In 2010, the Stuxnet computer worm was identified as the first cyber-weapon that attacked one particular target. Stuxnet was aimed at SCADA systems, used for supervisory control of industrial processes. The malware was developed to spy on and reprogram industrial systems while camouflaging its modifications. The nature of the industrial systems concerned caused alarm among IT managers.
Stuxnet uses a sophisticated attack strategy. Beginning with self-replication via removable media, worms are circulated across the network via zero-day flaws in Windows Print Spooler and remote execution services. It installs a rootkit for Windows, this auto-executes in project files of SCADA WinCC/PCS 7 software, and command and control prompts. This exploitation of flaws allows the code to be inserted in a micro-program, which is transmitted by the SCADA management system to the PLC. Indeed, this was the first ever rootkit for PLCs identified.
Industrial control systems are vulnerable as they generally use proprietary hardware and software. Most were designed before the age of networks – when security involved nothing more than access control and therefore, have no mechanisms for authentication or for ensuring data integrity and confidentiality. Its biggest weaknesses is the use of the Modbus protocol and management terminals.
Most SCADA systems are vulnerable to network attacks that exploit weaknesses at the protocol level. SCADA management terminals that are connected to a network are exposed to the usual threats associated with malicious software downloaded by a user who has clicked on a link or opened an email attachment or an infected file on removable media.
Some cyber-criminals are able to take control of SCADA systems by modifying the PLC micro-program, and once it has infected a machine it can execute unauthorised operations.
However, the techniques used to compromise SCADA systems management terminals are the same as those used for any system, as the bulk of devices are running on a Windows OS.
The hackers deploy malware that will give them access to a specific target allowing the hacker to penetrate the security of the device and data on the network.
In this context, operating systems that are no longer supported will become vulnerable, increasing the risk of attack.
It is important to not underestimate the scale of the risk given that attacks have the capability of become “viral”. Advice from the CPNI (UK) states that, “To safeguard the process control system from electronic attacks, it may be insufficient to rely on a single firewall, designed to protect the corporate IT network. A much more effective security model is to build on the benefits of the corporate firewall with an additional dedicated process control firewall and deploy other protection measures such as an anti-virus software and intrusion detection. A multi-layer security model is referred to as defence in depth.”
While the usual precautions continue to be applied, IT managers will have to remain vigilant to prevent attacks.
It is not enough to isolate the systems by disconnecting them from the Internet. IT managers need to go further and check that these systems are not connected to other environments which themselves are connected to the Internet and therefore at risk.
When it comes to IT security, there are two lines of defence:
Raising user awareness of risks
Many incidents come about because users install free software. Rather than deliberate acts, this can be considered to be more negligent, nonetheless, as underlined by CNPI, if you understand the risk, threats and impacts, you can put sufficient plans in place to ensure that risks can be contained and quarantined on contact with the network.
Implementing preventive measures
Various protective technologies should be deployed. The focus should be on the following:
- Protect the systems from unauthorised access by implementing a user account management policy:
- Change default passwords after an attack.
- Monitor where data is going, and if the request came from an authorised access point.
- Plain text passwords in the code of applications, operating procedures and stored data shouldn't be allowed.
- Sound management of profiles and file access permissions.
- Identify behaviour that puts systems at risk:
- Deactivation of non-secure protocols.
- Online modification of control programs that were authorised without verification.
- Reloading the start-up configuration via USB stick.
- Supervision, incident detection.
- Install patch updates of operating systems, applications, firmware immediately.
- Implementation of solutions to detect virus signatures and security incidents in industrial environments.
- Technologies that combat the network threat vectors
These are very targeted attacks, affecting a niche industry. However, it requires an understanding from their internal IT teams as to how they can cost effectively protect the network and data, without having to spend a high amount of budget.
It's also important to understand the difference between an authorised and unauthorised request, as this is where data breaches can occur. Therefore, it's important all changes and requests are reviewed in real time.Contributed by Florian Malecki, international product marketing director, Dell Networking Security.