Bryan Doerr

Cyber-Threats and the Need for Secure Industrial Control Systems

Secure Industrial Control Systems (ICS)

Industrial Control Systems (ICS) tend to be “out of sight, out of mind.” These systems are essential to life in any advanced society because they manage critical infrastructure such as power plants, the electrical grid, hydroelectric facilities, transportation, water and wastewater, manufacturing, and other essential services.  Society depends on their reliable operations.

Yet, these systems tend to be taken for granted, by everyone except their operators, that is, until a failure in an ICS system leads to a crisis that is visible enough to require wider attention.  And as these systems are increasingly connected to private and public networks, a new, possibly failure mode is being introduced. Yes, the ICS systems that manage crucial infrastructure such as energy, power, water, and transportation can be attacked by malware.

The prevalence of malware within ICS environments suggests that IT and security professionals should pay closer attention to cyber-threats within ICS environments. The Dragos Threat Operations Center studied 15,000 malware samples from ICS environments over a three-month period and concluded that approximately 3,000 industrial sites per year get infected with malware. Additionally, much of the malware these researchers found came from common malware families. One malware variant, posing as Siemens Programmable Logic Controller (PLC) firmware, has been in circulation since 2013 and has been reported by 10 industrial sites in the U.S., Europe, and China. Another attack, which dates back to 2011, was a phishing email that targeted multiple nuclear sites in the U.S. and other Western countries.

ICS

As bad as these numbers are, they appear to be getting worse. According to IBM Managed Security Services (MSS) data, ICS attacks increased more than 110 percent in 2016. This increase was related primarily to brute force Supervisory Control and Data Acquisition (SCADA) attacks, which use automation to attempt to guess default or weak passwords. Once a hacker gains access, they can remotely monitor or control connected devices — paving the way for a larger attack or other nefarious activities.

Cyberattacks that target ICS environments aim to inflict “loss of view” and/or “loss of control” on the systems’ operators. The authors of ICS malware may have many different motives for targeting an ICS environment, including political motivations, financial gain, or even a military objective. Attacks may be state-sponsored, inflicted by competitors, insiders with malicious goals, or even hacktivists. No matter who is behind them – or their motivation – attacks on ICS are serious business. Documented attacks in 18 countries outside the U.S. and hits have included:

  • The destruction of centrifuges in Iran’s nuclear facility (via the Stuxnet worm)
  • Damage to a blast furnace
  • Tilting of an offshore oil rig
  • Significant environmental discharges

Within the U.S., recent attacks have included the loss of electrical power and water, damage to manufacturing lines, shutdown of HVAC systems, and damage to critical motors. In March 2016, the U.S. Justice Department claimed that Iran had attacked U.S. infrastructure by infiltrating the industrial controls of a dam in Rye Brook, New York using a cellular modem. Worse, the attack is believed to have occurred in 2013, but wasn’t reported until 2016 – further proof that cyberattacks often take months and years to identify and resolve.

ICS makes an easy target

What makes ICS and SCADA systems such attractive targets for hackers? While they are generally regarded as being well designed to withstand or recover from physical threats such as fires and explosions, as well as physical events caused by hardware malfunction, the truth is they are often not designed with cyberattacks in mind.  It’s easy to see why they are an attractive target, especially now that they are more connected to other external IT systems and the internet. Because many ICS systems rely on technology that may not have been built with security in mind, they tend to expose vulnerabilities related to access policies, configuration control, hardware, software, and network configuration. As IT systems and operational technology environments increase their interconnectedness, ICS solutions become much more vulnerable to intrusions and attacks.

Mitigate risks related to ICS

With so much malware already resident in ICS environments and the prospect of an ICS breach leading to an infrastructure failure with disastrous consequences, government agencies in the U.S. and elsewhere are scrambling to raise awareness and mobilize the owners and operators of infrastructure assets.

Especially active is the U.S. Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), which has published a series of recommendations on how to identify and mitigate the cyber vulnerabilities of ICS environments. Some of its recommendations include:

  • Removing critical control systems from the public-facing internet
  • Ensuring that updates are performed securely and with documentation
  • Strictly controlling access to critical systems and maintaining high levels of discipline related to access credentials.

