Dam Hackers! The Rising Risks to ICS and SCADA Environments

A German steel mill, a Ukrainian power grid, and an American dam all walk into a bar… Okay, so what could be the beginning of a bad joke is anything but a joke. No longer are data and dollars the only things at risk in cyber attacks. More and more, hackers are targeting critical infrastructure with the potential to disrupt operations and cause physical damage.

According to the 2015 Dell Security Annual Threat Report, worldwide SCADA attacks increased from 91,676 incidents in January 2012 to 163,228 in January 2013 and 675,186 in January 2014. In the Ponemon Institute's 2014 study, Critical Infrastructure: Security Preparedness and Maturity, 67 percent of the companies surveyed said they had suffered at least one cyber attack on their ICS/SCADA systems in the preceding year, and 78 percent expected a successful attack within the next two years.

So what is causing the upsurge? For one, more industrial control systems are being connected to the Internet. For companies looking for ways to do more with less and gain a competitive edge, the promises of the Industrial Internet of Things (IIoT) are hard to ignore: improved efficiency, increased productivity, lower costs, more automation and even better safety. But having it all is rarely achievable, and IIoT is no exception. Along with the benefits of Internet connectivity come the vulnerabilities endemic to the IT world, which now reach systems that were never built to withstand them.


Old Systems, New Vulnerabilities

In a sense, industrial control environments are like an old man: fragile, slow-paced, and not overly adept at dealing with change. Traffic in these environments is exceedingly low compared to a regular IT network, and for the most part the technology has been in place for 10+ years and was not designed with Internet connectivity in mind, let alone cybersecurity. Systems were physically isolated, and security measures revolved around policy, air gapping, and preventing outside exposure. As with that old man, the introduction of anything new and different can quickly wreak havoc.

By definition, an air-gapped system is connected neither to the Internet nor to any other untrusted network. Security experts would no doubt advise maintaining air gaps and staying off the Internet, but there is considerable debate over whether that advice is feasible. Can business and control networks really remain separate, and should they?

Even air-gapped systems are vulnerable to infected USB flash drives and to malicious, careless, or deceived insiders. Attackers used spear-phishing to get into the German steel mill's network and left a blast furnace that could not be shut down properly. Google dorking reportedly led the alleged Iranian hackers to the New York dam's control system, and had a sluice gate not been disconnected for maintenance, it might have ended with the gate being opened remotely.

Air-gapped or not, it is wise to assume the perimeter can be breached and to build additional defenses on that assumption.

Bring It Home

The industrial sector is full of geographically dispersed, remote facilities, most of which lack dedicated IT/OT staff and security expertise or, worse from a security perspective, are lights-out, locked down and unattended. Getting someone to them takes time, personnel and money, none of which is in good supply during an emergency.

Unfortunately, centralized administration is difficult when the designated monitoring networks are isolated and unavailable. A company could equip every substation with dedicated advanced detection tools, but that gets expensive once you apply the multiplier: 50, 100, 1,000 remote locations? And beyond the cost, it is probably unnecessary. If a site generates only 10 Mbps of traffic, there is no need for an appliance that can process a gigabit per second; it is overkill.

A better tack would be to route traffic back to a central processor for inspection.

NERC CIP provides a framework of security controls that leaves considerable room for interpretation and for multiple methods of compliance. For example, one company may satisfy a control by monitoring packet data, another by correlating log data, and a third simply by reducing exposure through air gaps and segmentation.

For companies that want to extend the advanced cybersecurity tools at the central production environment out to their substations, an out-of-band transport network that gives visibility into both packet data and syslog traffic can be very beneficial. One way to achieve this while keeping the ICS network segmented is to insert a passive network TAP between the local syslog server and the endpoints reporting to it, isolate the syslog traffic with an IP filter, and tunnel it over the out-of-band network to a central monitoring location. (As NSA's chief hacker Rob Joyce put it, out-of-band network taps are a nightmare to hack.)
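The filter stage of that design, as an added example that is not code from the article or from any vendor product: it parses raw frames copied off a passive tap, keeps only the UDP/514 syslog datagrams addressed to the local syslog server (10.10.1.5 here, an assumed address), decodes the RFC 3164 priority field, and returns the records that would be handed to the out-of-band tunnel. Everything else the tap sees, such as Modbus/TCP polling, ARP, or syslog bound for some other host, is dropped from the feed. The frames, addresses and log lines are constructed for the example.

```python
import re
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
SYSLOG_PORT = 514
SYSLOG_SERVER = "10.10.1.5"                # assumed address of the local syslog server
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")      # RFC 3164 priority field


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_ipv4(src, dst, proto, payload):
    """Minimal Ethernet/IPv4 frame (checksums left at 0: the tap feed is
    only ever parsed by this code, never re-injected into the network)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, _ip(src), _ip(dst))
    return ETH_HDR.pack(b"\xaa" * 6, b"\xbb" * 6, ETHERTYPE_IPV4) + ip_hdr + payload


def build_udp(src, dst, sport, dport, data):
    return build_ipv4(src, dst, PROTO_UDP,
                      struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)


def build_tcp(src, dst, sport, dport, data):
    # 20-byte TCP header, no options, PSH|ACK set
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return build_ipv4(src, dst, PROTO_TCP, tcp + data)


def parse_frame(raw):
    """Return (src_ip, dst_ip, proto, sport, dport, payload), or None for
    anything the filter does not understand (non-IPv4, truncated)."""
    if len(raw) < ETH_HDR.size + 20 or ETH_HDR.unpack_from(raw)[2] != ETHERTYPE_IPV4:
        return None
    ip = raw[ETH_HDR.size:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:total_len]
    if proto == PROTO_UDP and len(l4) >= 8:
        sport, dport, ulen, _ = struct.unpack_from("!HHHH", l4)
        return src, dst, proto, sport, dport, l4[8:ulen]
    if proto == PROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4)
        return src, dst, proto, sport, dport, l4[(l4[12] >> 4) * 4:]
    return None


def parse_syslog(data):
    """Split an RFC 3164 datagram into (facility, severity_name, message)."""
    m = PRI_RE.match(data)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri >> 3, SEVERITY[pri & 7], data[m.end():].decode("ascii", "replace").strip()


def syslog_feed(frames, server_ip=SYSLOG_SERVER):
    """The filter proper: keep UDP/514 datagrams addressed to the syslog
    server and drop everything else.  Returns the records to forward as
    (source_ip, facility, severity, message)."""
    records = []
    for raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        src, dst, proto, sport, dport, payload = parsed
        if proto != PROTO_UDP or dst != server_ip or dport != SYSLOG_PORT:
            continue
        rec = parse_syslog(payload)
        if rec:
            records.append((src,) + rec)
    return records


# Constructed sample of what the tap might copy in one interval: two syslog
# messages for our server, a Modbus/TCP read, syslog for another host, an ARP
# frame and a malformed datagram on 514.
SAMPLE_FRAMES = [
    build_udp("10.10.1.20", SYSLOG_SERVER, 40000, 514,
              b"<34>Jan  5 10:00:01 rtu-07 login: FAILED LOGIN for root from 10.10.1.99"),
    build_tcp("10.10.1.2", "10.10.1.20", 50123, 502,
              b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    build_udp("10.10.1.21", SYSLOG_SERVER, 40001, 514,
              b"<14>Jan  5 10:00:02 hmi-01 sshd: Accepted password for engineer"),
    build_udp("10.10.1.22", "10.10.1.50", 40002, 514, b"<13>not for our server"),
    b"\xff" * 6 + b"\xbb" * 6 + b"\x08\x06" + b"\x00" * 28,
    build_udp("10.10.1.23", SYSLOG_SERVER, 40003, 514, b"no PRI header"),
]

if __name__ == "__main__":
    for src, facility, severity, msg in syslog_feed(SAMPLE_FRAMES):
        print(f"{src} facility={facility} severity={severity}: {msg}")
```

The filter only reads: there is no socket back toward the control network, which is what makes the tap-side half of the design one-way. The same property has to hold for the tunnel itself (a unidirectional gateway or equivalent) before the whole monitoring path can be treated as something an attacker cannot ride back in on.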

Centralization preserves the air gap while enabling one-way monitoring: a passive tap feeding an out-of-band network gives the central site no path back into the control network, so the monitoring link is not itself an attack vector, provided the transport is genuinely unidirectional. The same feed yields intelligence on how a system might be targeted and lets defenders detect and respond to a wide range of threats, immediately and remotely.
