InCloud Control Infographic
To show just how vulnerable U.S. industrial systems are, a study was just completed that measured who is attacking and what information they are seeking out.
Industrial control systems (ICS) are devices, systems, networks, and controls used to operate and/or automate industrial processes. These devices are often found in nearly any industry—from the vehicle manufacturing and transportation segment to the energy and water treatment segment.
Supervisory control and data acquisition (SCADA) networks are systems and/or networks that communicate with ICS to provide data to operators for supervisory purposes as well as control capabilities for process management. As automation continues to evolve and becomes more important worldwide, the use of ICS/SCADA systems is going to become even more prevalent.
ICS/SCADA systems have been the talk of the security community for the past two years due to Stuxnet, Flame, and several other threats and attacks. While the importance and lack of security surrounding ICS/SCADA systems is well-documented and widely known, this talk today addresses who’s really attacking Internet-facing ICS/SCADA systems and why. It also covers techniques to secure ICS/SCADA systems and some best practices to do so.
The move from proprietary technologies to more standardized and open solutions together with the increased number of connections between SCADA systems and office networks and the Internet has made them more vulnerable to attacks. Consequently, the security of some SCADA-based systems has come into question as they are seen as potentially vulnerable to cyber attacks. In particular, security researchers are concerned about:
SCADA systems are used to control and monitor physical processes, examples of which are transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of modern society. The security of these SCADA systems is important because compromise or destruction of these systems would impact multiple areas of society far removed from the original compromise. For example, a blackout caused by a compromised electrical SCADA system would cause financial losses to all the customers that received electricity from that source.
Security in an ICS/SCADA network is often considered “bolt-on” or thought of “after the fact.” When these systems were first brought into service more than 20 or so years ago, security was typically not a concern. Many of them, at that time, were not even capable of accessing the Internet or connecting to LANs. Physical isolation addressed the need for security.
However, as things changed over time, the purpose of most of these systems was redefined, and so was the way they were configured. A system that used to be accessible only from a single computer next to a conveyor belt became accessible via the Internet, with very little hindrance.
There are two distinct threats to a modern SCADA system. First is the threat of unauthorized access to the control software. Second is the threat of packet access to the network segments hosting SCADA devices. In many cases, there is rudimentary or no security on the actual packet control protocol, so anyone who can send packets to the SCADA device can control it.
In many cases SCADA users are unaware that physical access to SCADA-related network jacks and switches provides the ability to totally bypass all security on the control software and fully control those SCADA networks. These kinds of physical access attacks bypass firewall and VPN security.
With so much at stake, the question is – are these systems under attack? The answer was discussed in a recent “honeypot” study conducted over a 28-day period.
A honeypot is an environment created specifically to resemble that of a live and functioning industrial enterprise network. The environment for this research project included actual live data feeds from instrumentation, remote terminal units (RTU), programmable logic controllers (PLC) and a fully functioning ICS/SCADA platform with Internet-facing connectivity.
It took only 18 hours to find the first signs of attack on one of the honeypots. While the honeypots ran and continued to collect attack statistics, the findings concerning the deployments proved disturbing. The statistics of this report contain data for 28 days with a total of 39 attacks from 14 different countries. Out of these 39 attacks, 12 were unique and could be classified as “targeted” while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” and/or “automated.” All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same netblock.
The top alert generated in the honeypot environment was Modbus TCP non-Modbus communication. This alert is triggered when an established connection utilizing Modbus is hijacked or spoofed to send other commands or attacks to a different device.
In addition to generating this alert, the following two rules were also triggered:
These rules are traditionally triggered when an unauthorized Modbus client attempts to read or write information from or to a PLC or SCADA device.
The sources of all three alerts were the United States, Russia, and China, respectively.
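The two alert conditions described above (non-Modbus traffic on the Modbus/TCP port, and reads or writes from a client that is not an authorized Modbus master) can be reproduced with a small detector over captured packets. The following is an added example written for this page, not code from the honeypot study or from InCloud Control; the client allowlist, IP addresses and packet bytes are constructed for illustration.

```python
import struct

MODBUS_PORT = 502
# Constructed allowlist (assumption): HMI/historian hosts permitted to poll the PLC.
AUTHORIZED_CLIENTS = {"10.0.1.10", "10.0.1.11"}
READ_CODES = {1, 2, 3, 4}       # read coils/discrete inputs/holding/input registers
WRITE_CODES = {5, 6, 15, 16}    # write single/multiple coils and registers


def parse_mbap(payload: bytes):
    """Parse a Modbus/TCP frame (7-byte MBAP header + PDU).

    Returns a dict, or None when the bytes are not a well-formed Modbus frame."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0 for Modbus; length counts unit id + PDU bytes.
    if pid != 0 or length < 2 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": uid, "fc": payload[7], "data": payload[8:]}


def classify(src_ip: str, dst_port: int, payload: bytes) -> str:
    """Classify one packet destined for a PLC into an alert string or 'ok'."""
    if dst_port != MODBUS_PORT:
        return "ignore"
    frame = parse_mbap(payload)
    if frame is None:
        # Mirrors the page's top alert: something other than Modbus on the Modbus port.
        return "ALERT non-Modbus communication on Modbus TCP port"
    if src_ip not in AUTHORIZED_CLIENTS:
        if frame["fc"] in WRITE_CODES:
            return "ALERT unauthorized Modbus write (fc=%d)" % frame["fc"]
        if frame["fc"] in READ_CODES:
            return "ALERT unauthorized Modbus read (fc=%d)" % frame["fc"]
    return "ok"


# Constructed sample traffic: (source IP, destination port, TCP payload).
SAMPLE_PACKETS = [
    ("10.0.1.10", 502, bytes.fromhex("000100000006" "01" "01" "0000" "000a")),  # authorized read coils
    ("203.0.113.5", 502, bytes.fromhex("000200000006" "01" "06" "0001" "002a")),  # foreign write register
    ("203.0.113.5", 502, b"GET / HTTP/1.1\r\n"),                                  # not Modbus at all
    ("203.0.113.5", 80, b"GET / HTTP/1.1\r\n"),                                   # not the Modbus port
]


def scan(packets=SAMPLE_PACKETS):
    """Return only the alert-worthy classifications for a list of packets."""
    return [classify(*p) for p in packets if classify(*p).startswith("ALERT")]


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

A real deployment would feed this from a span port or pcap and tie the allowlist to the engineering network's inventory; the check is deliberately strict about the MBAP length field so a hijacked connection carrying non-Modbus bytes is flagged rather than silently parsed.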
There are some very basic configuration and architectural considerations that can help prevent remote access to trusted ICS resources from occurring in this fashion. Most of these recommendations are based on “baking in” your security as ICS are architected and deployed. Future discussions will include ways to “bolt on” security for these systems and networks.
As you can see, Internet-facing ICS are readily targeted. Until proper ICS security is implemented, these types of attacks will likely become more prevalent and advanced or destructive in the coming years. We expect attack trends to continue in the ICS arena, with possible far-reaching consequences. With continued diligence and utilizing secure computing techniques, your ability to deflect and defend against these attacks will help secure your organization.
InCloud Control has addressed these and many other current concerns with both IRP and Manufacturing Platforms. We also have a team of security and industry consultants that can assess your organization, provide a clear roadmap for securing your infrastructure, and provide the expertise to deliver remediation design and implementation engagements.
If you would like to learn more about our secure platform or speak to one of our experts, we’d love to hear from you.
Email us at Hello@myincloud.com
In a sentence IRP is: a complete oil and gas plant asset maintenance, management and reliability analytics platform enabling customer adoption at whatever point in the planning and execution life-cycle that is most profitable for them.
IRP handles everything from simple day-to-day maintenance work orders to complex, total facility turnaround operations through embedded domain knowledge from industry experts, standards and best practices.
IRP manages the full life-cycle for complex projects, from capital planning and budgeting, to bidding, scheduling and resource assignment, to the management of project critical path, parts inventory management, and more. Mobile workers bring execution data into the system enabling a real-time view of project progression.
Built-in Process and Knowledge Management brings discipline to Reliability Centered Maintenance programs. Real-time capture, aggregation and analysis of instrumentation data allow reliability technicians to move beyond break-fix into predictive and preventive maintenance. With InCloud IRP you can take veteran maintenance leaders and transform them into data scientists, making decisions based on live data instead of intuition.
IRP enables documentation of diagnostic, analytic and repair routines and then creates repeatable procedures to pass key experience and lessons learned from one generation of technicians to the next.
Sensor and maintenance/repair data gathered over time will allow customers to compare manufacturer-predicted MTBF and MTTF values with actual field data.
And ultimately, the InCloud IRP Exchange – where sanitized and anonymized customer field data is aggregated from all over the world – will enable customers to compare their data against global benchmarks and adjust their predicted MTBF and MTTF metrics to account for environmental and geographic variables.
Why choose between reducing maintenance costs, increasing overall uptime, shortening maintenance windows, and eliminating unplanned outages when you can do all of those things at once?
The IRP provides customers a profit driven reliability roadmap.