Political SCADA attacks on the rise - or are they?

The latest Global Threat Report from Dell Security reveals that attacks against SCADA systems have doubled in the last year - with most regarded as political.


Released earlier today, the report takes in network and telemetry data from Dell SonicWall customers across 200 countries, and its headline findings include that cyber-criminals are increasingly reliant on SSL/TLS encryption, are working on new and emerging Point-of-Sale (POS) malware and have also taken to attacking supervisory control and data acquisition (SCADA) systems.

On the latter, Dell Security says that attacks had more than doubled in the year from 2013 to 2014 with the majority of these targeting Finland, the UK and the US - countries where an increasing number of SCADA systems are internet-connected.

Researchers at the firm say that hackers would commonly look to exploit buffer overflow vulnerabilities in attacks which “tend to be political in nature as they target operational capabilities within power plants, factories and refineries.”

“Since companies are only required to report data breaches that involve personal or payment information, SCADA attacks often go unreported,” said Patrick Sweeney, executive director of Dell Security, in a statement. “This lack of information sharing combined with an aging industrial machinery infrastructure presents huge security challenges that will continue to grow in the coming months and years.”

Robert Miller, head of smart energy at MWR InfoSecurity, told SCMagazineUK.com that it was hard to tell if there has been an increase in attacks – or an increase in detection. Other commentators shared this view, with one source, who wished to remain unnamed, saying that while there has been a growing interest in politically motivated SCADA attacks, these are ‘impossible’ to monetise and thus only looked into seriously by “kiddies and seasoned black hats”.

“These findings could be interpreted as an increase in attacks or an increase in their detection,” said Miller. “An increase in attacks is consistent with other groups' findings and is attributed to not only the increase in interest from various threat groups, but also the increasing connectivity of SCADA to traditional IT networks and the internet.

“The detection of such attacks is an important sign that SCADA-dependent businesses are beginning to look beyond just building in preventative measures, such as air-gaps, but are also now looking into greater defence in depth such as intrusion detection. If an attacker is advanced enough then they will find a way into part of a system. The goal of modern SCADA security is to build a network that isn't impervious to intrusion, but maximises the chances of slowing and detecting the intrusion, and then having the right tools and training to deal with the attack accordingly before it advances to any critical assets.”

Elsewhere in the report, Dell Security reports that there had been a 333 percent increase in POS malware signatures in 2014 (up from three to 14), with most of these being used to hit the US retail sector. Dell threat researchers also observed a change in POS malware tactics.

“Malware targeting point-of-sale systems is evolving drastically, and new trends like memory scraping and the use of encryption to avoid detection from firewalls are on the rise,” said Sweeney. “To guard against the rising tide of breaches, retailers should implement more stringent training and firewall policies, as well as re-examine their data policies with partners and suppliers.”

Kevin Williams, general manager of TC-UK and formerly of the National Crime Agency, told SC that criminals continue to innovate with POS malware.

“We have seen the use of malware and intrusion of POS devices and supporting networks on an industrial scale, this industrialisation of their methodology shows that the criminals are collaborating and innovating constantly,” he said.

“There is a market for the sale of financial and personal identifiable information (PII) in the underground market. There is a need for criminals to exploit this at speed in order to gain greatest advantage before the potential victim is aware of the theft.”

The Global Threat Report also revealed a 109 percent year-on-year rise in the volume of HTTPS web connections in early 2015, with hackers seemingly exploiting TLS/SSL encryption to evade enterprise firewalls. In addition, threat researchers predict that more organisations will enforce policies with two-factor authentication in the coming year, resulting in more attacks, while there will be more sophisticated Android malware, as well as variants that target wearables, televisions and even electric vehicles.