Foreboding headlines frequently scream out at us about the poor security posture of critical national infrastructure (CNI) firms. The latest concerned a Unisys study which claimed that a staggering 70 percent of such organisations had suffered a breach in the past year, and that a further 78 percent of senior security officials at CNI firms believed a successful attack on their ICS and SCADA systems was likely in the next 24 months. In the interest of balance, however, I'd like to present an alternative view: not that these firms and systems aren't at risk, but that the size of the threat is at times overstated.
Let's take the most famous example of an attack on industrial control systems: Stuxnet. Yes, this sophisticated worm managed to infiltrate the Natanz nuclear facility in Iran and, by all accounts, caused significant physical damage to the centrifuges at the plant. But it is a very isolated example: a highly targeted attack which required huge resources in planning and execution, most likely from one or more nation states.
A nation state might conceivably do this kind of thing again, but it will be an incredibly rare occurrence, for the reasons given. As for rogue states and terrorists, the return on investment is simply not compelling enough to bother targeting SCADA, ICS or PLC systems. Imagine if a North Korea or an Al Qaeda-like group wanted to make a statement to the world by shutting down a nuclear reactor at a UK plant, for example. Even if they were successful with such an attack, Downing Street would claim another, more innocuous, reason for the “incident” to avoid panic. From a publicity perspective, planting a bomb on the Underground would be a far more effective tactic for rogue elements like these.
So what about financially motivated cybercriminals? Yes it's technically possible to blackmail a CNI firm by infiltrating and disrupting its industrial control systems, but there are far easier and cheaper ways to make money. Infamous banking Trojans are available online in many underground forums, as are toolkits to launch a wide variety of anonymous, mostly risk-free attacks which could net the cybercriminal a tidy sum.
There is an incredible diversity of industrial systems, sensors and devices out there, a fact which further discourages would-be attackers by making it more expensive to develop malware and launch attacks: an exploit written for one vendor's PLC or HMI rarely transfers to another's. There is also usually a "human overlay" with such systems, operators watching the process and able to intervene manually, which adds to the difficulty of achieving a successful result.
All of this is not to say, of course, that everything is OK in the world of CNI security and industrial control systems – far from it. Even if the motivation for attacks isn't really there yet, as I've discussed above, this might change over time. In fact, a Trend Micro researcher last year developed a sophisticated, internet-facing honeypot architecture to mimic such systems. He found it took just 18 hours for the first sign of an attack and after one month a total of 39 were observed.
So what should CSOs in CNI firms be looking to do to minimise the risk of a successful attack? Well, there are several basic steps which would make industrial systems more robust, not least disconnecting them from the internet unless they absolutely have to be online. It's also basic best practice not to continue using XP (whose vendor support ended in April 2014) or old versions of Windows Embedded. Upgrade to the latest, most secure versions or even ditch Windows altogether. Out-of-the-box products and platform monocultures are attractive to hackers because they can reuse attacks on many different targets, so think about building a bespoke Linux system instead, bearing in mind that a bespoke system also makes its hardening and patching your own responsibility.
Patching is also an obvious step. It can be more difficult with industrial systems where uptime often needs to be 24/7/365, but there are ways and means, such as scheduling patches into planned maintenance windows and testing them on a staging system first. Security testing is another no-brainer; many of these systems were brought into service decades ago when security was not a primary concern, so they need to be assessed and upgraded for operating in 2014 with all the added risks this brings.
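The steps above (isolate from the internet, retire end-of-life Windows, patch, test) can be turned into a repeatable check. The script below is an added example written for this piece, not code from the author or from Trend Micro: it audits a constructed asset inventory and ranks findings by severity. The ICS port list covers well-known protocol assignments; the end-of-life OS list, the 90-day patch threshold and every host in the sample inventory are assumptions made for the example.

```python
"""Audit an ICS asset inventory against the basic hardening steps above.

Added example: the inventory, the end-of-life OS list and the patch-age
threshold are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Well-known ICS/SCADA protocol ports, used to recognise control-system services.
ICS_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Operating systems treated as end-of-life for this audit (assumption for the
# example; in practice maintain this list from the vendor's lifecycle data).
EOL_OS = ("Windows XP", "Windows Embedded Standard 2009", "Windows 2000")

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Asset:
    name: str
    os: str
    open_ports: list
    internet_reachable: bool
    last_patched: date
    online_justified: bool = False  # documented business need to be internet-facing


@dataclass
class Finding:
    asset: str
    severity: str
    reason: str


def audit_asset(asset, today, max_patch_age_days=90):
    """Apply the hardening checks to one asset and return its findings."""
    findings = []
    if asset.internet_reachable:
        # A control protocol reachable from the internet is the worst case,
        # whether or not someone has signed off on the host being online.
        for port in asset.open_ports:
            if port in ICS_PORTS:
                findings.append(Finding(asset.name, "critical",
                                        f"{ICS_PORTS[port]} reachable from the internet"))
        if not asset.online_justified:
            findings.append(Finding(asset.name, "high",
                                    "internet-reachable with no documented need; isolate it"))
    if asset.os.startswith(EOL_OS):
        findings.append(Finding(asset.name, "high",
                                f"end-of-life OS ({asset.os}); upgrade or replace"))
    age_days = (today - asset.last_patched).days
    if age_days > max_patch_age_days:
        findings.append(Finding(asset.name, "medium",
                                f"last patched {age_days} days ago (threshold {max_patch_age_days})"))
    return findings


def audit_inventory(assets, today, max_patch_age_days=90):
    """Audit every asset and return findings ordered by severity, then host."""
    findings = []
    for asset in assets:
        findings.extend(audit_asset(asset, today, max_patch_age_days))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.asset))
    return findings


# Constructed sample inventory and reference date (not real hosts).
TODAY = date(2014, 6, 1)
SAMPLE_INVENTORY = [
    Asset("plc-boiler-01", "Embedded firmware 3.2", [502], True, date(2013, 11, 4)),
    Asset("hmi-control-room", "Windows XP Embedded SP3", [3389], False, date(2014, 5, 20)),
    Asset("historian-01", "Windows Server 2012 R2", [443, 1433], True, date(2014, 5, 28),
          online_justified=True),
    Asset("eng-workstation-02", "Windows 7", [445], False, date(2014, 1, 15)),
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY, TODAY):
        print(f"[{f.severity.upper():8}] {f.asset}: {f.reason}")
```

On the sample data the PLC with Modbus exposed to the internet comes out first, the XP-based HMI is flagged even though it is not internet-reachable, and the historian, which has a documented reason to be online and carries no control protocol, produces nothing. The severity ordering is the point: the isolation step is cheap and removes the worst findings outright, so it belongs at the top of the list.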
Finally, we should all be looking to the government for a guiding hand. It's not called critical infrastructure for nothing – the effects of an outage or security incident could be far reaching for the UK. That's why this industry needs to be regulated, just as the car and aviation industries are. Firm guidelines would not be difficult to draw up but they would go a long way to reducing insider and external threats.
Then perhaps those horror story headlines will finally become a thing of the past.
Contributed by Raimund Genes, CTO, Trend Micro