A Critical Threat
Attacks on critical national infrastructure are a growing concern, not just the banking and civil infrastructure, but also control systems used in the physical delivery of services. This is set to become even more of a problem as SCADA systems become internet enabled, reports Kate O'Flaherty
Andrew Rogoyski, head of cyber-security, CGI.
Believed to have been perpetrated by a nation state, and most likely the US and Israel, the attack on Iran's nuclear plants demonstrated the level of damage that can be done with relatively little effort. Though the worm was sophisticated enough to hide its disruption by ensuring that the operators' monitoring data continued to show everything was normal, when that was not the case.
Another large-scale attack took place last year, when hackers manipulated and disrupted control systems in a German steel mill, making it impossible to safely shut down a furnace.
The ease with which critical infrastructure can be penetrated is leading to an increase in malware targeting control systems. The Flame Trojan was discovered in 2012, while in 2014 a variant of remote access Trojan Havex emerged with the ability to target supervisory control and data acquisition (SCADA) systems.
Therefore, insecure SCADA devices are a growing concern for firms running critical infrastructure. These systems were not designed with security in mind, which opens up a multitude of risks when they are connected to the internet.
According to a recent report by Dell Security, this has resulted in an increase in the number of criminals targeting SCADA. The report found that attacks had more than doubled from 2013 to 2014, with the majority of these targeting Finland, the UK and the US - countries where a growing number of SCADA systems are internet-connected.
A global issue
The risk is fuelling legislation across the globe. The US has passed laws that are designed to protect its national infrastructure through new technology and information sharing. Germany is looking at specific legislation, while the UK is keen to create awareness in the area. Meanwhile, in Europe, the cyber-security directive aims to expand breach reporting for companies involved in critical national infrastructure.
Critical national infrastructure was previously defined as companies dealing with communications, transport, water and energy. But the area for attack is widening, says Andrew Rogoyski, head of cyber-security at consultancy firm CGI. “Now it also spans financial systems, healthcare and the food supply chain.”
According to Rogoyski, penetrating such systems can do significant harm with “relatively little effort and cost”. He says: “Shutting down a power grid using a small team of hackers, rather than physical means, is much easier.”
This makes the area particularly attractive for nation states: many attacks on SCADA systems - including Stuxnet – are mentioned as being motivated by political means.
It is possible countries are already testing each other's infrastructure for weaknesses, experts have told SC Magazine UK. Of the nation states, China is known to be capable and have scale, while the Russians are increasingly sophisticated in the cyber-space.
OUT OF CONTROL?
Control systems are under cyber-attack – from power plants to steel mills, and even the Large Hadron Collider at CERN – but most of these devices were never meant to be connected to the internet. They need even more protection than computer systems – often using the same approach, as Tony Morbin discovers
When the Higgs Boson was discovered using the Large Hadron Collider, tabloid headlines screamed that the universe could be destroyed in a cosmic death bubble. Another case of inappropriate sensationalism of course, otherwise Dr Stefan Lüders, CERN computer security officer, Head of Computer Security, European Organisation for Nuclear Research (CERN) could have claimed to be protector of the universe or canny in its end.
Instead, he has a genuinely vital role defending one of the largest, most sophisticated and interesting bits of scientific experimental kit in the world.
And rumours about the end of the world? Just a misunderstanding of Steven Hawking's suggestion that the Higgs potential could become metastable and the universe undergo catastrophic vacuum decay, with a bubble of the true vacuum expanding at the speed of light. Not the CISO's problem.
Even though an attack on CERN won't result in the end of the universe, it has enough publicity value for the complex to endure more than its fair share of attacks.
Real world things, specifically control systems, tend to be more vulnerable than computer systems, simply because they weren't designed with security in mind. Why is that?
Lüders explains: “It's because there has been a revolution as we have moved away from proprietary hardware and control systems to more IT-based systems, taking the cherries from the IT world cake: Windows PCs, data storage, HMIs, TCP/IP for communications, web protocol, emailing – because there is a use-case for them. However (despite the benefits), there was no incentive to look at the security side because the old paradigm was – we have an air gap, we're disconnected, everything is proprietary, obscure, nobody will hack us. But this is no longer the reality.”
Today there are tools such as SHODAN scanning for SCADA control systems on the internet, (https://icsmap.shodan.io), and there are attackers specifically looking for vulnerabilities in control systems. Lüders suggests that the biggest problem is how to create incentives for software vendors and control system vendors to create more secure products.
Yet Lüders doesn't blame the vendors for not putting in security – abuse was never an issue, apart from physical sabotage, because the systems were isolated. Now there are layers of connectivity and you have to ask not only what is the use case for your device, but what are the possible routes for abusing the device, and how do you mitigate or prevent that?
One of the solutions CERN uses to secure its vast range of complex control systems is to delegate a lot of responsibility for security to the people who are managing those devices, with Lüders commenting: “The expertise is with the control system experts – making them responsible for their security has benefits because they know the system best. Some control experts will forego some efficiency and availibility of the controls process and put security second or third. Risk is owned by the management which sets the parameters of what is acceptable – so at CERN the accelerator management is responsible for that sector and Lüders ensures they know what the risks are, so they can judge whether to invest in more secure control systems or not.
Lüders concludes that the revolution whereby control systems sucked in IT technology, now needs them to suck in IT security methods and apply the same means to secure the control systems – looking at software development life cycles, penetration testing, vulnerability scanning, agile patching where possible, using similar access controls and protection as used in the IT world.
