘air-gapped’ facility with the intent to destroy an industrial process. As I discussed in my blogs on Stuxnet, the worm used multiple methods to infiltrate the target site, the most famous of which was the use of a USB key. Its discovery had multiple effects:

1. The ‘bad guys’ switched their attention to industrial systems.

Stuxnet’s fame drew attention to the existence of industrial systems and devices. It also made it clear how insecure they really were. In 2011 more industrial control system (ICS) vulnerabilities were made public (many with exploit code available on the internet) than in the entire previous decade. In 2012 there were even more vulnerabilities. 2013 shows every sign of breaking records again.

2. New advanced persistent threats targeting industry began to emerge.

Stuxnet wasn’t the first advanced persistent threat (APT), but it was the first to focus on industry. It was also so thoroughly dissected by security experts that it became an “APTs for Dummies” cookbook on how to write attacks that target industrial companies.

Most recent APTs have focused on industrial espionage to steal business information from the energy industry, but others like Shamoon (which was not all that ‘advanced’ or ‘persistent’) have been successful at destroying large computer systems. Expect to see lots more APTs being discovered in the next few years. And if we don’t see more, it is likely because we haven’t found them yet, not because they don’t exist. After all, industrial-focused APTs are clearly effective for their creators, so why would they stop creating them now?

3. Low-grade cyber “warfare” goes mainstream.

Stuxnet has been widely attributed to a joint U.S./Israeli project to destroy Iran’s uranium enrichment program. Its existence has given tacit approval to other nations and political groups to use cyber-attacks as a form of undeclared warfare. Most recently, we have seen large scale attacks on South Korea that have been attributed to North Korea.

My advice? If you have critical industrial facilities in any politically sensitive region (such as the U.S., the Middle East or the Far East), now is the time to renew your cyber security efforts.

Stuxnet’s design provided a ‘toolkit’ for other sophisticated malware. Image Credit: Black Box Network Services Canada

SCADA and Industrial Control Networks Get Connected

While the threat has increased significantly, the opportunity to connect to a SCADA or ICS system has too. In the good old days, industrial networks ran on proprietary networks, used proprietary equipment, and were isolated from business networks and the internet. This was the era of both ‘security by obscurity’ and ‘security by air gap’ (if you are a regular reader of my blog, you’ll know my views on the air gap theory!).

But over the last decade, things have changed. Industrial networks have migrated from proprietary systems to commercial off-the-shelf technology like Ethernet, TCP/IP and Windows. What’s more, today’s industrial systems require a constant stream of updates from the outside world. There’s no denying it – the industrial floor is no longer isolated.

It’s also true that devices such as programmable logic controllers (PLCs) and distributed control systems (DCS) were designed with a focus on reliability and safety, rather than security. This makes many of them, particularly older units, easy to exploit. And the protocols that SCADA and ICS use to communicate are no different – designed to be reliable and easy to troubleshoot, most protocols lack even the most basic security features like authentication. As the Tofino test team likes to say, “If you can ping it, you can own it”.
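To make the missing-authentication point concrete, here is an added example (not from the original post) that decodes a request in Modbus/TCP, a widely used ICS protocol chosen here as the illustration, and then applies the kind of per-source function-code allowlist an inline industrial firewall can enforce. The frames, the 192.0.2.x addresses and the policy table are constructed for the example.

```python
import struct

# Modbus function codes that change process state (coil/register writes).
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP request: 7-byte MBAP header, function code, data."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    # These are all the fields a request carries: nothing identifies or
    # authenticates the sender, so the device trusts any host that reaches it.
    return {"transaction_id": tid, "unit_id": unit,
            "function": frame[7], "data": frame[8:]}

def decide(src_ip: str, frame: bytes, policy: dict) -> str:
    """Filter decision; policy maps source IP -> set of allowed function codes."""
    try:
        request = parse_modbus_tcp(frame)
    except ValueError:
        return "deny"  # malformed traffic never reaches the controller
    if request["function"] in policy.get(src_ip, set()):
        return "allow"
    return "deny-write" if request["function"] in WRITE_CODES else "deny"

# Constructed sample frames (not captured traffic).
READ_REGS = bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0a")  # read 10 registers
WRITE_REG = bytes.fromhex("00 02 00 00 00 06 01 06 00 01 03 e8")  # set register 1 = 1000

# Constructed policy: the HMI may read and write, the historian may only read.
POLICY = {"192.0.2.10": {0x03, 0x06}, "192.0.2.20": {0x03}}

def demo() -> list:
    cases = [("192.0.2.10", WRITE_REG), ("192.0.2.20", READ_REGS),
             ("192.0.2.20", WRITE_REG), ("192.0.2.99", WRITE_REG),
             ("192.0.2.10", WRITE_REG[:9])]
    return [decide(ip, frame, POLICY) for ip, frame in cases]

if __name__ == "__main__":
    print(parse_modbus_tcp(WRITE_REG))
    print(demo())
```

Because the protocol itself offers no credential to check, the source address and function code are the only things a filter in front of the controller can base its decision on.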

The Perfect Storm for the Attacker

Today it is clearly a game with the advantage going to the attacker – millions of decades-old systems that were never designed to be secure, increasing connectivity of SCADA and ICS, and a growing library of free tools and techniques to attack SCADA and ICS.

Can our critical infrastructure weather the storm? Image Credit: Archival Photography by Steve Nicklas, NOS, NGS [Public domain], via Wikimedia Commons

It’s evident then that there’s no simple solution to securing our critical infrastructure. The process is going to take a lot of time and effort - and very careful planning. But regardless of the pain points involved, investing in industrial network security is not only responsible, it’s necessary for any mission critical application.

If our heads of state are taking this issue seriously then so should industry.

I’d love to hear your views on this topic. Do you think we are taking the subject of industrial cyber security seriously enough? Have we made any progress?


Author Eric Byres

Comments


First of all I would like to say that I really enjoy your blogs.

My name is Scott Rokita and I am an Electrical Engineer with 16 years of hardware experience across most all of the major subfields of Electrical Engineering (EE).

Recently, I have gone back to school to get a Master's in Information Security and Intelligence (ISI), since my skill set does not match the jobs where I currently live. What I am finding, though, is that even though my program is very good, I am one of 3 EEs in the entire program. Most of the students are either ISI undergraduates or have traditional IT degrees and backgrounds. So the program is geared towards the traditional IT type work and security. I myself am working towards Business Intelligence and Project Management specialties. Now the teachers try to talk about controls when they can.

So my question is how are we to truly train the next generation when the college programs do not even know how to train for Industrial Controls Systems (ICS) Cyber Security?

As you clearly point out ICS uses a lot of the same network hardware but that is about it.

Respectfully,

Scott Rokita
