Why companies using SCADA systems need to wake up to the increased threat of cyber-attacks

Ukraine's power supply suffered one of the most high-profile targeted cyber-attacks on infrastructure ever, but the route in, via phishing, is one of the oldest, emphasising the need for increased staff awareness, says Mark Logsdon.

Mark Logsdon, cyber resilience expert, AXELOS

Late last year, the media reported on a co-ordinated, multi-faceted attack on the Supervisory Control and Data Acquisition (SCADA) systems used by a Ukrainian power company. The attack plunged the homes of more than 80,000 people into darkness at Christmas, sparking international interest and condemnation.

Since the attacks, we have learned more about the incident and the alleged attackers. It appears to have been the work of a group that used highly destructive malware to gain a foothold in multiple regional power distribution companies in Ukraine. Beyond simply causing an outage, there is evidence that the group managed to significantly delay attempts to restore the network, prolonging the impact of the incident.

Supervisory Control and Data Acquisition (SCADA) is a class of industrial control system used to monitor and control processes that exist in the physical world. Examples range from raising and lowering the Thames Barrier to controlling energy generation and distribution networks (including nuclear plants), traffic systems and rail networks all over the world. It is not hard to recognise that the impact of a cyber-attack on these systems can be huge, and that a successful attack would be an attractive goal for both individual hackers and state-sponsored organisations.

SCADA has been around for many years, and when it was developed security was not at the forefront of the developers' minds; cyber-security simply was not the issue it is today. Indeed, it was first developed at a time when networks as we know them today did not exist. Very few people were even aware of the existence of SCADA, let alone of any vulnerability in its code: security was, in effect, security through obscurity. Beyond that, physical access to the hardware that ran SCADA was difficult if not impossible. Networks, and access to them, were not widespread, and the equipment was often installed in remote and inhospitable environments, even on the sea bed. The attack surface (that is, the exposure to a potential attacker), and therefore the likelihood of an attack, was historically very small.

So what has changed? Over the last ten years knowledge of SCADA has become far more widespread; one can even find demonstrations of SCADA attacks on YouTube. Furthermore, it has become ever more pervasive in our everyday lives. It is used to control rail networks, traffic systems, air conditioning and fire suppression systems.

A more significant shift has been the change in the attack surface of SCADA systems. The need to control them remotely, and the cost of bespoke networks, have meant that many are now connected to the internet and linked to cloud services and other proprietary technologies that come with a myriad of vulnerabilities of their own. The size of the attack surface has therefore massively increased. The result is something of a perfect storm: an attractive, high-impact target with a large attack surface, combined with an increasing availability of cheap and easy-to-deploy exploits.

It looks as though the attack on the Ukrainian power systems began as a prime example of a phishing attack. An employee inadvertently ignored best practice and opened an email attachment he or she should not have. By most estimates, around 90 percent of successful intrusions rely on a user: attackers use phishing, social engineering or a combination of the two, and these typically require the recipient to click on a link, open an attachment, or innocently give up a sensitive piece of information. The phishing email was the root cause of this incident; stop it and the attack fails at its first step. The most effective way of stopping phishing, and thus many cyber-attacks, including ones on SCADA, is an effective awareness programme, backed by controls that limit what a single compromised workstation can reach.
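The three lures listed above (a booby-trapped attachment, a link that reads as one site but points at another, and a sender posing as a colleague) can be screened for mechanically before a message reaches an inbox. The following is an added example and is not code from the original article or from any of the organisations it mentions; the article does not say what the Ukrainian lure looked like, so the sample message, the operator domain `example-power.test`, and the list of risky extensions are all constructed for illustration.

```python
"""Screen an inbound message for three classic phishing tells: an attachment
that executes when opened, a link whose visible text names one host while its
href points at another, and a sender that pretends to be internal. Added
example; the sample message, the operator domain and the extension list are
constructed assumptions, not data from the article."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-power.test"   # hypothetical operator domain
# Extensions that execute or carry macros when opened from a mail client.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk",
             ".docm", ".xlsm", ".pptm"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,})\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachment_findings(msg: EmailMessage) -> list[str]:
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Check every extension, so "schedule.pdf.exe" is still caught as .exe.
        exts = {"." + e for e in name.split(".")[1:]}
        if exts & RISKY_EXT:
            findings.append(f"risky attachment: {name}")
    return findings


def link_findings(msg: EmailMessage) -> list[str]:
    findings = []
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return findings
    for href, text in HREF_RE.findall(html.get_content()):
        target = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(1).lower() != target:
            findings.append(f"link shows {shown.group(1)} but points at {target}")
    return findings


def sender_findings(msg: EmailMessage) -> list[str]:
    findings = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    # Display name drops the trusted domain while the real address is elsewhere.
    if INTERNAL_DOMAIN in name.lower() and _domain(addr) != INTERNAL_DOMAIN:
        findings.append(f"display name claims {INTERNAL_DOMAIN} but address is {addr}")
    _, reply = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != _domain(addr):
        findings.append(f"Reply-To {reply} differs from From domain {_domain(addr)}")
    return findings


def screen(raw: bytes) -> list[str]:
    """Return every finding for one raw RFC 822 message; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return attachment_findings(msg) + link_findings(msg) + sender_findings(msg)


def build_sample() -> bytes:
    """Constructed lure combining all three tells; not a real captured message."""
    m = EmailMessage()
    m["From"] = f"IT Support {INTERNAL_DOMAIN} <support@ex4mple-power.test>"
    m["Reply-To"] = "helpdesk@free-mail.test"
    m["To"] = f"operator@{INTERNAL_DOMAIN}"
    m["Subject"] = "Updated outage schedule"
    m.set_content("The revised schedule is attached.")
    m.add_alternative(
        '<p>Or open it at <a href="http://ex4mple-power.test/login">'
        f"{INTERNAL_DOMAIN}/portal</a></p>", subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="schedule.pdf.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in screen(build_sample()):
        print(finding)
```

Run as a script it prints the four findings for the constructed sample; `screen()` can be pointed at any `.eml` read as bytes. The checks are deliberately cheap heuristics of the kind a mail gateway applies: they catch the common tells a trained employee is asked to spot, but an attacker who uses a benign-looking document with a macro, or a look-alike domain that appears in both the text and the href, will pass them, which is why awareness training and technical controls are complements rather than alternatives.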

Although investing in progressively more expensive and complex technological security systems will make a difference, nothing is more important than ensuring that all employees, regardless of their role or status, exhibit good online behaviour and are able to identify risks before a single mistake allows an attacker to infect your systems, damage your organisation and potentially affect the lives of thousands of people. Educating your workforce should be a key part of your resilience strategy, particularly when the technology your organisation relies on is becoming more and more of a target.

This extends from the top to the bottom of the organisation. Everyone in your business needs to be aware of the risks the organisation faces. For owners or operators of critical national infrastructure this is even more vital. These landmark attacks in Ukraine may herald a new era of infrastructure attacks, and to prevent the lights going out more often, organisations need to invest urgently in their resilience.

Contributed by Mark Logsdon, cyber resilience expert, AXELOS