It sounds naive to think of critical infrastructure having been built without cyber-security in mind – but with isolated machines in power-plants whose lifespans exceed the existence of the internet – itself once an almost entirely benign place – physical security was once the only concern. But none of the assumptions of trust or absence of threat are true now.
As Robert Hinden, Check Point Fellow, described in his Wednesday RSA session, Protecting Critical Infrastructure, hacking physical infrastructure is something that can affect us all, and like IT systems, there are many vulnerabilities, but the consequences are much greater, and the attacks have begun.
From Stuxnet to German steel mills, it was emphasised that we know physical things can be impacted via cyber means. Hinden also cited a 2014 government report from CERT that included 79 cyber-attacks on energy infrastructure, with manufacturing also high at 65, healthcare 15, water 14, communications 14, transportation 12, and equally worrying, but lower, nuclear at six. And it is suspected that there are more who are not aware of being attacked. For most attacks, their type was described as unknown, though the familiar spear-phishing, weak authentication, network scanning and probing, abuse of access authority, and SQL injection all figured.
Worryingly, most malware discovered was focussed on collecting data, not causing crashes – collating and exfiltrating data, information on devices, topology, protocols, etc, - often to the same command and control, which it is believed will be used to enable future attacks.
The PLCs (programmable logic controllers – which are simply programmable remote terminal units) are built for automation and are essentially computers, with software updates, and thus many vulnerabilities.
Typical Scada networks will have a management facility and a production facility – but then have a corporate network which straddles and thereby connects the two, and then connects to the internet and remote users - so what were thought purely production staff may also have access to email etc, then connect to Internet, to vpn to remote user. A survey of the energy sector reportedly showed an average of 11 direct connections and up to 250 in some cases.
The Stuxnet worm was an attack on SCADA progam logic controllers and Hinden presented a list of known vulnerabilities, from running old software to improper access control, and buffer overload – emphasising that lessons learned in computers had not all been implemented in SCADA systems.
The choice of inappropriate control system platforms came in for particularly heavy criticism from Hinden, saying: “Why choose the platform with the most exploits, why not upgrade to the latest operating system, install patches and updates, why run with no AV, no anti-Malware, or run on sytems with no support because they have not been renewed? You must want to run malware. People are not choosing platforms based on their security.” And just because industrial control systems are a different environment, they are not immune from enterprise security challenges, such as Open SSL vulnerabilities, Shellshock, and Bash Shell. This laxity was seen as symptomatic of crtical infrastructure operators not taking security seriously.
Recommendations to improve cyber-security in critical infrastructure were far from revolutionary:
Deploy strong perimeter security – firewalls, anti-bot, anti-virus etc;
Select platforms for security characteristics (not just price or functionality)
Internet connection is needed in order to keep tools and signatures up to date.
Limit which computers can talk from corporate to production
Run VPNs over WAN.
Control usage of USBs
Apply latest patches, fixes
Do not run unsupported operating systems
Run latest AV anti-malware
Log all SCADA traffic – ensure full visibility, every command and querry, so if you have an attack you will have a record of what the attacker was doing.
Define normal baseline – then identify deviations to find attacks
Respond to alerts to prevent attacks.
Make security a priority, part of the procuring process, invest in security, undertake security audits, industrial CERTS and vendor notifications. Don't be afraid to report attacks and compromises.