Bryan Doerr

Cyber-Threats and the Need for Secure Industrial Control Systems

Secure Industrial Control Systems (ICS)

Industrial Control Systems (ICS) tend to be “out of sight, out of mind.” These systems are essential to life in any advanced society because they manage critical infrastructure such as power plants, the electrical grid, hydroelectric facilities, transportation, water and wastewater, manufacturing, and other essential services.  Society depends on their reliable operations.

Yet these systems tend to be taken for granted by everyone except their operators, until a failure in an ICS leads to a crisis visible enough to demand wider attention. And as these systems are increasingly connected to private and public networks, a new failure mode is being introduced: the ICS that manage crucial infrastructure such as energy, water, and transportation can be attacked by malware.

The prevalence of malware within ICS environments suggests that IT and security professionals should pay closer attention to cyber-threats in these environments. The Dragos Threat Operations Center analyzed 15,000 malware samples from ICS environments over a three-month period and concluded that approximately 3,000 industrial sites per year get infected with malware. Much of the malware these researchers found came from common, commodity malware families rather than ICS-specific tooling. One variant, posing as Siemens Programmable Logic Controller (PLC) firmware, has been in circulation since 2013 and has been reported by 10 industrial sites in the U.S., Europe, and China. Another attack, dating back to 2011, was a phishing email campaign that targeted multiple nuclear sites in the U.S. and other Western countries.


As bad as these numbers are, they appear to be getting worse. According to IBM Managed Security Services (MSS) data, attacks on ICS increased by more than 110 percent in 2016. The increase came primarily from brute-force attacks on Supervisory Control and Data Acquisition (SCADA) systems, in which automated tools try default or weak passwords against exposed logins. Once an attacker gains access, they can remotely monitor or control connected devices, paving the way for a larger attack or other malicious activity.

Cyberattacks that target ICS environments aim to inflict "loss of view" and/or "loss of control" on the systems' operators. The authors of ICS malware may have many different motives for targeting an ICS environment, including political motivations, financial gain, or even a military objective. Attacks may be state-sponsored or carried out by competitors, malicious insiders, or hacktivists. No matter who is behind them, or what their motivation is, attacks on ICS are serious business. Attacks have been documented in 18 countries outside the U.S., and their effects have included:

  • The destruction of centrifuges in Iran’s nuclear facility (via the Stuxnet worm)
  • Damage to a blast furnace
  • Tilting of an offshore oil rig
  • Significant environmental discharges

Within the U.S., recent attacks have included the loss of electrical power and water, damage to manufacturing lines, shutdown of HVAC systems, and damage to critical motors. In March 2016, the U.S. Justice Department charged that Iran had attacked U.S. infrastructure by infiltrating the industrial controls of a dam in Rye Brook, New York via a cellular modem. Worse, the intrusion is believed to have occurred in 2013 but was not reported until 2016, further evidence that cyberattacks often take months or years to identify and resolve.

ICS makes an easy target

What makes ICS and SCADA systems such attractive targets? While they are generally regarded as well designed to withstand or recover from physical threats such as fires and explosions, and from physical events caused by hardware malfunction, they are often not designed with cyberattacks in mind. It is easy to see why they are attractive, especially now that they are more connected to external IT systems and the internet. Because many ICS rely on technology that was not built with security in mind, they tend to expose weaknesses in access policies, configuration control, hardware, software, and network configuration. As IT systems and operational technology (OT) environments become more interconnected, ICS become much more exposed to intrusions and attacks.

Mitigate risks related to ICS

With so much malware already resident in ICS environments and the prospect of an ICS breach leading to an infrastructure failure with disastrous consequences, government agencies in the U.S. and elsewhere are scrambling to raise awareness and mobilize the owners and operators of infrastructure assets.

Especially active is the U.S. Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), which has published a series of recommendations on how to identify and mitigate the cyber vulnerabilities of ICS environments. Some of its recommendations include:

  • Removing critical control systems from the public-facing internet
  • Ensuring that updates are performed securely and with documentation
  • Strictly controlling access to critical systems and maintaining high levels of discipline related to access credentials

A useful addition to these suggestions would be recognizing that the components of networked ICS systems also function, in effect, as endpoints on their networks. If users can automate the process of identifying these endpoints’ deviations from their normal behavior, and generate actionable alerts to the analyst(s) responsible for securing the network, cyber-risk awareness within ICS and SCADA environments can be significantly increased.

The endpoint modeling advantage

Endpoint modeling is an advanced threat-detection technique that creates and maintains a software model, in effect a real-time simulation, of each networked resource. It automatically discovers the role and behavior of IT assets and then continuously tracks the behavior of those assets. Applied to an ICS environment, it gives analysts and operators a way to monitor both for threats and for any change in the assets connected to the network. Because detection is based on changes in behavior rather than on signatures, no prior knowledge of a threat's characteristics is needed: a threat that changes the network behavior of an asset becomes visible to an operator. Endpoint modeling has another benefit as well: it exposes the normal network behavior of ICS assets, which improves operator understanding and their ability to recognize abnormal activity that may be due to component failure rather than attack.
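The mechanism described above, as an added illustration that is not Observable Networks' product code: a profile is learned for each endpoint from a window of baseline flow records (which peers and services it uses, and which ports it serves), the learned roles are exposed for an operator to review, and later flows outside the profile are raised as alerts. The hosts, addresses, flow records and the volume threshold are all constructed for the example.

```python
"""
A small endpoint-behavior model for an ICS network segment.

Added illustration, not Observable Networks' product code. It learns, per
endpoint, which (peer, port, protocol) services the endpoint normally uses
and which ports it serves, from a window of baseline flow records, then
flags later flows that fall outside that profile. All hosts, addresses and
flow records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    bytes_out: int  # bytes sent by src in this flow


@dataclass
class Profile:
    """Learned normal behaviour of one endpoint."""
    # (dst, dport, proto) -> largest bytes_out seen on that path in the baseline
    peers: dict = field(default_factory=dict)
    # (dport, proto) pairs on which this endpoint was contacted as a server
    served: set = field(default_factory=set)


# Flows more than this many times the largest baseline flow on the same
# path are treated as a volume deviation (the factor is an assumption).
VOLUME_FACTOR = 5

# Constructed baseline for a small plant segment:
# 10.1.0.10 is an HMI, 10.1.0.20 and .21 are PLCs, 10.1.0.30 is a historian.
BASELINE = [
    Flow("10.1.0.10", "10.1.0.20", 502, "tcp", 1200),   # HMI polls PLC over Modbus/TCP
    Flow("10.1.0.10", "10.1.0.21", 502, "tcp", 1100),
    Flow("10.1.0.10", "10.1.0.30", 1433, "tcp", 8000),  # HMI writes to the historian DB
    Flow("10.1.0.20", "10.1.0.30", 1433, "tcp", 3000),  # PLCs push tag data to historian
    Flow("10.1.0.21", "10.1.0.30", 1433, "tcp", 2900),
]

# Constructed traffic observed later, mixing normal and suspicious flows.
OBSERVED = [
    Flow("10.1.0.10", "10.1.0.20", 502, "tcp", 1150),     # normal poll, no alert
    Flow("10.1.0.20", "203.0.113.7", 443, "tcp", 5000),   # PLC beacons to an outside host
    Flow("10.1.0.99", "10.1.0.20", 502, "tcp", 300),      # never-seen host writes to a PLC
    Flow("10.1.0.10", "10.1.0.21", 102, "tcp", 400),      # HMI uses a protocol it never used
    Flow("10.1.0.10", "10.1.0.30", 1433, "tcp", 90000),   # bulk transfer far above baseline
]


def build_model(baseline):
    """Learn one Profile per endpoint from baseline flows."""
    model = defaultdict(Profile)
    for f in baseline:
        path = (f.dst, f.dport, f.proto)
        client = model[f.src]
        client.peers[path] = max(client.peers.get(path, 0), f.bytes_out)
        model[f.dst].served.add((f.dport, f.proto))
    return dict(model)


def describe(model):
    """Expose learned normal behaviour so an operator can sanity-check roles."""
    summary = {}
    for host, p in sorted(model.items()):
        served = ", ".join(f"{proto}/{port}" for port, proto in sorted(p.served)) or "nothing"
        summary[host] = f"serves {served}; client of {len(p.peers)} service(s)"
    return summary


def detect(model, flows):
    """Return (endpoint, reason, flow) for every flow outside the endpoint's profile."""
    alerts = []
    for f in flows:
        path = (f.dst, f.dport, f.proto)
        p = model.get(f.src)
        if p is None:
            alerts.append((f.src, "unknown endpoint", f))
        elif path not in p.peers:
            known_peer = any(dst == f.dst for dst, _, _ in p.peers)
            alerts.append((f.src, "new service on known peer" if known_peer else "new peer", f))
        elif f.bytes_out > VOLUME_FACTOR * p.peers[path]:
            alerts.append((f.src, "volume deviation", f))
    return alerts


if __name__ == "__main__":
    model = build_model(BASELINE)
    for host, text in describe(model).items():
        print(f"{host}: {text}")
    for host, reason, flow in detect(model, OBSERVED):
        print(f"ALERT {host}: {reason} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Note that no signature or threat intelligence is involved: the PLC beaconing to an outside host, the unknown laptop writing Modbus to a PLC, and the HMI speaking a protocol it never used before are all caught purely because they differ from the learned profile. In a real deployment the baseline window must itself be clean, since anything already present during learning becomes "normal".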

Endpoint modeling brings accurate, low-noise security awareness to security analysts, who can quickly investigate whether a behavior change represents a threat and, if so, take effective action to remediate it. As a result, vulnerable ICS systems, which may have been poorly secured until now, can benefit from increased visibility and security.

By Bryan Doerr, Chief Executive Officer, Observable Networks

Bryan Doerr

Bryan Doerr is the chief executive officer of Observable Networks, a leading provider of network security technology and advanced threat detection services. Bryan's career spans over 25 years of industry experience in corporate research, product design, IT management, and executive management. Prior to Observable, Bryan was Chief Technology Officer at Savvis (now CenturyLink), where he led technology research and development and shaped the company's go-to-market strategy spanning cloud, network, hosting, security infrastructure and services, and internal IT systems development.
