Son of Stuxnet: Is SCADA the New Low Hanging Hacker Fruit?

Stuxnet Showed that Control Systems are Strategic Targets of Larger Powers and That the Consequences can be Extremely Critical.

At this year’s Real Time ACS conference, a few consistent themes surfaced from some of the best minds in the industry. Some of the points that bubbled to the top are worthy of repetition: one is that while Stuxnet was extremely sophisticated and targeted, there are many broader and simpler attacks that are now not only possible, but easy. This was most evident when Ralph Langner showed how to shut down a control process with just 14 bytes of code. Note that he was not backed by a nation-state or cyber-terrorist group; he was one man (albeit a very talented one). Another common theme was that Industrial Control Systems are now in the limelight. For reasons ranging from individual hacker pride to military cyber strategy, control systems have become a prime target for hackers. In other words, industrial control systems are the new “low hanging fruit” of cyber security, and hackers have developed a taste for them. Bon appétit!

My own presentation, though hindered by a few technical difficulties, highlighted that there is a problem in how we run security operations within critical facilities that exacerbates this new hunger for easy-to-reach fructose. Our security operations, no matter how robust or well trained, are still separated from SCADA and ICS systems. That is, IT security is still disjointed and removed from the needs and concerns of the control system. Even worse, the fancy tools that fill long banks of high definition monitors with colorful bar charts and graphs are almost completely blind to the very systems that are the ultimate target of the new industrial hacker. This is a problem, because the primary requisite for situational awareness is perception (followed shortly by decision making and a reaction based on that perception). If you’re blind to what’s going on in the control system, that initial perception will be incomplete, leading to a situational awareness “fail.”

At first, this seems to contradict one of the primary recommendations in my book, “Industrial Network Security,” where I state very plainly that network separation should be enforced in every possible area. If two systems don’t need to communicate, separate them and prevent that communication from occurring at all. Business systems and SCADA systems certainly fall into these two categories, as do SCADA and ICS systems. For those who don’t read my regular column on SecurityWeek, or who are unfamiliar with the distinction between SCADA and ICS, let me elaborate: SCADA systems provide supervision and control to an industrial process, while the Industrial Control System or ICS is what makes up the industrial process itself. So how is it possible to implement network separation between Business, SCADA, and ICS networks while also providing better end-to-end visibility across all three?

The answer lies in motive and intent: the sweet reward of hacking a control system is the ability to manipulate controls, while the aim of cyber security monitoring is simply to see what’s going on. In plainer terms: one is about control, the other is about visibility.

If the goal of hacking a control system is to take control, then we strive to lock down access to those controls using the full arsenal available to us. We build physical and cyber barriers to lock down all access and control to only those few users and devices that are authorized. In my book I use the term “enclaves” to define those selective groups of users and devices that should be allowed to communicate, because the term is so fitting. According to Webster, an enclave is “a distinct territorial, cultural, or social unit enclosed within or as if within foreign territory.” The term stems from diplomacy and basically implies an area of control and trust that is isolated within an area that lacks control and trust. In cyber security terminology, we group trusted and authorized users and systems together, and keep a suspicious eye on everything around us. We use network-based security controls to harden perimeters, while using host-based security controls to strengthen the interior.

By applying this methodology to cyber security, we can create secure enclaves for the Business network, the SCADA systems, the ICS, and perhaps some DMZs. Each is treated like an encampment behind enemy lines, and the borders are diligently protected. We can also create secure enclaves-within-enclaves inside the Business network, the SCADA network and the ICS for the sole purposes of security monitoring. This provides localized visibility within each area, which is one half of the battle. To provide security operators with visibility across many enclaves at once, controlled information flows then need to be established between each new cyber security enclave. Think of it as a military information corps or a secret service agency, delivering critical intelligence to the front; special privileges are granted to facilitate the exchange of needed intelligence. In terms of cyber security, information security personnel replace secret agents and they are armed with log analysis and forensics toolkits rather than side arms. Networked information paths replace bridges and roads, and Security Information and Event Management systems replace RADAR.
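To make the control-versus-visibility split concrete, here is a small policy model, written for this page as an added illustration rather than anything from the column or the book. The enclave names, protocol classes and permitted flows are constructed assumptions: each operational enclave may send telemetry only to its own security enclave, each security enclave may forward only to the central security operations enclave, and no control traffic crosses an enclave border in either direction.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical enclave names modelled on the column: three operational
# enclaves, a security-monitoring enclave nested inside each, and the
# central security operations enclave ("soc") that receives the intelligence.
ENCLAVES = {"business", "scada", "ics",
            "business_sec", "scada_sec", "ics_sec", "soc"}
OPERATIONAL = {"business", "scada", "ics"}

# Constructed protocol classes: "control" can change process state,
# "visibility" is read-only telemetry destined for security operators.
CONTROL_PROTOCOLS = {"modbus-write", "dnp3-operate", "hmi-session", "rdp"}
VISIBILITY_PROTOCOLS = {"syslog", "netflow", "span-mirror", "snmp-trap"}

# Permitted visibility flows, one direction only: an enclave reports to its
# own security enclave, and each security enclave forwards to the SOC.
VISIBILITY_FLOWS = {
    ("business", "business_sec"), ("scada", "scada_sec"), ("ics", "ics_sec"),
    ("business_sec", "soc"), ("scada_sec", "soc"), ("ics_sec", "soc"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Decide whether a proposed inter-enclave flow honours the policy."""
    if flow.src not in ENCLAVES or flow.dst not in ENCLAVES:
        return False, "unknown enclave"
    if flow.protocol in CONTROL_PROTOCOLS:
        # Control never crosses a border, and the monitoring enclaves never
        # originate it: visibility must not become a path back into the process.
        if flow.src == flow.dst and flow.src in OPERATIONAL:
            return True, "control stays inside its own enclave"
        return False, "control traffic must not cross an enclave boundary"
    if flow.protocol in VISIBILITY_PROTOCOLS:
        if (flow.src, flow.dst) in VISIBILITY_FLOWS:
            return True, "telemetry flowing outward to security operations"
        return False, "telemetry only flows along the designated one-way paths"
    return False, "unclassified protocol; default deny"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every proposed flow the policy rejects, with the reason."""
    rejected = []
    for f in flows:
        ok, why = evaluate(f)
        if not ok:
            rejected.append((f, why))
    return rejected
```

Running `audit` over a proposed ruleset before it reaches a firewall is one way to catch a monitoring link that has quietly been turned into a control path.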

The shift from fruit analogies to military ones is not coincidental. Low-hanging fruit or not, Stuxnet showed us that control systems are strategic targets of larger powers and that the consequences can be extremely critical. Build your cyber security plan around the latter and the trend of casual control systems hacking can be nipped in the bud, because hackers looking for low hanging fruit are going to find themselves biting off more than they can chew.

Eric D. Knapp (@ericdknapp) is a recognized expert in industrial control systems cyber security, and continues to drive the adoption of new security technology in order to promote safer and more reliable automation infrastructures. Eric is currently the Director of Cyber Security Solutions and Technology for Honeywell, and is the Chief Technical Advisor, North America for the Industrial Cybersecurity Center. He is also the author of “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA and Other Industrial Control Systems.” His new book, “Applied Cyber Security for Smart Grids” was co-authored with Raj Samani, McAfee CTO EMEA. The opinions expressed here represent Eric's own and are not those of his employer.