In September 2015, water industry magazine Waterworld reported that security researcher Kyle Wilhoit had connected to the Internet three industrial control systems designed to look like a water pressure station in a small American town. It took about 18 hours for the attacks to start. Within 28 days, the systems were attacked 39 times, revealing phishing tactics, concerted efforts to attack American infrastructure (35 percent of the attacks came from China), and two previously unknown strains of malware aimed at industrial control systems.
We depend on industrial controllers in manufacturing, oil refining, chemical processing, pharmaceuticals, power plants, water and sewer plants, environmental controls, and more. These systems are referred to in the industry as industrial control systems/supervisory control and data acquisition or ICS/SCADA. Many of these controllers have been in operation for decades and were not designed for the demands and dangers of life on the Internet. Even many new controllers being deployed today lack the security needed to face today’s cyber-threats, and weaknesses at business partners, suppliers, and services companies can also leave ICS at risk. These weaknesses leave our society vulnerable to cyber-attacks with economically devastating or even life-threatening consequences. They can also offer back doors for information theft from our business systems. Figuring out how to secure them has to be the business of every business.
Hitting us where we live
Industrial control systems are natural targets for cyber attacks because they are so critical to our economy and society and because most are so insecure, and there are already numerous known instances of attackers exploiting these vulnerabilities. A new book by Wired staffer Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, tells the story of Stuxnet, the first virus designed to damage industrial systems. Stuxnet was first deployed in 2009 against Iranian nuclear facilities, causing centrifuges to fail. The virus was spread via infected USB drives, and it was introduced via the computers of outside vendors connected to the Iranian nuclear program.
With increasing attacks against these systems, security standards will only improve. In the meantime, businesses that use ICS and their business partners need to “bolt on” their own security measures.
Stuxnet was just the beginning. In 2014, Reuters reported that hackers shut down an oil platform, using control systems to tip it, and infected another with so much malware that it took almost three weeks to restore the systems. Alexander Polyakov, founder of security firm ERPscan recently told Motherboard that the oil and gas industry is “a juicy target for cyberattacks, as oil and gas companies are responsible for a great part of some countries’ economies.” The article cited a 2012 attack on Saudi Arabian oil giant Saudi Aramco, which started with a spear-phishing campaign and ended with an operations shutdown, as every computer at the company had to be unplugged and cleaned up.
In January 2015, Wired reported that hackers had breached a German steel mill, disrupting control systems to the point that a blast furnace could not be shut down, causing massive damage. Wired pointed out that this is the first confirmed case since Stuxnet, in which a purely digital attack caused physical damage to industrial equipment. Marina Krotofil, a researcher at Hamburg University of Technology, told attendees at BlackHat USA 2015 that cyber-attacks against industrial plants for extortion is also common, according to Computer Weekly coverage of the conference. Krotofil said that hackers have been penetrating industrial control systems of utility companies on a large scale for extortion since at least 2006, and research has shown that defense methods are around 20 years behind attack methods.
So far, industrial controller attacks have been used for extortion or tampering, but future large-scale attacks could include shutting down utilities or causing casualties through massive industrial accidents. On a smaller scale, what if an attacker tampered with controllers in pharmaceutical manufacturing, releasing lethal drugs on an unsuspecting public? As weak endpoints, industrial systems can also give garden-variety cyber-criminals an easy entry to steal personal or sensitive information from business information systems.
Eyes wide shut
In a white paper on his water system experiment, Trend Micro security researcher Kyle Wilhoit points out that security is typically “bolted on” to ICS after the fact. He says, ”When these systems were first brought into service more than 20 or so years ago, security was typically not a concern. Many of them, at that time, were not even capable of accessing the Internet or connecting to LANs. Physical isolation addressed the need for security.” As Internet usage grew, businesses found benefit in connecting controllers to other systems, to gather data, to enable remote alerts, and sometimes just so the technicians using them could check their email.
At the same time ICS were going online, it became easier for would-be hackers to discover these systems. Shodan, an IoT search engine, was invented in 2009. A Money/CNN article reported that Shodan searchers found control systems for a nuclear power plant, a water park, a gas station, a hotel wine cooler, a crematorium, and a particle-accelerating cyclotron. In his white paper, Wilhoit also reports success using “Google-dorks” searches (search strings that use advanced search operators) to find ICS on the Internet, and in the Motherboard article cited earlier, Wade Williamson, director of product marketing at Vectra Networks, explains that cyber-criminals can use “botnets” — large collections of infected computers — to discover control systems. In his white paper, Wilhoit also shows how hackers are using a site called Pastebin to distribute IP addresses and other identifiable information on ICS/SCADA systems, providing target information for attackers.
Once hackers locate ICS systems, they find plenty of vulnerabilities, even in new systems. In September 2015, Security Week reported on U.S. Director of National Intelligence James Clapper’s testimony before the House Committee on Intelligence. Clapper told the committee that unknown Russian threat actors have successfully compromised the supply chains of at least three industrial control system vendors, causing their customers to download malicious malware designed to facilitate attacks via the ICS vendors’ web sites, and he warned that “Politically motivated cyber-attacks are now a growing reality, and foreign actors are reconnoitering and developing access to U.S critical infrastructure systems.“ The article also cited Martin Jartelius, CSO of vulnerability management at Outpost24, who said, “We have already seen USB-devices shipped with malware straight out of the factory, just as we have seen CD's from magazines with malware during the '90s.” But Jartelius also noted that “[Industrial controller] systems generally are very poorly maintained, with patch penetrations bordering towards zero percent when we have been able to observe penetration on the market, [and they] are often deployed on networks from where they can reach other internal resources. Being able to infect devices that are likely to spend 10 to 20 years on a network largely unmaintained is one of the most stable sources of persistence a malicious actor can obtain. This means the devices not only provide means of controlling critical infrastructure in other nations, it is also a means of obtaining access to other internal resources for an extended period of time.”
“Bolting on” your own risk management
The intelligence and security community are alert to the dangers of insecure industrial controllers. The National Institute for Standards and Technology (NIST) has published security guidelines for ICS, ICS-Cert (the Industrial Control Systems Computer Emergency Readiness Team) publishes standards and best practices, and the International Society for Automation (ISA) has developed multiple security standards for industrial systems. With increasing attacks against these systems, security standards will only improve.
In the meantime, businesses that use ICS and their business partners need to “bolt on” their own security measures. First steps are for the privacy and security team to inventory ICS that are connected to the Internet, directly or indirectly, identify risks surrounding those systems, and take steps to mitigate the risks, such as overseeing patch management. Also ask yourselves how many of those systems actually need an Internet connection. (These days, why can’t that technician check his or her email on a smartphone?) Wherever possible, segment and isolate the ICS networks and set strict access controls. And check out Kyle Wilhoit’s white paper for an excellent list of other security recommendations.
In an always-connected world, even organizations that don’t make or run connected controllers can be back doors into industrial systems, and industrial controllers can be back doors into your business systems. Maybe your business doesn’t run power plants, but your HVAC system connects to a power grid that connects to one. Maybe your company provides services and holds personal data on ICS operators, data that could be used for extortion or phishing attacks against their systems. Industrial controllers are the lifeblood of our society, so risk management is everyone’s business. After all, you don’t want yours to be the company that brought down a city, an industry, the economy, or worst case, thousands of your fellow human beings.
This is part four of a five-part series on the Internet of Things by Rick Kam. Read part one: Time to Get Smart About IoT Security, part two: IoT Security: Is Your Fitbit a Key for Criminals?, and part three: Connected Cars: Security and Privacy Risks on Wheels.
If you want to comment on this post, you need to login.