
Son of Stuxnet: Is SCADA the New Low Hanging Hacker Fruit?

Industrial Control Systems Security

Stuxnet Showed that Control Systems are Strategic Targets of Larger Powers and That the Consequences can be Extremely Critical.


At this year’s Real Time ACS conference, a few consistent themes surfaced from some of the best minds in the industry. Some of the points that bubbled to the top are worthy of repetition: one is that while Stuxnet was extremely sophisticated and targeted, there are many broader and simpler attacks that are now not only possible, but easy. This was most evident when Ralph Langner showed how to shut down a control process with just 14 bytes of code. Note that he was not backed by a nation-state or cyber-terrorist group; he was one man (albeit a very talented one). Another common theme was that Industrial Control Systems are now in the limelight. For reasons ranging from individual hacker pride to military cyber strategy, control systems have become a prime target for hackers. In other words, industrial control systems are the new “low hanging fruit” of cyber security, and hackers have developed a taste for them. Bon appétit!

My own presentation, though hindered by a few technical difficulties, highlighted that there is a problem in how we run security operations within critical facilities that exacerbates this new hunger for easy-to-reach fructose. Our security operations, no matter how robust or well trained, are still separated from SCADA and ICS systems. That is, IT security is still disjointed and removed from the needs and concerns of the control system. Even worse, the fancy tools that fill long banks of high definition monitors with colorful bar charts and graphs are almost completely blind to the very systems that are the ultimate target of the new industrial hacker. This is a problem, because the primary requisite for situational awareness is perception (followed shortly by decision making and a reaction based on that perception). If you’re blind to what’s going on in the control system, that initial perception will be incomplete, leading to a situational awareness “fail.”

At first, this seems to contradict one of the primary recommendations in my book, “Industrial Network Security,” where I state very plainly that network separation should be enforced in every possible area. If two systems don’t need to communicate, separate them and prevent that communication from occurring at all. Business systems and SCADA systems certainly fall into these two categories, as do SCADA and ICS systems. For those who don’t read my regular column on SecurityWeek, or who are unfamiliar with the distinction between SCADA and ICS, let me elaborate: SCADA systems provide supervision and control to an industrial process, while the Industrial Control System or ICS is what makes up the industrial process itself. So how is it possible to implement network separation between Business, SCADA, and ICS networks while also providing better end-to-end visibility across all three?

The answer lies in motive and intent: the sweet reward of hacking a control system is the ability to manipulate controls, while the aim of cyber security monitoring is simply to see what’s going on. In plainer terms: one is about control, the other is about visibility.

If the goal of hacking a control system is to take control, then we strive to lock down access to those controls using the full arsenal available to us. We build physical and cyber barriers to restrict all access and control to only those few users and devices that are authorized. In my book I use the term “enclaves” to define those selective groups of users and devices that should be allowed to communicate, because the term is so fitting. According to Webster, an enclave is “a distinct territorial, cultural, or social unit enclosed within or as if within foreign territory.” The term stems from diplomacy and basically implies an area of control and trust that is isolated within an area that lacks control and trust. In cyber security terminology, we group trusted and authorized users and systems together, and keep a suspicious eye on everything around us. We use network-based security controls to harden perimeters, while using host-based security controls to strengthen the interior.

By applying this methodology to cyber security, we can create secure enclaves for the Business network, the SCADA systems, the ICS, and perhaps some DMZs. Each is treated like an encampment behind enemy lines, and the borders are diligently protected. We can also create secure enclaves-within-enclaves inside the Business network, the SCADA network and the ICS for the sole purposes of security monitoring. This provides localized visibility within each area, which is one half of the battle. To provide security operators with visibility across many enclaves at once, controlled information flows then need to be established between each new cyber security enclave. Think of it as a military information corps or a secret service agency, delivering critical intelligence to the front; special privileges are granted to facilitate the exchange of needed intelligence. In terms of cyber security, information security personnel replace secret agents and they are armed with log analysis and forensics toolkits rather than side arms. Networked information paths replace bridges and roads, and Security Information and Event Management systems replace RADAR.
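The enclave model above, and the earlier point that security operations must be able to see into the control system without being able to touch it, can be expressed as a flow policy that an engineer can check before a firewall change goes in. The following is an added example written for this column, not code from the book or from any product: it models the Business, DMZ, SCADA and ICS enclaves, a monitoring enclave inside each, and a central security operations enclave holding the SIEM, and it answers one question for any proposed flow: is this an authorized control path, the one-way intelligence path from a monitoring enclave to the SIEM, or neither? Enclave names, the Modbus/TCP and HTTPS control paths and the syslog-over-TLS port are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed topology: four operational enclaves plus a security operations
# enclave that hosts the SIEM. All names and ports here are assumptions.
ENCLAVES = {"business", "dmz", "scada", "ics", "secops"}

# Enclaves-within-enclaves for monitoring: each hosts the local log and packet
# collectors and is treated as part of its parent for interior traffic.
MONITOR_PARENT = {
    "business-monitor": "business",
    "scada-monitor": "scada",
    "ics-monitor": "ics",
}

SIEM_PORT = 6514  # syslog over TLS into the secops enclave (assumed)

# Explicitly authorized cross-enclave control paths (assumed):
# web/historian traffic through the DMZ, and Modbus/TCP from SCADA down to ICS.
CONTROL_ALLOW = {
    ("business", "dmz", "tcp", 443),
    ("dmz", "scada", "tcp", 443),
    ("scada", "ics", "tcp", 502),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def parent(zone):
    """Map a monitoring enclave to the enclave that encloses it."""
    return MONITOR_PARENT.get(zone, zone)


def classify(flow):
    """Return ("allow" | "deny", reason) for a proposed flow."""
    known = ENCLAVES | set(MONITOR_PARENT)
    if flow.src not in known or flow.dst not in known:
        return ("deny", "unknown enclave")
    src_p, dst_p = parent(flow.src), parent(flow.dst)
    # 1. Traffic inside one enclave (including its monitor) is the job of the
    #    host-based controls, not the perimeter.
    if src_p == dst_p:
        return ("allow", "intra-enclave")
    # 2. The single sanctioned egress from a monitoring enclave: intelligence
    #    delivered to the SIEM. Anything else leaving a monitor is denied, so a
    #    compromised collector cannot be turned into a control path.
    if flow.src in MONITOR_PARENT:
        if flow.dst == "secops" and flow.proto == "tcp" and flow.port == SIEM_PORT:
            return ("allow", "log export to SIEM")
        return ("deny", "monitor enclave egress limited to SIEM")
    # 3. Nothing originates in secops: the SOC gets visibility, never control.
    if flow.src == "secops":
        return ("deny", "secops is read-only")
    # 4. Monitoring enclaves accept nothing from outside their parent.
    if flow.dst in MONITOR_PARENT:
        return ("deny", "monitor enclave accepts no external traffic")
    # 5. Remaining cross-enclave traffic needs an explicit control-path entry.
    if (src_p, dst_p, flow.proto, flow.port) in CONTROL_ALLOW:
        return ("allow", "authorized control path")
    return ("deny", "no authorized path")


def audit(flows):
    """Return the (flow, reason) pairs that the policy would deny."""
    return [(f, classify(f)[1]) for f in flows if classify(f)[0] == "deny"]


if __name__ == "__main__":
    # Constructed change request: a mix of legitimate and mistaken rules.
    proposed = [
        Flow("scada", "ics", "tcp", 502),
        Flow("ics-monitor", "secops", "tcp", 6514),
        Flow("business", "ics", "tcp", 502),
        Flow("secops", "ics", "tcp", 502),
        Flow("scada-monitor", "ics", "tcp", 502),
        Flow("business", "ics-monitor", "tcp", 6514),
    ]
    for f in proposed:
        verdict, why = classify(f)
        print(f"{verdict:5} {f.src:>16} -> {f.dst:<16} {f.proto}/{f.port}  ({why})")
```

Rules 2 and 3 carry the column's distinction between control and visibility: intelligence flows out of every enclave toward the security operations centre, and nothing flows back. Running the sample request shows four of the six proposed rules denied, including the two that would quietly have given a monitoring host or the SOC a path onto the ICS network.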


The shift from fruit analogies to military ones is not coincidental. Low-hanging fruit or not, Stuxnet showed us that control systems are strategic targets of larger powers and that the consequences can be extremely critical. Build your cyber security plan around the latter and the trend of casual control systems hacking can be nipped in the bud, because hackers looking for low hanging fruit are going to find themselves biting off more than they can chew.

Related Reading: Industrial Control Systems Security One Year After Stuxnet

Related Reading: Bridging the Air Gap: Examining Attack Vectors into Industrial Control Systems

Related Reading: Are Industrial Control Systems Secure?

Related Reading: How to Make the Smart Grid Smarter than Cyber Attackers

Related Reading: The Increasing Importance of Securing The Smart Grid

Related Reading: Stuck on Stuxnet – Are Grid Providers Prepared for Future Assaults?
