Analysis: Industrial control systems under attack

Society relies on power grids and nuclear plants, but the systems used to control them could have an avalanche of cyber-attacks coming their way. Sooraj Shah finds out why

Industrial control systems (ICS) are integral to many services that society relies on, whether it is power grids, water treatment plants, nuclear and power plants or other critical infrastructure. But now, more than ever before, these systems are under attack.

Two years ago a highly sophisticated computer worm, Stuxnet, sabotaged centrifuges at Iran's Natanz uranium enrichment facility, reportedly setting the country's nuclear programme back by several years.

The worm carried a payload aimed at Siemens Step 7 engineering software and the S7 programmable logic controllers it programs, components of the supervisory control and data acquisition (SCADA) systems that control and monitor industrial processes and are also prevalent in the electrical, water, oil and gas industries.

“Stuxnet was a wake-up call. Copycats and spin-offs are hard at work and we’re going to see interesting branches being revealed in the near future,” says Doron Shikmoni, co-founder of network access control provider ForeScout.

Although the industrial control industry may now be aware, the security behind the systems is still “at least 10 years” behind corporate information systems, according to Paul Vlissidis, technical director at security firm NCC Group.

The problem is not only that the security is out of date, but that as each system grows its weaknesses multiply.

“As the complexity of a system increases, it becomes more prone to vulnerabilities; we can say that almost any ICS can be attacked,” claims Ruben Santamarta, a security researcher at security services firm IOActive.

Why would an ICS be attacked?

In January 2011, Stuxnet was alleged by the New York Times to have been the result of a combined effort from Israel and the US intelligence services.

“A sophisticated and targeted attack intended to cause as much damage as possible requires a huge amount of resources – including intelligence, cash, devices and skilled personnel – precluding everyone except nation-states or terrorist groups,” says Santamarta.

He adds that the reasons behind such an attack could be to cause political instability or damage opposing military facilities to establish advantages before initiating a physical conflict. Other motivations could be to extort corporations for money, cause personal damages or even to cause the loss of lives.

Smart meters

The cyber problems for national infrastructure continue with the advent of smart meters.

Gartner analyst Ruggero Contu says that there is potential for people to commit fraud by manipulating the data captured by the meter. Another concern, Contu says, is the privacy of data. A hacker could compromise a smart meter to find out about home owners’ peaks of use to learn when they are likely to be out.

More worrying still is the fact that smart meters are connected to smart grids.


“If someone is able to attack the system and give the impression that there is a high peak of demand, then they can impact the load balancing for energy supply on the smart grid, which may bring down whole or part of the system,” he explains.

As the smart grid is connected to the utility company, there is also a risk that the grid’s back-end systems could be infiltrated through such an attack, says Contu.
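The fraud and forged-demand attacks Contu describes both rely on the back end trusting whatever a meter reports. The following is an added example, not code from the article or from any utility or vendor, showing the checks a collector can apply before a reading feeds load balancing: a per-meter HMAC tag so a tampered value is rejected, a sequence number so a captured reading cannot be replayed, and a plausibility bound (the assumed 24 kW service rating) so even a correctly signed but physically impossible spike is dropped. The meter identifiers, key and readings are constructed for the example.

```python
"""Authenticate and sanity-check smart-meter readings before aggregation (added example)."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumed rating of a domestic supply: a single meter cannot draw more than this.
RATED_MAX_KW = 24.0


def meter_key(master: bytes, meter_id: str) -> bytes:
    """Derive a per-meter key so one compromised meter cannot sign for others."""
    return hmac.new(master, meter_id.encode(), hashlib.sha256).digest()


def _message(meter_id: str, seq: int, kw: float) -> bytes:
    # Canonical encoding covers identity, freshness and value.
    return f"{meter_id}|{seq}|{kw:.3f}".encode()


def sign_reading(master: bytes, meter_id: str, seq: int, kw: float) -> Dict:
    """What a trustworthy meter would send: the reading plus an HMAC over it."""
    tag = hmac.new(meter_key(master, meter_id), _message(meter_id, seq, kw), hashlib.sha256).hexdigest()
    return {"meter": meter_id, "seq": seq, "kw": kw, "tag": tag}


def verify_reading(master: bytes, last_seq: Dict[str, int], r: Dict) -> Tuple[bool, str]:
    """Return (accepted, reason). `last_seq` holds the highest sequence seen per meter."""
    expected = hmac.new(meter_key(master, r["meter"]), _message(r["meter"], r["seq"], r["kw"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, r["tag"]):
        return False, "bad tag"          # value or identity altered in transit
    if r["seq"] <= last_seq.get(r["meter"], -1):
        return False, "replay"           # old reading presented again
    if not 0.0 <= r["kw"] <= RATED_MAX_KW:
        return False, "implausible"      # signed, but physically impossible demand
    last_seq[r["meter"]] = r["seq"]
    return True, "ok"


def aggregate_load(master: bytes, readings: List[Dict]) -> Tuple[float, List[Tuple[str, str]]]:
    """Sum only verified readings; report what was rejected and why."""
    last_seq: Dict[str, int] = {}
    total = 0.0
    rejected: List[Tuple[str, str]] = []
    for r in readings:
        ok, why = verify_reading(master, last_seq, r)
        if ok:
            total += r["kw"]
        else:
            rejected.append((r["meter"], why))
    return total, rejected


def build_sample_batch(master: bytes) -> List[Dict]:
    """Constructed batch: two honest readings, one tampered, one replayed, one forged spike."""
    honest1 = sign_reading(master, "m001", 1, 3.2)
    tampered = dict(sign_reading(master, "m002", 1, 1.1), kw=19.9)   # value edited after signing
    replayed = dict(honest1)                                          # same reading sent twice
    spike = sign_reading(master, "m003", 5, 250.0)                    # valid key, impossible load
    honest2 = sign_reading(master, "m002", 2, 0.8)
    return [honest1, tampered, replayed, spike, honest2]


def demo() -> Tuple[float, List[Tuple[str, str]]]:
    master = b"example-master-key-not-a-real-secret"   # constructed for the example
    return aggregate_load(master, build_sample_batch(master))


if __name__ == "__main__":
    total_kw, dropped = demo()
    print(f"verified load: {total_kw:.1f} kW; rejected: {dropped}")
```

Only the two honest readings survive, so a forged peak never reaches the load-balancing calculation; the rejection reasons are what an operator would want alerted on, since a run of "bad tag" or "replay" from one feeder is itself an indicator of tampering.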

Exposed

Santamarta has demonstrated these vulnerabilities before, with both SCADA software and devices such as smart meters and programmable logic controllers (PLC).

“I discovered several vulnerabilities in a specific Ethernet/IP based PLC from [industrial solutions provider] Rockwell Automation that could be triggered by sending a specific sequence of packets,” he says. “These flaws could be used to either cause a permanent denial of service – meaning an operator had to physically access the device to recover it – or to load a ‘trojanised’ firmware instance that would give the attacker total control over the device.”

Although the original attack was tested against a specific model, it was found that it might affect other devices based on the Ethernet/IP protocol.

Another concern comes from “backdoors”: hidden accounts that allow the vendor to access systems without the customer’s credentials. These are usually test or development accounts that the original developers forgot to remove from their firmware or software, but they let attackers in just as easily.

“By reverse engineering the firmware, it is possible to discover these vulnerabilities without physically possessing the device,” Santamarta says. He used this technique to expose Schneider Electric smart meters.
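The reverse-engineering step Santamarta describes often starts far more simply than disassembly: forgotten accounts are string literals, and the username and its password usually sit next to each other in the image. The following is an added example, not code from the article or from any vendor, that pulls printable strings out of a firmware blob the way `strings -t d` does, flags those containing credential-related words, and lists the literals stored within a few dozen bytes of each hit. The firmware image, the account name and the password in it are constructed for the example and do not come from any real device.

```python
"""Hunt for hard-coded account strings in a firmware image (added example)."""
import re
from typing import Dict, List, Tuple

# Printable ASCII runs of at least MIN_LEN bytes, the same heuristic `strings` uses.
MIN_LEN = 5
_STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Words that commonly sit beside baked-in account data.
CRED_KEYWORDS = (b"user", b"login", b"pass", b"pwd", b"auth", b"telnet",
                 b"ftp", b"root", b"admin", b"debug", b"factory", b"service")


def extract_strings(blob: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, text) for every printable run in the image."""
    return [(m.start(), m.group()) for m in _STRING_RE.finditer(blob)]


def find_credential_candidates(blob: bytes, window: int = 64) -> List[Dict]:
    """Flag keyword-bearing strings and collect the literals stored within
    `window` bytes of each: a password literal carries no keyword itself,
    so it is found by its proximity to the account or prompt string."""
    strs = extract_strings(blob)
    hits = []
    for off, s in strs:
        if not any(k in s.lower() for k in CRED_KEYWORDS):
            continue
        neighbours = [t for o, t in strs if o != off and abs(o - off) <= window]
        hits.append({"offset": off, "string": s, "neighbours": neighbours})
    return hits


def build_sample_firmware() -> bytes:
    """Constructed stand-in for a firmware image. The filler steps through byte
    values by 37, so it never forms a printable run long enough to look like a
    string; the planted telnet account is invented for this example."""
    filler = bytes((i * 37) % 256 for i in range(2048))
    return (filler[:500]
            + b"\x00Firmware v2.1.4\x00"
            + filler[500:900]
            + b"\x00telnetd: login\x00"      # prompt string
            + b"svc_debug\x00"               # forgotten development account
            + b"Zq8!fVx2\x00"                # its password, stored right after it
            + filler[900:1400]
            + b"\x00ERROR: invalid checksum\x00"
            + filler[1400:])


if __name__ == "__main__":
    for hit in find_credential_candidates(build_sample_firmware()):
        print(f"{hit['offset']:#08x} {hit['string']!r} near {hit['neighbours']}")
```

On a real image the next step is to confirm each candidate against the code that reads it (for example, the login routine that compares input against the literal), because the heuristic also surfaces harmless prompts and help text; its value is that it narrows thousands of strings to a handful worth disassembling, without the device in hand.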

Protection

Last year, research firm Gartner said that the main obstacle for enterprises trying to secure their ICSs effectively is a lack of management focus on security.

Santamarta claims the best way to prevent an attack is to understand how the system can be attacked in the first place.

“You must know where the weaknesses exist before you can try to fix them,” he says. “A defence in-depth strategy is highly recommended.”

Contu adds that an organisation can combine several approaches to become as secure as possible.

“Make sure systems are patched up to date,” he says. “Perhaps deploy a security appliance to sit in front of the ICS, add anti-malware capabilities and if the ICS is critical then ban the use of USBs and other devices in the workplace.”