A useful addition to these suggestions would be recognizing that the components of networked ICS systems also function, in effect, as endpoints on their networks. If users can automate the process of identifying these endpoints’ deviations from their normal behavior, and generate actionable alerts to the analyst(s) responsible for securing the network, cyber-risk awareness within ICS and SCADA environments can be significantly increased.

The endpoint modeling advantage

Endpoint modeling is an advanced threat-detection technology that creates and maintains a software model – a real-time simulation – of each networked resource. It automatically discovers the role and behavior of IT assets, and then continuously tracks the behavior of those assets. When endpoint modeling is applied to an ICS environment, it provides analysts and operators an ideal way to monitor for any threats as well as any changes in the assets connected to the network.  By monitoring and detecting behavior changes, no prior awareness of threat characteristics is needed.  A threat that changes the network behavior of an asset can become visible to an operator.  Endpoint modeling also has another benefit: it exposes normal network behavior for ICS assets which increases operator understanding and their ability to recognize abnormal activity that may be due to component failure.

Endpoint modeling brings highly accurate, low-noise security awareness to security analysts who can quickly investigate to determine if this behavior represents a threat, and if so, take effective action to remediate it. As a result, vulnerable ICS systems – which may be been poorly secured before now – can benefit from increased visibility and security.

By Bryan Doerr, Chief Executive Officer, Observable Networks

Bryan Doerr

Bryan Doerr is the chief executive officer of Observable Networks, a leading provider of network security technology and advanced threat detection services. Bryan's career is embossed with over 25 years of industry experience in corporate research, product design, IT management, and executive management. Prior to Observable, Bryan was Chief Technology Officer at Savvis (now CenturyLink), where he led technology research and development and inspired the company's go-to-market strategy spanning cloud, network, hosting, security infrastructure and services, and internal IT systems development.

View Website

CONTRIBUTORS

Cloud Migration and Cyberwar

Cloud Migration and Cyberwar

Cyberwar Concerns This last week the Washington Post published a bombshell story on the recent attacks on the US election infrastructure ironically ...
Journey Science In Telecom: Take Customer Experience To The Next Level

Journey Science In Telecom: Take Customer Experience To The Next Level

Journey Science In Telecom Journey Science, being derived from connected data from different customer activities, has become pivotal for the ...
Top Security and IT Priorities To Pay Close Attention To

Top Security and IT Priorities To Pay Close Attention To

Top Security Priorities By 2019, cybercrime is expected to cost businesses over $2.1 trillion globally according to Juniper Research. Needless ...
5 Reasons to Head for the Cloud – Part 1

5 Reasons to Head for the Cloud – Part 1

Head for the Cloud Last month Salesforce held its 14th annual Dreamforce event in San Francisco. It has become the ...
How To Be Data Compliant When Using The Cloud

How To Be Data Compliant When Using The Cloud

Data compliant Companies using the cloud for data storage, applications hosting or anything else, have to carefully consider data compliance ...
5 Ways the Cloud and IoT Have Transformed the Transportation Industry

5 Ways the Cloud and IoT Have Transformed the Transportation Industry

IoT Transportation Industry The Internet of Things has caused many industries to evolve - but few more than transportation. Here ...
Critical Success Factors when shifting Workloads into the Cloud

Critical Success Factors when shifting Workloads into the Cloud

Shifting Workloads into the Cloud By 2020, 92 percent of all workloads will reside in the cloud. Yet challenges remain ...
Through the Looking Glass: Tech and Security Industry Predictions

Through the Looking Glass: Tech and Security Industry Predictions

Tech and Security Industry Predictions As we close out 2016, which didn’t start off very well for tech IPOs, momentum ...
Identity and Access Management: Advancing to Meet the Changing Needs of Passwords and Governance

Identity and Access Management: Advancing to Meet the Changing Needs of Passwords and Governance

Identity and Access Management The identity and access management market continues to grow in a wide variety of industries of ...
Ransomware Cyber-Attacks: Best Practices and Preventative Measures

Ransomware Cyber-Attacks: Best Practices and Preventative Measures

Ransomware Cyber-Attacks “WanaCrypt0r 2.0” or “WannaCry,” an unprecedented global ransomware cyber-attack recently hit over 200,000 banking institutions, hospitals, government agencies, ...