
The growing security threat faced by the world’s industrial control systems

They sit at the heart of electricity generators, gas plants and factories, and are becoming an increasing focus for cyber criminals hell-bent on causing disruption. Anthony Daniel from WatchGuard Technologies explores.

Anthony Daniel
Fri, 05 Nov 2021

Industrial control systems (ICS) are specialised computers that control the large-scale industrial infrastructures which underpin much of modern life. These also include the supervisory control and data acquisition (SCADA) systems that remotely monitor and control so-called operational technology.

Although ICS equipment is very specialised in its design, it can still suffer the same software and hardware vulnerabilities that afflict traditional computers. Security experts have long warned that cyber criminals would target ICS and recent incidents, such as the US-based Colonial Pipeline ransomware attack, prove that this is indeed the case.

Protecting against attack

With the number and sophistication of attacks against ICS computers continuing to climb, operators of large-scale infrastructures need to consider some key issues. These include:

  • Beware the threat from within
    While most attention is directed to preventing malicious attacks by outsiders, it’s important not to forget the potential for insiders to become a threat. Back in 2008, Maroochy Water Services in Queensland started suffering wastewater pump failures which resulted in the unplanned release of more than four million litres of untreated sewage. These failures happened without any faults or alarms going off. It transpired that a disgruntled contractor had stolen computer and radio equipment and was sabotaging the pumps as revenge for not receiving a permanent position.

    Protecting equipment from malicious insiders can be challenging but having strong asset management controls and processes for quickly revoking the privileges of former employees can help.
  • Airgaps don't provide impenetrable security
    During 2010, the Stuxnet attack on Iran’s nuclear program opened a Pandora's box of state-sponsored ICS cyber attacks. This sophisticated attack caused Iranian uranium enrichment centrifuges to spin out of control, essentially tearing themselves apart. The attack involved extremely advanced malware that exploited four zero-day flaws, included the first-ever programmable logic controller rootkit (targeting a highly proprietary device) and even relied on an alleged double agent who walked the malware across an airgap.

    This incident showed that, with the right amount of money, time and motivation, even the most secure facility can be breached. If the system being protected is critical, there needs to be very advanced security controls and procedures in place.
  • Be wary of spear-phishing attacks
    In 2014 and 2015, alleged Russian cyber criminals installed BlackEnergy malware onto the computers of a Ukrainian power company via a spear-phishing campaign that used Word documents containing malicious code. The malware gave the criminals the ability to shut down power for nearly a quarter million Ukrainians for six hours. This is only one of many ICS breaches that began with a spear-phishing attack.
  • Digital attacks can cause real-world damage and death
    During 2017, experts investigating some system failures in a Saudi Arabian petrochemical plant found very specialised ICS malware designed to disable industrial emergency shutdown and safety systems and cause physical damage. Dubbed TRITON, this was widely considered to be the first cyber attack intended to cause human casualties.
  • ICS is also susceptible to ransomware attacks
    Historically, ICS attacks have tended to be the realm of nation-state and terrorist threat actors, but now cybercriminals are also getting involved. In 2019, Norway’s Norsk Hydro aluminium smelter company became infected by ransomware, causing it to shut down some production and revert to manual processes. This year, similar disruptions were caused by a ransomware attack on US-based Colonial Pipeline.

While such incidents may have different root causes, they highlight the fact that criminal actors are now sufficiently sophisticated to crack ICS companies and use this ability for extortion.

Any company that operates ICS needs to have comprehensive security protection in place, as well as a detailed disaster recovery plan that can be put into action should an attack occur. Attackers are unlikely to reduce their attempts to penetrate systems and cause damage; however, taking critical steps now could reduce the impact of their efforts.

Anthony Daniel is the regional director – Australia, New Zealand and Pacific Islands, at WatchGuard Technologies.