On the human side this means bringing together the IT and Control System departments, as similar technologies apply on both sides. So where can you benefit – do you still need your own control system network team? Lüders comments: “At CERN our network is run by one group – the requirements are the same so we use the same team – I don't believe CERN is special in this regard.”
So the advice is, ask the same questions about how to secure control systems that you would ask when securing the computer centre – take account of their differences but treat both the same – how to guarantee availability, how to protect yourself without creating inefficiencies, making the same risk assessment – what are the different threat scenarios, who can attack the control systems. Now you need to ask what are the possible routes for abuse and how do you prevent or mitigate them? For a CISO it's the same toolkit as used for a computer centre. And talk to the control system experts who know the system best.
*Part of this interview with Dr Stefan Lüders has appeared in SC online.
But the US is also known to have elite cyber-capabilities, says Rogoyski: “The US is sophisticated: it has scale and owns much of the IT industry.”
Industrial control systems are vulnerable because generally they use proprietary hardware, software or legacy operating systems that are no longer supported. “Some were designed before the age of networks, when security involved nothing more than access control,” says Florian Malecki, international product director, Dell Networking Security. “Therefore, it has no mechanism for authentication, or for ensuring data integrity and confidentiality.”
Malecki explains: “Most SCADA systems are vulnerable to network attacks that work by exploiting weaknesses at protocol level. SCADA systems management terminals connected to a network, particularly an external one, are exposed to the usual threats associated with malicious software downloaded by a user who has clicked on a link, or opened an email attachment, or an infected file on removable media.”
Therefore SCADA systems are arguably more vulnerable than enterprise networks, says Ross Brewer, vice president and managing director of international markets at LogRhythm. “Much of the existing infrastructure was developed and implemented prior to the wide uptake of the internet and so their protection was based on securing physical aspects of these critical systems. A lot of SCADA devices employ extremely basic - and easily defeated - authentication methods, transmitting data in clear text, with many cyber-assets operating on old and vulnerable code bases.”
Dai Kennett, security consultant at Context Information Security, agrees: “The lack of understanding of security within our industrial processes and the rate at which new technologies are being introduced are not symmetrical. This has created a wide gap, ripe for exploitation.”
One way of exploiting and controlling a device is through buffer overflow attacks. Kennett explains: “The operating system underneath will often be using real-time systems, which can forego modern defence mechanisms such as ‘address space layout randomisation', a technology used to help prevent shellcode from being successful; and ‘data execution prevention' - which prevents certain memory sectors from being executed.”
However, Kennett says that complex buffer overflow attacks are “unnecessary” in the current threat landscape. “Simple and archaic packet replay attacks are just as effective and can be used by even a novice attacker.”
Lack of intelligence
The problem is elevated by the lack of intelligence built into devices, says Clive Longbottom, analyst at Quocirca. This is made worse by the lack of true standardisation around how ‘Internet of Things' (IoT) SCADA devices are being brought to market.
He warns: “A black hat with knowledge of one vendor's product line can easily break into their devices using API calls or faults in coding. This would not be the case if the industry had come up with a full and agreed standard around how these devices should operate and interoperate.”
Additionally, says Brewer, the nature of SCADA systems sees them deployed and controlled across wide area and local area communication links, fuelling the risk further. “These systems are often dispersed across a variety of geographic locations, such as field sites, control rooms at processing facilities and control centres. Point security solutions, including anti-virus, simply don't offer the required protection.”
Adding to complexity, the life cycle of SCADA-type devices is particularly long: they are often in use for over 10 years. The older the operating system, the more vulnerability, the easier it is to exploit, says Benny Czarny, CEO and founder, OPSWAT.
“SCADA systems are put into place to sometimes last decades,” says Rogoyski. “So you get technologies that are out of date and not maintained as they should be - and you get people making mistakes when patching them. I've seen telemetry systems out in the field and connected to the equivalent of a mobile phone.”
Fixed line or mobile networks can be secured reasonably well, says Rogoyski. But attacks on energy companies are often perpetrated via spear-phishing with “booby-trapped emails loading malware onto the IT systems and accessing data”.
Managing the threat requires a thorough and wide-reaching approach. Security needs to be part of business planning: firms must do a risk analysis and ensure they are doing security testing - as well as monitoring existing systems, Dr Klaus Kursawe, chief scientist at the European Network for Cyber Security, says. “The hard part is to find a way to make the effect of security measurable to build a solid business case: managers hate to spend large amounts of money without having any measurable outcome,” he adds.
Overall, experts agree that monitoring is key to control systems' security. Securing SCADA requires a centralised system that can provide visibility across all IT network activity in real time, says Brewer. “Such continuous monitoring of all the data generated by systems enables security teams to automatically identify anomalous activity and react as quickly as possible. A centralised system can correlate events and provides key intelligence detailing the threats that pose a risk and need a fast response.”
Amol Sarwate, director of vulnerability labs at Qualys, advises implementing proper access control, making sure that necessary patching processes are in place and followed, and says that removing debug services “will help minimise risk”.
Firms must ensure that they have a strict user account management policy, Malecki agrees, adding: “This advice may seem obvious, but it is vital to change default passwords immediately after an attack.”
In addition, says Malecki, firms should identify behaviour that puts systems at risk ensuring they are updating operating systems, applications, and firmware.
“These are very targeted attacks, impacting a niche industry,” Malecki says. “However, with many software vendors leaving large timeframes between update patches, it requires internal IT teams to ensure they go above and beyond to protect the network and data.”
Rogoyski underlines the importance of asset management: businesses should know where devices are and what they are connected to.