Posted by: Katherine Brocklehurst on February 22, 2017
Industrial control systems (ICS) are the workhorses of our physical world, and they are becoming more internet-connected, more virtualized in many cases, and more remotely accessible by the day. Gartner Research indicates 5.5 million devices were added per day in 2016, a pace that leads to an estimated 21+ billion internet-connected “things” running our world by 2020.
Security experts worry that the growing dependence on internet-connected devices is outpacing our ability to secure them. This is particularly true within industrial and critical infrastructure because cyber threats could result in physical disruption, loss of availability and even risk to public safety.
On the other hand, many ICS professionals continue to feel that the actual threat to plant operations and industrial automation is slim given highly purpose-built industrial equipment, specialized communications protocols, air gaps and unique automation systems and processes. Unfortunately, that’s not what the data shows.
This chart offers a snapshot of which sectors experienced cyber security incidents in 2015. Critical manufacturing, energy, transportation and water sectors were most affected. Source: NCCIC/ICS-CERT Year in Review, 2015 (page 19)
As some say, “offense informs defense,” so let’s examine a recent industrial incident and then summarize some useful lessons learned.
An unnamed water district, dubbed the Kemuri Water Company (KWC), experienced unexplained patterns of valve and duct movements over a period of at least 60 days, as described in Verizon’s 2016 Data Breach Digest. It was discovered that attackers were manipulating the chemicals used to assure safe drinking water and altering the water flow rates, causing disruptions to water distribution. Many other activities went unnoticed, including theft of more than 2.5 million unique data records, until Verizon’s forensic investigation started.
In this case, safety was at risk, but luckily physical harm didn’t happen because alert functionality caught the chemical and flow control issues. Also, it appeared that the outside attackers who gained access were likely “hacktivists,” who are usually not motivated by financial gain.
Take a look at how KWC set up its network in the diagram pictured below, as depicted in the 2016 Verizon Data Breach Digest. Can you tell where they went wrong? (Here’s a hint: note the seven red callout buttons.)
Verizon’s forensic investigation found that three known threat actor IP addresses had gained access multiple times to the water district’s OT and IT assets, including:
KWC had multiple foundational security control weaknesses or exploitable vulnerabilities that Verizon said made them a great candidate for easy hacking:
It’s easy to believe “it could never happen to us.” However, noting the weak or absent foundational security controls in the Kemuri analysis gives pause to consider what your environment holds. You may not realize similar risks are probably present to some degree.
Maybe it would be a stretch to catch plant engineers or contractors charging their phone or tablet on your PLC or HMI USB ports or allowing a contractor or family member wireless access from the hidden router in the back room.
However, most security practitioners recommend taking a risk-based approach to address your specific site through a third-party cyber security assessment.
Do you think any of these risks (and others) could be present in your environment, increasing cyber security risks more than you know? Belden’s industrial cyber security solutions from Tofino Security, Tripwire, GarrettCom and Hirschmann are integrated and can help your organization detect, prevent and respond.
Contact us at firstname.lastname@example.org if you’d like to talk to one of our industrial cyber security experts.