Adversaries are getting smarter, more efficient, and consequently more successful at penetrating industrial networks. Statistics from a recent Booz Allen Hamilton survey reinforce this fact. The firm surveyed 314 organizations operating Industrial Control Systems (ICS) around the world, and revealed that 34 percent were breached more than twice in the last 12 months. In 2015, ICS operators reported more security incidents to U.S. authorities than in any year prior.
The threat landscape ICS operators face today is more hazardous than ever. The volume, types and severity of targeted threats are increasing rapidly, noted Booz Allen Hamilton. Operators across a range of industries disclosed that cyber attacks had disrupted and, in some cases, caused physical damage to their systems.
Securing industrial networks is no trivial task, primarily because most were built before cyber threats existed and were not designed with built-in security controls. Understanding today’s top threats to these networks is the first step in improving their security posture.
External Threats - APTs, Targeted Attacks and More
External cyber attacks targeting ICS networks can be sponsored by politically motivated adversaries (a nation state, terrorist group or hacktivists), but can also be part of industrial espionage activity. The goal of such attacks differs with the adversary’s motivation: politically motivated attacks are more likely to aim at operational disruption and physical damage, while industrial espionage is more concerned with theft of Intellectual Property (IP). Today, most industrial sectors, especially those involving critical infrastructure, are more likely to be targeted by politically motivated attacks looking to cause operational disruption and physical damage.
Even organizations that aren’t concerned about APTs or targeted attacks because they’re not in the critical infrastructure sector can suffer collateral damage. That’s because politically motivated ICS cyber attacks intended to disrupt operational systems use exploits that target technologies used across all industrial sectors. These attacks can inadvertently impact non-targeted organizations and their ICS networks.
Take, for example, the well-known case of the Stuxnet worm that targeted Iran. According to Siemens, Stuxnet infected at least 14 plants. It was also reported that the infected organizations included U.S.-based Chevron and Russian civilian nuclear power plants.
Internal Threats - Employees, Contractors with an Axe to Grind
A lot has been said about the insider threat to IT networks; industrial networks are equally at risk. Insiders with legitimate access to ICS networks include employees, contractors and third-party integrators. Since most ICS networks don’t have any authentication or encryption mechanisms that restrict user activity, any insider has unfettered access to every device in these networks. This includes the SCADA applications and the critical controllers responsible for the entire lifecycle of industrial processes.
A well-known example is the case of a disgruntled employee at Maroochy Water Services, Australia. The incident involved an individual who worked for a firm that installed a SCADA system for Maroochy Shire Council in Queensland, Australia. This person applied for a job at the Council but was not hired. The worker retaliated by using (possibly stolen) equipment to issue unauthorized commands that caused 800,000 liters of raw sewage to spill into local parks, rivers and even the grounds of a Hyatt Regency hotel. The environmental damage was extensive.
Human Error - Possibly The Biggest Threat to ICS
Human mistakes are inevitable. Yet they can be very costly. For many organizations the risks associated with human error can be more serious than the insider threat. In some cases, it is considered the biggest threat to the ICS system.
Human errors include incorrect settings, misconfigurations and PLC programming errors that cause hazardous changes in the process flow. Human error can also create vulnerabilities that external adversaries then exploit. A common example is a temporary connection set up for an integrator that remains open after the project has ended.
Other human error scenarios occur when employees use “creative measures” to get their work done. Consider employees who need to connect remotely to ICS networks but are not provided with secure access: they may set up unauthorized remote connections on their own. These unsanctioned connections can become infiltration points and expose the industrial network to external attacks.
Securing ICS networks from external and internal threats is a significant challenge since many do not have any authentication or authorization procedures in place. Most also lack controls to enforce access policies, security policies or change-management policies. In addition, there are no audit trails or logs that capture changes and activity to support forensic investigations.
As a result, when operational disruptions occur, it is very difficult to determine if they were caused by a cyber-attack, a malicious insider, human error or mechanical failure. This lack of visibility and controls limits the ability of operations staff to respond to events in a timely manner, raising the overall costs associated with operational disruption and mitigation efforts.
Securing ICS networks
Real-time visibility into industrial networks is the key to ICS security. To protect against external threats, malicious insiders and human error, industrial organizations must monitor all activities - whether executed by an unknown source or a trusted insider, and whether authorized or not.
Monitoring control-plane activity, namely the engineering changes made to industrial controllers either over the network or on the device, is the most effective way to detect unauthorized activities caused by ICS threats. New, specialized monitoring and control technologies designed specifically for ICS networks can provide the deep, real-time visibility required to identify suspicious or malicious activity, and take preventative action to limit or prevent damage.
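As an added illustration (not from the original article and not any vendor's product), the Python script below sketches the control-plane monitoring described above and the change-management gap described under human error: it replays a constructed event log of controller operations against a hypothetical allow-list of engineering workstations and a time-boxed integrator grant (all hostnames, addresses and dates are made up), records every controller change in an audit trail, and alerts on changes from unknown sources or from a temporary connection that outlived its project.

```python
# Added example: a minimal control-plane monitor for ICS engineering activity.
# All hostnames, dates and events below are constructed for illustration.
from datetime import datetime

# Operations that change controller logic or configuration (the control plane).
CONTROL_PLANE_OPS = {"logic_download", "config_write", "firmware_update", "mode_change"}

# Hypothetical change-management policy: permanent engineering workstations, plus
# a temporary integrator grant that expired when the project ended.
ENGINEERING_WORKSTATIONS = {"ews-01"}
TEMPORARY_GRANTS = {"integrator-laptop": datetime(2016, 3, 31, 23, 59, 59)}

def check_event(event):
    """Return None if the event is authorized, otherwise an alert string."""
    if event["op"] not in CONTROL_PLANE_OPS:
        return None  # tag reads and polling are routine data-plane traffic
    host = event["src"]
    if host in ENGINEERING_WORKSTATIONS:
        return None
    expiry = TEMPORARY_GRANTS.get(host)
    if expiry is not None and datetime.fromisoformat(event["time"]) <= expiry:
        return None
    reason = "expired temporary grant" if expiry else "unknown source"
    return f"{event['time']} {event['op']} on {event['plc']} from {host}: {reason}"

def audit(events):
    """Return (trail, alerts): every controller change goes into the audit trail
    so a later investigation can tell a change from a mechanical fault;
    unauthorized changes are also alerted on."""
    trail, alerts = [], []
    for e in events:
        if e["op"] in CONTROL_PLANE_OPS:
            trail.append((e["time"], e["src"], e["plc"], e["op"]))
        alert = check_event(e)
        if alert:
            alerts.append(alert)
    return trail, alerts

# Constructed sample events, not real captures.
SAMPLE_EVENTS = [
    {"time": "2016-03-15T10:02:00", "src": "ews-01", "plc": "plc-7", "op": "logic_download"},
    {"time": "2016-03-20T14:30:00", "src": "integrator-laptop", "plc": "plc-7", "op": "config_write"},
    {"time": "2016-04-02T03:11:00", "src": "integrator-laptop", "plc": "plc-7", "op": "logic_download"},
    {"time": "2016-04-02T03:12:00", "src": "hmi-3", "plc": "plc-7", "op": "read_tags"},
    {"time": "2016-04-05T22:47:00", "src": "10.9.8.7", "plc": "plc-2", "op": "mode_change"},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_EVENTS)[1]:
        print("ALERT:", line)
```

In the sample, the integrator's change during the project passes, the same laptop downloading logic after the grant expired is flagged, and a mode change from an unlisted address is flagged; the read from the HMI is neither logged nor alerted on.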