Introduction

In the last few years, awareness within the worldwide security community of the risks of cyber-attacks against a country's critical infrastructure has grown; leading security experts consider such an event extremely likely.

Probably the strongest jolt has been caused by events such as the spread of the cyber weapon Stuxnet. It represented a historic change in the conception of military conflict: by using malicious code, an actor in cyberspace could cause serious damage to entire populations.

Stuxnet is considered the first virus used to hit the critical infrastructures of foreign governments; in particular, the malicious code hit the SCADA (Supervisory Control And Data Acquisition) used for the control and monitoring of industrial processes.

SCADA systems are not confined to a single industry: manufacturing, production, electric grids and large communication systems all make heavy use of these technologies.

The principal question is: are governments able to secure their infrastructures from cyber-attacks?

SCADA components are considered privileged targets for cyber-attacks. Using cyber tools, it is possible to disrupt or destroy an industrial process. This was the approach used in the attack on the nuclear facility at Natanz, intended to interfere with the Iranian nuclear program.

Although Western countries were the first to explore a cyber-offensive using a cyber-weapon, and despite the US government's strong interest in the matter, governments are aware that the infrastructures of their respective countries remain vulnerable to cyber-attacks.

Janet Napolitano, head of Homeland Security, recently warned that a “cyber 9/11”, which could cripple critical infrastructures such as telecommunication, water, electricity and gas, may be “imminent.” She urged Congress to pass a cyber-attack bill, a scenario that outgoing US Secretary of Defense Leon Panetta has raised on more than one occasion.

“We shouldn’t wait until there is a 9/11 in the cyber world. There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage,” Napolitano said.

The US government has understood the destructive power of a cyber-attack: the equivalent of a conventional military attack, but far more subtle and harder to identify in time.

A cyber-attack could shut down a telecommunication system or interrupt financial services, events that could bring a country's vital operations to a halt. The chairman of the House Intelligence Committee, Mike Rogers, declared that 95 percent of private sector networks are vulnerable, and most have already been hit. This is a worrying scenario that reveals the fragility of the nation's IT infrastructure. Rogers introduced the Cyber Intelligence Sharing and Protection Act (CISPA) in November 2011, when he confirmed that hackers have increased their pressure on US infrastructure and pointed to China and Iran as the most active countries against US cyber infrastructure.

“They’re taking blueprints back, not just military documents, but civilian innovation that companies are going to use to create production lines to build things,”

“They’re stealing that, repurposing it back in nations like China, and competing in the international market.” Rogers told CBS that the US government has essentially “set up lawn chairs, told the burglars where the silver is … and opened the case of beer and watched them do it.”

An attack on the SCADA systems of a critical infrastructure could undermine the safety of millions of individuals and compromise homeland security. Thousands of installations all over the world are potentially vulnerable to attacks from anywhere on the planet, in what is considered an “asymmetric war.”

Various actors in cyberspace could mount an attack against a critical infrastructure, from cyber terrorists to hacktivists, but the most active appear to be state-sponsored hackers.

New attacks, old technologies

What has changed since the discovery of Stuxnet in 2010, and what effect has it had on the global IT community?

The hunt for vulnerabilities in the major SCADA systems has intensified, as the value of knowing about a bug has grown exponentially, both for those who intend to carry out an attack and for the producers of these systems, which are considered critical for the functions they perform.

Vulnerabilities in critical infrastructures like the energy grid, water supply facilities, telecommunication systems and transportation have skyrocketed 600% since 2010, according to data reported in NSS Labs’ Vulnerability Threat Report.

Figure 1 – Vulnerabilities, Vendors, Products – NSS Labs

The report revealed a significant increase in hardware and software vulnerabilities related to industry. Furthermore, the research demonstrates that too many SCADA systems are aging and out of date.

The following are key findings from the report:

  • The five-year trend of decreasing vulnerability disclosures ended abruptly in 2012 with a +12% increase.
  • More than 90 percent of the vulnerabilities disclosed are moderately or highly critical and therefore relevant. 9 percent of the vulnerabilities disclosed in 2012 are extremely critical (CVSS score > 9.9) and paired with low attack/exploitation complexity.
  • On average, around one percent of vendors account for 31 percent of the vulnerabilities disclosed per year.
  • Only one of the top 10 vendors managed to reduce vulnerability disclosures in 2012 compared to the average disclosures of the ten preceding years.
  • Microsoft and Apple operating system vulnerabilities decreased significantly from 2011 to 2012, by 56 percent and 53 percent respectively.
  • Industrial control systems (ICS/SCADA) saw a more than sixfold increase in vulnerabilities from 2010 to 2012.

The study revealed that vulnerabilities disclosed in 2012 affected a remarkable number of vendors: there were flaws in over 2,600 products from 1,330 vendors. What is striking is that 73% of these are new vendors for which no vulnerability notifications had been issued in the last couple of years. The research shows that the threat landscape remains highly dynamic, with new vendors continually emerging as technologies (and threats) evolve.

