PROTECTING CRITICAL INFRASTRUCTURE AGAINST CYBER ATTACKS
Continuity Central | 15th January 2015
With attacks on critical infrastructure growing, Oded Gonda discusses the threat to SCADA networks and ICS and how these vital services can be protected.
Cyber attacks on critical infrastructure are on the increase, and are a growing concern for organizations and governments across the globe. Power generation facilities, metropolitan traffic control systems, water treatment systems and factories have recently been targeted by attackers. Vulnerabilities in these systems vary from basic issues, such as systems without passwords or with default-only passwords, to configuration issues and software bugs. But once an attacker is able to run software that has access to a controller, the likelihood of a successful, damaging, attack is high.
In December 2014, it was revealed that a steel mill in Germany had been hit by hackers who gained access to the plant’s production network and then prevented a blast furnace from being properly shut down, causing ‘massive’ damage. Earlier in the year, the US Department of Homeland Security announced it would investigate the possibility that the Havex Trojan had targeted industrial control systems compromising over 1,000 energy companies across Europe and North America. These exploits followed the well-known Stuxnet attack on Iran’s nuclear facilities, discovered in 2010.
Attacks such as these on critical infrastructure severely impact service uptime, data integrity, compliance and even public safety, and require that organizations take steps to deal with these security concerns. The first step is to understand the difference between ICS/SCADA and traditional IT environments.
Critical infrastructure facilities (electricity, oil, gas, water, waste, etc.) rely heavily on electrical, mechanical, hydraulic and other types of equipment. This equipment is controlled and monitored by dedicated computer systems known as controllers and sensors. These systems are connected to management systems, together forming networks that use SCADA (supervisory control and data acquisition) and ICS (industrial control system) solutions to enable efficient collection and analysis of data and help automate control of industrial equipment.
While SCADA/ICS networks and devices were designed to provide management and control with maximum reliability, they do not feature mechanisms to prevent unauthorized access or to cope with the evolving security threats originating from external or internal networks. But SCADA controllers are essentially small computers, using operating systems (often embedded Windows or Unix), software applications, accounts and logins, communication protocols, etc. What’s more, some of the management environments use standard computing environments such as Windows and Unix workstations. As a result, the familiar challenges associated with vulnerabilities and exploits apply to ICS and SCADA systems, with the additional challenge of such systems operating in environments that can be physically difficult to reach, or that cannot be taken offline.
ICS and SCADA networks are not always separated from corporate IT networks. Some companies may use the same LANs and WANs and encrypt their ICS and SCADA traffic across a shared infrastructure, but more often networks are interconnected to enable operational input from and/or export data to external third party systems. SCADA network devices have specific characteristics which can be very different than regular IT systems:
- They are often installed in locations that are difficult to access physically (e.g. on towers, on an oil rig, on industrial machinery), often in harsh environments;
- They often use propriety operating systems that may not be security-hardened;
- Their software cannot be updated or patched frequently, due to access limitations, concerns over downtime or the need to re-certify;
- They use proprietary or special protocols.
These differences create problems such as lack of authentication and encryption, and weak password storage that can allow attackers to gain access to the systems. Whilst most SCADA/ISC networks have some level of perimeter defence, including network segmentation and firewalling, attackers are always looking for alternative ways to get inside: for instance, through a gate that is left open, or by triggering operations from inside the organization that opens up a communication channel to the outside.
Typical tactics include:
- Using a remote access port used by vendor for maintenance;
- Hacking a legitimate channel between IT systems and ICS/SCADA systems;
- Convincing an internal user to click on a URL link in an email from a workstation that is connected both the ICS/SCADA network and to the Internet;
- Infecting laptops and/or removable media while outside the ICS/SCADA network, later infecting internal systems when they’re connected to the network for data collection or software updates;
- Making use of configuration mistakes in security or connected devices.
Once a hacker has infiltrated the SCADA network it becomes possible to send malicious commands to the devices in order to crash or halt their activity, and to interfere with specific critical processes controlled by them, such as the opening and closing of valves. This was the technique used in the attack against the German steel mill: the attackers gained access through the plant’s business network using a spear-phishing email, then worked their way into production networks to access systems controlling plant equipment.
To achieve the level of protection needed for industrial and critical networks, the security strategy must detect abnormal behaviour and prevent attacks while providing the organization with meaningful forensics to investigate breaches when they occur. All activity should be logged in an independent out-of-band process that is not related to the configuration of the SCADA devices, as those may be hacked by intruders. This should be supported by a baseline for normal behaviour on SCADA devices and define what is allowed, not allowed and what is considered suspicious, with automatic notification and prevention of deviations from the baseline.
It’s also critical to employ mechanisms for ensuring authorized access only, such as application control and identity awareness as well as threat prevention including firewalling, intrusion prevention, anti-virus and threat emulation. A key component of a multi-layered defence for SCADA devices should include threat intelligence to both share and gather intelligence on new and emerging threats to critical infrastructure, helping organizations to defend their networks against cyber threats before they enter the network.
Hackers are getting smarter and ever more interested in attacking critical infrastructures and, because of well-known vulnerabilities, SCADA networks are most at risk. Therefore it is essential that strategies and systems are implemented to protect both the network and the services they control, to protect not only organizations but the public too.
Oded Gonda ia VP of Network Security Products at Check Point.