What do we currently know about SCADA and ICS Cyber Threats?

What SCADA-specific malware is out there, and how vulnerable are industrial targets?

Overview of SCADA systems

One of the most important sectors of cyber security is one that most people NOT in security rarely hear about.

SCADA (Supervisory Control and Data Acquisition) systems monitor and control networks for core and critical infrastructure such as power plants and industrial plants. SCADA consists mainly of control units and remote terminal units (RTUs) connected to sensors, with provision for human intervention.


Why are ICS and SCADA Threats Very Scary?

Generally, SCADA systems are closed systems or “air gapped”, but that does not seem to stop malware, as Stuxnet proved.

But mainly, the consequences of a power plant being shut down or damaged are severe, and not just any power plant: what if it is a nuclear power plant?

Electrical grids, nuclear power plants, water plants, water dams, switching stations, private industrial plants: these are all vital to the operation and logistics of our infrastructure.


Recent Malware

Stuxnet

Stuxnet was the first malware to specifically target SCADA systems and programmable logic controllers (PLCs). It was responsible for causing substantial damage to Iran’s nuclear program. Note that the Iranian enrichment facility systems were AIR GAPPED.

Havex

Havex, a Remote Access Trojan (RAT), was used as part of a widespread espionage campaign targeting ICS environments across numerous industries. It scanned infected systems to locate SCADA or ICS devices on the network and sent data back to the attackers. Havex was an intelligence-collection tool used for espionage, not for the disruption or destruction of industrial systems.

This malware specifically seeks out servers that control SCADA systems in critical infrastructure.

BlackEnergy 2

BlackEnergy 2 was modified from an existing malware variant called BlackEnergy to target human-machine interface (HMI) software from a handful of vendors, including GE, Advantech/Broadwin and Siemens.

It was used in the cyber-attack that took down the Ukrainian power grid in Dec 2015.

Crash Override/Industroyer

Crash Override/Industroyer is the first known malware designed to attack electric grid systems, and was used in the Dec 2016 attack on a transmission substation in Ukraine. It is completely new malware and far more advanced than the general-purpose tools used to attack Ukraine’s power grid in 2015. What makes Crash Override so sophisticated is its ability to speak the same protocols that individual electric grid systems rely on to communicate with one another, sometimes called control-plane protocols. Stuxnet and Triton also use these native protocols.


Since most ICS environments suffer from a lack of visibility, it is very difficult for organizations to identify malicious activity once an adversary has gained access to the operational network.

Flame

Flame was political and strategic malware that appears to have been created for industrial espionage, currently deployed in the Middle East. From initial analysis, Flame seems to be designed to gather any kind of intelligence, with no specific target, leading experts to believe it is a complete, general-purpose toolkit for any kind of cyber-espionage warfare.

The important thing to know is that, as in the past, such highly flexible malware can be used to deploy specific attack modules that target SCADA systems, ICS and critical infrastructure.


Malware Is Targeting Core Infrastructure Fast

What we know for sure is that SCADA systems and ICS are in the cross-hairs of cyber attackers NOW, and it is only going to increase. These attackers can be assumed to be driven not by money but by political motivations.


How are attackers getting into the ICS systems?

  • A remote connection through one of the RTUs may enable the attacker to infiltrate an industrial network.
  • Once inside, the attacker can scan the network and identify ICS machines.
  • Since ICS networks do not use authentication or encryption, you can see the problem here: any system can now be accessed, including operator workstations.
  • The attacker then extracts the reconnaissance data to an off-site location. Next, malware is installed on a workstation with access to an ICS, using the intelligence gathered in the steps above.
  • In the final stages, the malware can disrupt automated processes and cause physical or operational damage, the consequences of which could be very dire.


How do we stop an attacker from getting into an ICS network?


  • Locate and identify remote connections, unauthorized system access, network scanning and attempts to read controller information.
  • Monitor communications between industrial systems on the network and to external systems.
  • Detect any unauthorized access to, and changes in, controller logic, configuration and status.
  • Segment the network into zones, similar to DMZs, for non-core machines, according to the guidelines in ANSI/ISA-99.


Target Infrastructure


Previously, ICS systems were not really targeted by malware; this is no longer the case. This is a huge challenge, because many industrial systems are not like enterprise and corporate networks: they lack even the most basic security measures and are often legacy systems. Many industrial networks do not even have network monitoring or logging capabilities.

The ray of light is that new, rapidly developing ICS-specific and SCADA-specific security technologies are emerging to defend industrial networks.

ANSI/ISA-99 Standards

Currently, security experts agree that the most effective way to prevent intrusions in ICS networks is to make use of zone-based defenses as described in ANSI/ISA-99.02.01 and IEC-62443.

Segment the network into security zones, and between the zones install industrial-grade firewalls with rules that block the protocols Stuxnet uses for infection and communication. Thus, if a breach does occur, it is limited to a small number of machines in a single zone.

The concept of zones and conduits as a way to segment and isolate the various sub-systems in a control system was introduced by ANSI/ISA-99 and somewhat resembles the DMZ zones on a large enterprise network.

A zone is defined as a grouping of logical or physical assets that share common security requirements based on factors such as consequence (just as a public web server is placed in a DMZ, a low-priority machine or system of low consequence could be placed in its own industrial zone).
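One way to make the detection items above (remote connections, scanning, access to controllers) and the zone/conduit model concrete, as an added example that is not from the article or from any ISA-99 reference implementation: a small Python checker that models zones and conduits as a policy table and evaluates flow records against it, flagging cross-zone traffic that has no conduit and sources that touch many hosts. All host names, zones, protocols and flow records are constructed for illustration.

```python
from collections import defaultdict

# Constructed asset inventory (hypothetical host names): host -> security zone.
ZONES = {
    "hmi-01": "control", "plc-01": "control", "plc-02": "control",
    "historian": "dmz", "eng-ws": "enterprise", "vendor-vpn": "external",
}

# Constructed conduits: the only (src_zone, dst_zone, protocol) triples that
# may cross a zone boundary; every other cross-zone flow is a policy violation.
CONDUITS = {
    ("control", "dmz", "opc"),       # controllers push data to the historian
    ("enterprise", "dmz", "https"),  # office users read from the historian
}

SCAN_THRESHOLD = 3  # distinct destinations from one source before flagging

def check_flows(flows, zones=ZONES, conduits=CONDUITS,
                scan_threshold=SCAN_THRESHOLD):
    """Evaluate (src, dst, protocol) flows against the zone/conduit model.

    Returns ("cross-zone", src, dst, proto) for each flow crossing zones with
    no matching conduit, and ("scan", src, n) for each source that touched at
    least scan_threshold distinct hosts. Unknown hosts get zone "unknown".
    """
    alerts = []
    dests = defaultdict(set)
    for src, dst, proto in flows:
        dests[src].add(dst)
        src_zone = zones.get(src, "unknown")
        dst_zone = zones.get(dst, "unknown")
        # Traffic inside one known zone is allowed; anything else needs a conduit.
        intra_zone = src_zone == dst_zone and src_zone != "unknown"
        if not intra_zone and (src_zone, dst_zone, proto) not in conduits:
            alerts.append(("cross-zone", src, dst, proto))
    for src, seen in dests.items():
        if len(seen) >= scan_threshold:
            alerts.append(("scan", src, len(seen)))
    return alerts

# Constructed flow records, as they might be parsed from a span-port capture.
SAMPLE_FLOWS = [
    ("hmi-01", "plc-01", "modbus"),      # normal: inside the control zone
    ("plc-01", "historian", "opc"),      # normal: allowed conduit
    ("eng-ws", "historian", "https"),    # normal: allowed conduit
    ("eng-ws", "plc-01", "modbus"),      # office host reaching a controller
    ("vendor-vpn", "plc-01", "modbus"),  # remote connection touching controllers
    ("vendor-vpn", "plc-02", "modbus"),
    ("vendor-vpn", "hmi-01", "s7"),
]
print(*check_flows(SAMPLE_FLOWS), sep="\n")  # four cross-zone alerts, one scan
```

In practice the zone table would be generated from the asset inventory and the flows from a passive network monitor, so that a single mis-placed conduit rule or a new remote connection shows up as an alert rather than going unnoticed.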

Since SCADA and ICS security measures are being increased and addressed now more than ever, the following aspects must be considered for new security plans:

Authentication, Authorization, Confidentiality, Integrity and Availability

Cyber-attacks are becoming a big threat in the Internet world. With their RTUs connected to the Internet, SCADA systems are vulnerable to cyber-attacks.

The recent attacks urge the development of stronger critical infrastructure security. Imagine a worst-case scenario: malware secretly installed in numerous power plants and electrical grids that activates simultaneously; a country could be forced into an extremely vulnerable position within a few minutes.

Article By: Dana Onyshko | InformationHacker.com | Contact