Figure 2 – Criticality of Vulnerabilities – NSS Labs

Another factor to consider emerged from an interesting analysis of the level of complexity needed to successfully attack industrial systems once an attacker has gained access to the target. The results revealed that the share of low-complexity vulnerabilities decreased from a high of over 90% in 2000 to 48% in 2012. Over the same period, medium-complexity vulnerabilities increased their share from 5% to 47% (2,431 disclosures in 2012). Disclosures of highly complex vulnerabilities have been mostly stable over the last decade, with an average share of 4%.

Figure 3 – Required Attack complexity – NSS Labs

According to security experts, the main problem with SCADA systems is that they were not designed to be connected to the internet; the principal security issues were simply not considered during their development.

Security professional Dale G. Peterson reminded us that last year Digital Bond’s Project Basecamp exposed a significant number of vulnerabilities in industrial PLCs manufactured by major vendors such as General Electric, Rockwell and Schneider.

“They were embarrassingly easy to compromise,” Peterson declared. “It was pretty trivial to cause serious damage. And this is 10 years after 9/11. They should know better.”

Another serious aspect emerging from the results of Project Basecamp is the inaction of manufacturers who, when informed of the flaws, did not respond.

“They have gone years without having to fix these problems. Some of them think they can go another 10 years without fixing anything,” Peterson lamented.

What is the attack surface of SCADA?

We have discussed critical vulnerabilities and security flaws in the principal SCADA systems. But to better understand which actors could hit these components, it is necessary to analyze their architecture and the relationships between the internal components.

The market offers a huge range of products with different characteristics depending on their final use. It is nevertheless possible to describe the typical structure of a SCADA system, which is composed of the following components:

  • A human–machine interface (HMI) is the component responsible for presenting data to a human operator; typically it is a console that makes it possible to monitor and control the process.
  • Remote terminal units (RTUs) are microprocessor-controlled electronic devices that interface the sensors to SCADA by transmitting telemetry data.
  • The supervisory system is responsible for data acquisition and for control activities on the process.
  • Programmable logic controllers (PLCs) are used as field devices and act as the final actuators.
  • The communication infrastructure connects the supervisory system to the remote terminal units.
  • Various process and analytical instrumentation.

Attackers have several entry points to compromise the system. Malware, for example, could be used to infect the supervisory component, which is usually a computer running a commercial OS. The OS could be compromised by exploiting 0-day vulnerabilities or other well-known flaws; in many cases an exploit kit retrieved from the internet is enough to conduct the attack. SCADA could be infected in various ways: a virus could be introduced through a USB stick or via a network interface. For this reason, it is fundamental that the perimeter of these devices is properly protected and that personnel with access to the system follow best practices.

SCADA systems face thousands of potential cyber-attacks daily from groups of hackers who, for different purposes, are exploring the possibility of hitting critical infrastructures and inflicting serious damage. The need for security recognized by the IT community has created a new market, focused on consulting services that analyze industrial systems and discover their principal vulnerabilities.

The cyber strategy of any state makes the security of critical infrastructures its topmost priority, in particular the global energy industry. An analysis from Frost & Sullivan reports market revenues of $18.31 billion in 2011, estimated to reach $31.27 billion in 2021. Investment is driven by the growth of the sector and the related need for physical and cyber security.

Anshul Sharma, Senior Research Analyst at Frost & Sullivan Aerospace, Defence & Security, declared:

“Global oil and gas companies are investing capital in new infrastructure projects, driving the need for security solutions at these facilities,” “With increasing awareness of threats, companies are adopting a security-risk management approach and implementing risk assessment of their facilities to ensure security Return on Investment (ROI).” “The threats may vary from information theft to a terrorist attack, but the economic impact and financial damage in case of an attack will be much more significant,” “It would also depend on the motive of the attacker. For example, a cyber attack to remotely control a SCADA system can have more serious consequences than a cyber attack to steal information.”

According to a report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), three instances of malware were discovered by chance after a scan of a USB drive used to back up control system configurations. The concerning news is that the malicious code was highly sophisticated, suggesting the possible involvement of groups of highly skilled professionals dedicated to researching flaws in their targets.

The report reinforces the need to adopt appropriate and elementary defense measures that have been ignored for a long time:

“While the implementation of an antivirus solution presents some challenges in a control system environment, it could have been effective in identifying both the common and the sophisticated malware discovered on the USB drive and the engineering workstations.”

It must be considered that, despite the strong commitment of governments, the majority of control systems are privately owned, and the lack of investment in security creates optimal conditions for attackers. Similar incidents are not rare: in October, ICS-CERT reported the infection of 10 computers linked to another power company’s turbine, again via a USB drive.

The list is long. Here is a summary of the vulnerability analysis published by ICS-CERT:

“In fiscal year 2012, ICS-CERT tracked 171 unique vulnerabilities affecting ICS products. ICS-CERT coordinated the vulnerabilities with 55 different vendors. The total number of different vulnerabilities increased from FY 2011 to FY 2012, but buffer overflows still remained as the most common vulnerability type.”

