Our last blog, contributed by Thomas Nuth, highlighted the fact that industrial cyber security is now being discussed by heads of state within the international community - the Executive Order – Improving Critical Infrastructure Cybersecuritysigned by President Obama in February of this year being just one indication of the importance being attached to this issue.
Let’s continue the discussion...
In the past, the main reason for securing a SCADA/ICS network was to protect against inadvertent network incidents or attacks from insiders. The risk of an external malicious cyber-attack was considered minimal.
And then we witnessed the rise of global terrorism in the new millennium - and the disclosure of Stuxnet. In 2010, Stuxnet was successfully introduced into an apparently ‘air-gapped’ facility with the intent to destroy an industrial process. As I discussed in my blogs on Stuxnet, the worm used multiple methods to infiltrate the target site, the most famous of which was the use of a USB key. Its discovery had multiple effects:
1. The ‘bad guys’ switched their attention to industrial systems.
Stuxnet’s fame drew attention to the existence of industrial systems and devices. It also made it clear how insecure they really were. In 2011 more industrial control system (ICS) vulnerabilities were made public(many with exploit codes available on the internet), than in the entire previous decade. In 2012 there were even more vulnerabilities. 2013 shows every sign of breaking records again.
2. New advanced persistent threats targeting industry began to emerge.
Stuxnet wasn’t the first advanced persistent threat (APT), but it was the first to focus on industry. As well, it was so well dissected by security experts that it became an “APTs for Dummies” cookbook on how to write attacks that target industrial companies.
Most recent APTs have focused on industrial espionage to steal business information from the energy industry, but others like Shamoon (which was not all that ’advanced’ or ‘persistent’) have been successful at destroying large computer systems. Expect to see lots more APTs being discovered in the next few years. And if we don’t see more, it is likely due to the fact that we haven’t found them yet, not that they don’t exist. After all, industrial-focused APTs are clearly effective for their creators, so why would they stop creating them now?
3. Low-grade cyber “warfare” goes mainstream.
Stuxnet has been widely attributed to a joint U.S./Israeli project to destroy Iran’s uranium enrichment program. Its existence has given tacit approval to other nations and political groups to use cyber-attacks as a form of undeclared warfare. Most recently, we have seen large scale attacks on South Koreathat have been attributed to North Korea.
My advice? If you have critical industrial facilities in any politically sensitive region (such as the U.S., the Middle East or the Far East), now is the time to renew your cyber security efforts.
Stuxnet’s design provided a ‘toolkit’ for other sophisticated malware. Image Credit: Black Box Network Services Canada
While the threat has increased significantly, the opportunity to connect to a SCADA or ICS system has too. In the good old days, industrial networks ran on proprietary networks, used proprietary equipment, and were isolated from business networks and the internet. This was the era of both ‘security by obscurity’ and ‘security by air gap’ (if you are a regular reader of my blog, you’ll know my views on the air gap theory!).
But over the last decade, things have changed. Industrial networks have migrated from proprietary systems to commercial off-the-shelf technology like Ethernet, TCP/IP and Windows. What’s more, today’s industrial systems require a constant stream of updates from the outside world. There’s no denying it – the industrial floor is no longer isolated.
It’s also true that devices such as programmable logic controllers (PLCs) and distributed control systems (DCS) were designed with a focus on reliability and safety, rather than security. This makes many of them, particularly older units, easy to exploit. And the protocols that SCADA and ICS use to communicate are no different – designed to be reliable and easy to troubleshoot, most protocols lack even the most basic security features like authentication. As the Tofino test team likes to say, “If you can ping it, you can own it”.
Today it is clearly a game with the advantage going to the attacker – millions of decades-old systems that were never designed to be secure, increasing connectivity of SCADA and ICS, and a growing library of free tools and techniques to attack SCADA and ICS.
Can our critical infrastructure weather the storm? Image Credit: Archival Photography by Steve Nicklas, NOS, NGS [Public domain], via Wikimedia Commons
It’s evident then that there’s no simple solution to securing our critical infrastructure. The process is going to take a lot of time and effort - and very careful planning. But regardless of the pain points involved, investing in industrial network security is not only responsible, it’s necessary for any mission critical application.
If our heads of state are taking this issue seriously then so should industry.
I’d love to hear your views on this topic. Do you think we are taking the subject of industrial cyber security seriously enough? Have we made any progress?