The Attack On America’s Industrial Systems
To show just how vulnerable U.S. industrial systems are, a study was just completed that measured who is attacking and what information they are seeking out.
Industrial control systems (ICS) are devices, systems, networks, and controls used to operate and/or automate industrial processes. These devices are often found in nearly any industry—from the vehicle manufacturing and transportation segment to the energy and water treatment segment.
Supervisory control and data acquisition (SCADA) networks are systems and/or networks that communicate with ICS to provide data to operators for supervisory purposes as well as control capabilities for process management. As automation continues to evolve and becomes more important worldwide, the use of ICS/SCADA systems is going to become even more prevalent.
ICS/SCADA systems have been the talk of the security community for the past two years due to Stuxnet, Flame, and several other threats and attacks. While the importance and lack of security surrounding ICS/SCADA systems is well-documented and widely known, this talk today addresses who’s really attacking Internet-facing ICS/SCADA systems and why. It also covers techniques to secure ICS/SCADA systems and some best practices to do so.
The move from proprietary technologies to more standardized and open solutions together with the increased number of connections between SCADA systems and office networks and the Internet has made them more vulnerable to attacks. Consequently, the security of some SCADA-based systems has come into question as they are seen as potentially vulnerable to cyber attacks. In particular, security researchers are concerned about:
- The lack of concern about security and authentication in the design, deployment and operation of some existing SCADA networks
- The belief that SCADA systems have the benefit of security through obscurity through the use of specialized protocols and proprietary interfaces
- The belief that SCADA networks are secure because they are physically secured
- The belief that SCADA networks are secure because they are disconnected from the Internet
SCADA systems are used to control and monitor physical processes, examples of which are transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of modern society. The security of these SCADA systems is important because compromise or destruction of these systems would impact multiple areas of society far removed from the original compromise. For example, a blackout caused by a compromised electrical SCADA system would cause financial losses to all the customers that received electricity from that source.
Security in an ICS/SCADA network is often considered “bolt-on” or thought of “after the fact.” When these systems were first brought into service more than 20 or so years ago, security was typically not a concern. Many of them, at that time, were not even capable of accessing the Internet or connecting to LANs. Physical isolation addressed the need for security.
However, as things changed over time, the purposes of most of these systems were redefined, along with the way they were configured. A system that used to be accessible only from a single computer next to a conveyor belt became accessible via the Internet, with very little hindrance.
There are two distinct threats to a modern SCADA system. First is the threat of unauthorized access to the control software. Second is the threat of packet access to the network segments hosting SCADA devices. In many cases, there is rudimentary or no security on the actual packet control protocol, so anyone who can send packets to the SCADA device can control it.
In many cases, SCADA users are unaware that physical access to SCADA-related network jacks and switches provides the ability to totally bypass all security on the control software and fully control those SCADA networks. These kinds of physical access attacks bypass firewall and VPN security.
With so much at stake, the question is – are these systems under attack? The answer was discussed in a recent “honeypot” study conducted over a 28-day period.
A honeypot is an environment created specifically to resemble that of a live and functioning industrial enterprise network. The environment for this research project included actual live data feeds from instrumentation, remote terminal units (RTU), programmable logic controllers (PLC) and a fully functioning ICS/SCADA platform with Internet-facing connectivity.
It took only 18 hours to find the first signs of attack on one of the honeypots. While the honeypots ran and continued to collect attack statistics, the findings concerning the deployments proved disturbing. The statistics of this report contain data for 28 days with a total of 39 attacks from 14 different countries. Out of these 39 attacks, 12 were unique and could be classified as “targeted” while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” and/or “automated.” All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same netblock.
The top alert generated in the honeypot environment was Modbus TCP non-Modbus communication. This alert is triggered when an established connection utilizing Modbus is hijacked or spoofed to send other commands or attacks to a different device.
In addition to generating this alert, the following two rules were also triggered:
- Unauthorized Read Request to a PLC
- Unauthorized Write Request to a PLC
These rules are traditionally triggered when an unauthorized Modbus client attempts to read or write information from or to a PLC or SCADA device.
The sources of all three alerts were the United States, Russia, and China, respectively.
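As an added illustration (not part of the original study's tooling), the following Python detector applies the three rules named above to constructed Modbus/TCP packets: it validates the MBAP header (protocol identifier 0, length field consistent with the frame) to flag non-Modbus traffic on port 502, and treats read or write function codes from any client outside an assumed allowlist as unauthorized. The client addresses, the allowlist, and the packet bytes are constructed samples.

```python
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
READ_FUNCS = {1, 2, 3, 4}      # read coils / discrete inputs / holding regs / input regs
WRITE_FUNCS = {5, 6, 15, 16}   # write single coil / single reg / multiple coils / multiple regs

# Assumed allowlist: only the bastion host / HMI may issue Modbus requests to the PLC.
AUTHORIZED_CLIENTS = {"10.0.1.10"}


@dataclass
class Packet:
    src_ip: str
    dst_port: int
    payload: bytes


def parse_mbap(payload):
    """Return (unit_id, function_code) for a well-formed Modbus/TCP request, else None.

    MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1);
    the PDU follows and its first byte is the function code.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # length covers unit id + PDU
        return None
    return unit, payload[7]


def classify(pkt):
    """Map one packet to the honeypot alert it would raise, or None."""
    if pkt.dst_port != MODBUS_PORT or not pkt.payload:
        return None
    parsed = parse_mbap(pkt.payload)
    if parsed is None:
        return "Modbus TCP non-Modbus communication"
    _unit, func = parsed
    if pkt.src_ip in AUTHORIZED_CLIENTS:
        return None
    if func in READ_FUNCS:
        return "Unauthorized Read Request to a PLC"
    if func in WRITE_FUNCS:
        return "Unauthorized Write Request to a PLC"
    return "Unauthorized Modbus function 0x%02x" % func


# Constructed sample traffic (documentation-range addresses, not real attack sources).
READ_HOLDING = bytes.fromhex("00010000000601030000000a")   # fc 3: read 10 holding regs
WRITE_SINGLE = bytes.fromhex("0002000000060106000100ff")   # fc 6: write reg 1 = 0xff
SAMPLE_TRAFFIC = [
    Packet("10.0.1.10", 502, READ_HOLDING),                  # authorized HMI poll
    Packet("203.0.113.5", 502, READ_HOLDING),                # unauthorized read
    Packet("198.51.100.7", 502, WRITE_SINGLE),               # unauthorized write
    Packet("203.0.113.5", 502, b"GET / HTTP/1.0\r\n\r\n"),   # non-Modbus on 502
    Packet("203.0.113.5", 80, b"GET / HTTP/1.0\r\n\r\n"),    # not a Modbus port: ignored
]


def run_detector(packets=SAMPLE_TRAFFIC):
    """Return (src_ip, alert) for every packet that triggers one of the rules."""
    hits = []
    for p in packets:
        alert = classify(p)
        if alert:
            hits.append((p.src_ip, alert))
    return hits
```

In the honeypot these alerts fired on real scanner traffic; here the same logic yields one read, one write and one non-Modbus alert from the three unauthorized sample packets.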
There are some very basic configuration and architectural considerations that can help prevent remote access to trusted ICS resources from occurring in this fashion. Most of these recommendations are based on “baking in” your security as ICS are architected and deployed. Future discussions will include ways to “bolt on” security for these systems and networks.
- Disable Internet access to your trusted resources, where possible.
- Make sure your trusted resources have the latest patches and that you diligently monitor when new patches/fixes are released.
- Use real-time anti-malware protection and real-time network scanning locally on trusted hosts and where applicable. (Some PLC systems cannot support anti-malware products because of the fragile nature of ICS protocols.)
- Require user name/password combinations for all systems, including those that are not deemed “trustworthy.”
- Set appropriately secure login credentials. Do not rely on defaults.
- Implement two-factor authentication on all trusted systems for any user account.
- Disable remote protocols that are insecure like Telnet.
- Disable all protocols that communicate inbound to your trusted resources but are not critical to business functionality.
- Control contractor access. Many ICS/SCADA networks utilize remote contractors, and controlling how they access trusted resources is imperative.
- Utilize SSL/TLS for all communications to web-based ICS/SCADA systems.
- Control access to trusted devices. For instance, for access to a segmented network, use a bastion host with access control lists (ACLs) for ingress/egress access.
- Improve logging on trusted environments, and pass logs to SIEM devices for third-party backup/analysis.
- Develop a threat modeling system for your organization. Understand who’s attacking you and why.
As you can see, Internet-facing ICS are readily targeted. Until proper ICS security is implemented, these types of attacks will likely become more prevalent and advanced or destructive in the coming years. We expect attack trends to continue in the ICS arena, with possible far-reaching consequences. With continued diligence and utilizing secure computing techniques, your ability to deflect and defend against these attacks will help secure your organization.
InCloud Control has addressed these and many other current concerns with both IRP and Manufacturing Platforms. We also have a team of security and industry consultants that can assess your organization, provide a clear roadmap for securing your infrastructure, and provide the expertise to deliver remediation design and implementation engagements.
If you would like to learn more about our secure platform or speak to one of our experts, we’d love to hear from you.
Email us at Hello@myincloud.com