Targeted attacks on industrial control systems surge

Number of attacks is small, but outcomes could be catastrophic


When most of Turkey recently went dark for 10 hours in a massive power blackout, cyber criminal activity was among the suspected causes. While terrorism did not turn out to be the culprit, an increase in targeted attacks on industrial control systems in recent years makes that scenario quite plausible.

Industrial control systems (ICS) — used in sectors such as energy, oil and critical manufacturing — had traditionally relied on passive defenses, such as architecture segmentation, firewalls and “air gapping” embedded devices.

But as the number of Internet-facing embedded devices and control systems rises, so does the number of targeted attacks by cyber criminals.


“Over the last couple of years, we’ve seen the development of a focused effort to attack industrial control systems, and attackers are more aware of industrial control system protocols, components and exploits,” says Michael Assante, training lead for ICS and SCADA (supervisory control and data acquisition) security at the SANS Institute.

He says that while most attacks on these systems are still nontargeted, cyber criminals are increasingly honing their techniques to hack ICS, including through traditional methods such as watering hole attacks, spear phishing and trojanized software.

Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 245 incidents in fiscal 2014, a third of those in the energy sector. (Many more incidents go unreported, according to ICS-CERT.) Of the reported incidents, 55 percent involved advanced persistent threats or sophisticated actors.

The number of attacks is small compared to typical cyber incidents, but their potential outcomes are much more catastrophic.

“The motivation of the people targeting industrial control systems are often completely different from the vast majority of hacking that happens on the Internet,” says Kurt Stammberger, senior vice president of market development at Norse Corp., a security company that provides live attack intelligence via 8 million sensors deployed across the Internet.

“Typical hacking is profit- or revenge-driven, but something targeting industrial control systems has a much more scarier motivation behind it,” he says.

Outdated technology

Unlike typical computers and operating systems, embedded devices used in industrial control systems don’t update every two to three years. The majority of the devices are five to 10 years old, built in the days when security was not a major concern.

“A lot of the systems have no capabilities to handle updates online, and even if patches exist, they have to be applied manually,” Stammberger says.

The variety of hardware architecture, operating system platforms and communication protocols is adding to the complexity of monitoring those systems.

“Because they’re so heterogeneous, it’s hard to have a one-size-fits-all security protocol,” says James Blaisdell, world-renowned expert on embedded security and CTO of Mocana, a security company specializing in smart connected devices.

Plethora of exploits

While targeted attacks on industrial control systems often are highly customized, the actors — frequently sponsored by nation-states — are using many of the usual techniques.

A watering hole attack, for example, can be used on a website of a vendor, infecting the computers of top engineers when they go to download a product spec sheet. Spear phishing can be used to attack the general business network and understand the target, then infiltrate the ICS.


“Because we’re seeing more control systems on the Internet, you can use general scanning techniques to identify and fingerprint control systems,” Assante says. “You can quickly identify if it’s a vulnerable version and may already have an existing exploit, or you can weaponize your own exploit.”

Even basic tools like advanced Google searches can be used to look for these devices. And hackers are smart — they look for the easiest way to get in, Blaisdell says.

“Some of the attacks are real trivial,” he says. “They don’t have to work hard to get in.”

Blaisdell notes that oftentimes, attacks on ICS are collateral damage. A bad actor may be hacking into a television set at a lab, for example, and not even know it.

“They think they’re attacking a PC but they’re actually attacking a device,” he says. “They can take over the system and have it join a botnet … and it can cause unintended consequences.”

Long way to go

There are encouraging signs that the industry is moving in the right direction. Blaisdell, for example, says Mocana is working with many clients who are taking a security-first approach with their devices.

And Assante is seeing an increased interest across industries in the SANS ICS security curriculum. He points to the oil industry as an example.

“They’re putting together industrial control systems security teams, with both information security folks and engineers, and making them available to the assets,” he says.

But across the board, the amount of funding allocated to cybersecurity is slim. In a 2014 survey of 268 respondents from the ICS sector, SANS Institute found that 30 percent of organizations are only allocating 1 percent to 5 percent of the corporate budget to cybersecurity.

At the same time, the survey found that the number of suspected security breaches has increased to 40 percent, from 28 percent in 2013.

“In general, the industry is underinvesting in security and not moving quickly enough to cultivate the talents and tools we need for this problem,” Stammberger says. “We’re losing this fight, and we’re losing this fight in a big way, fast.”
