Industrial Control System attacks and SCADA system attacks are growing and so is the concern. Many ICS’s are antiquated or un-patched versions of Windows operating systems.


Why are attackers targeting ICS? 

The damage or consequences can be high, everybody knows the result of shutting down a power plant even if only for one day. And not only that but third world countries are at higher risk, with lower security standards physical and network.

 

External threats – APT, Targeted attacks.

34% of ICS (Industrial Control Systems) were breached more than twice in last 12 months (2016). In 2015, ICS operators reported more security incidents to US authorities that any year prior.

Physical damages or disruptions are occurring in many of the breaches.

 

What are the common motivations of targeting SCADA and ICS systems?

  • Politically motivation
  • Industrial espionage/ Intelligence gathering

 

It is agreed that politically motivated attacks can be of great concern as they can have unlimited financial backing.

Critical threat vectors: Intellectual property and physical damage/disruption, more than likely in the form of a terrorist attack.

Attacks looking for operational damage can extend sector wide if common vulnerabilities or common metrics are discovered in the breach.

Internal Threat

Contractors with access to ICS networks. Most ICS systems don’t have authentication processes. A disgruntled employee or improperly screened employee can be a serious security risk.

Human Error

Unauthorized remote connections

Configurations, PLC programming errors,

Solutions:

Real time deep network monitoring and control technologies designed specifically for ICS networks with deep analysis and warnings.

 

From 2015 to 2016, IBM Managed Security Services reported a 110 percent increase in ICS cyber-security attacks. The US accounted for most of these incidents, given it has the most Internet-connected ICS networks on the planet, but the effects were still geographically widespread.

 

How to detect, generally:

  • Very similar to regular networks
  • Deeply monitor network activity
  • Compare ICS behavior with control system logs
  • Monitor user activity, internal threat.
  • Perimeter network/ firewalls
  • ICS firewalls
  • Segmented zones, similar to enterprise DMZ’s
  • Conduct RED TEAM tests
  • Air gap layer 1 internet from the internal control panels.
  • Social engineering
    • Spear-phishing
    • Have a strong security policy, physical and network.

Lets remember that cyber security risks in ICS and SCADA are very dynamic and only going to become more dynamic as technologies improve and new vulnerabilities and threats quickly emerge. Zero-day threats also exist in the industrial realm.

New threats:

  • AI hacking
  • Automated attack bots(software)

 

Cyber-physical attacks

More hacks targeting electrical grids, transportation systems, and other parts of countries’ critical infrastructure are going to take place in 2018. Some will be designed to cause immediate disruption (see “A Hack Used to Plunge Ukraine into Darkness Could Still Do Far More Damage”), while others will involve ransomware that hijacks vital systems and threatens to wreak havoc unless owners pay swiftly to regain control of them. During the year, researchers—and hackers—are likely to uncover more chinks in the defenses of older planes, trains, ships, and other modes of transport that could leave them vulnerable.

 

Industrial ransomware

Many industrial networks contain un-patched windows operating systems. The danger is attacks targeting the controllers. Targeting PLC’s that have a network connection online, such as Vendor specific vulnerabilities.

 

Red Button Event

In November, during her annual speech in London’s Guildhall, UK Prime Minister Theresa May accused Russia of attacking Britain’s national grid and telecom companies, claiming that Russia had “…mounted a sustained campaign of cyber-espionage and disruption”. She went on to say, “We know what you are doing and you will not succeed.”

These developments all point to what is known as a “Red Button” capability, whereby adversaries have gained a foothold inside industrial networks and critical infrastructure, and are capable of shutting down power grids, water supplies, etc. with the push of a button.

 

How to identify an attack on an I.C.S.?

  • Environments lack visibility and security controls, it can be difficult to detect attacks in real time or even quite some time after.
  • New monitoring technologies are needed.

 

Industrial management systems (ICS/SCADA) are now the prime target for cyber attackers seeking to compromise the production base and public utilities. Kaspersky labs released Threat Landscape for H1 2018, according to the report the attacks increased by 41% percentage targeting ICS computers attacked when compared to H1 and H2 of 2017.

 

Latest source of infection for computers in Industrial network infrastructures:

  • Internet
  • Removable Media
  • Email

 

Internet threats being the largest source:

The pre-internet proprietary nature of ICS networks, especially their lack of open computing standards.

 

ICS biggest vulnerabilities currently:

  • Lack of encryption
  • Lack of authentication.

Dana Onyshko | Cyber Security Investigator  | dana@informationhacker.com