Figure 4 – Vulnerabilities by type ICS-CERT 2012


Figure 5 – ICS-CERT Incident by Sector 2012

It’s clear that new opportunities for cyber security experts will be created in the coming years, as top managers recognize what is needed to sustain a safe and profitable business.

Executive orders and cyber strategies focused on critical infrastructures

Recently, many organizations have addressed the security level of critical infrastructures. The European Network and Information Security Agency (ENISA) published the report titled “ENISA Threat Landscape – Responding to the Evolving Threat Environment”, which summarizes the principal cyber threats; once again, critical infrastructures are identified as privileged targets of emerging threat trends.

Practically every sector is exposed to the risk of cyber-attacks: public health, energy production and telecommunication are all sectors menaced by cyber threats, urging the establishment of security countermeasures.

Hackers are increasingly targeting countries' critical infrastructures: the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 198 cyber-incidents against critical infrastructures in 2012, up from 130 incidents in 2011 (+52%). The sector that suffered the most attacks in 2012 was energy, accounting for 41 percent of reported events, followed by water with 15 percent.

What are governments' strategies, on a global scale, to protect critical infrastructures?

Last week Catherine Ashton, the High Representative of the European Union for Foreign Affairs and Security Policy, and the European Commission submitted to the Council and the European Parliament a draft “Cybersecurity Strategy of the European Union”.

The document sets out a cyber-strategy to protect information and communications technology across the countries of the EU, helping to ensure a cyberspace that is “open, safe and secure,” in collaboration with other national and international authorities.

“All these factors explain why governments across the world have started to develop cybersecurity strategies and to consider cyberspace as an increasingly important international issue. The time has come for the EU to step up its actions in this area.”

The document confirms the increase in the number of cyber threats posed by various actors and their impact on the social fabric:

“Information and communications technology has become the backbone of our economic growth and is a critical resource which all economic sectors rely on. It now underpins the complex systems which keep our economies running in key sectors such as finance, health, energy and transport; while many business models are built on the uninterrupted availability of the Internet and the smooth functioning of information system.”

The document is logically organized in the following sections:

  • Principles for cybersecurity
  • Strategic priorities and actions
  • Roles and responsibilities

Cybercrime is considered a primary menace; the more we live in a digital world, the more opportunities cyber criminals have to exploit, and it is fundamental to reduce its impact rapidly. Cybercrime is considered the most aggressive and fastest-growing form of crime.

The principal actions to reduce cybercrime are:

  • definition of strong and effective legislation
  • enhanced operational capability to combat cybercrime
  • improved coordination at EU level

“Cyber-defense capability development should concentrate on detection, response and recovery from sophisticated cyber threats.”

The document promotes the development of industrial and technological resources for cyber-security in member countries by promoting a single market for cyber-security products and fostering R&D investment and innovation. The last aspect described in the draft is the establishment of an international cyberspace policy for the European Union.

Overseas the situation is much the same: President Barack Obama has just signed an executive order on cyber-security whose primary goal is to improve the network security of US “critical infrastructure”. It assigns the National Institute of Standards and Technology the responsibility of developing, within 240 days, a framework of best practices for operators in the country's critical sectors (e.g. industry, transportation, water and health). The policy places the following three strategic principles at the base of the reform process:

  • Enhance the security of national critical infrastructures and their resilience to cyber-attacks through a clear assignment of roles and responsibilities to each governmental entity.
  • Encourage and support an effective and efficient exchange of information on cyber threats; the information flow must involve both government and private actors.
  • Develop a framework for the analysis of data on cyber threats and incidents that have occurred in every critical sector of the country, with particular attention to emerging risks.

The executive order demonstrates the great importance the US government attaches to protecting national infrastructures that are hit daily by cyber-attacks. The plan is certainly ambitious and difficult to implement within the time set by the government, but it is a tangible demonstration of its commitment; the strategy needs the active support of intelligence agencies and the effort of every citizen.

Treasure hunt… searching for vulnerabilities

One of the principal problems related to the security of critical infrastructures is the level of awareness of the effects of cyber-attacks. Before the discovery of Stuxnet, the worldwide security community had always underestimated the possible effects of a cyber-attack, in many cases rejecting the very concept of cyber warfare. Fortunately, that event changed the perception of cyber threats, and every government is now approaching the problem by defining an efficient cyber strategy.

Another very important factor to consider is the level of knowledge needed for a cyber-attack. Contrary to what one might believe, attacking a SCADA system is not so hard. There are many techniques that could be used to compromise a control system. In many instances, the absence of defense systems, improper configurations, zero-day vulnerabilities and superficial patch management processes give the attacker an advantage. The main problem is that, potentially, any individual with no particular knowledge could simply gather information on a target and pick a readily available exploit kit for it.

One of the instruments preferred by attackers is the “Shodan Computer Search Engine”, considered the equivalent of Google for machines exposed on the internet; it provides a search engine for servers, routers, load balancers and any other network device.

Finding SCADA systems exposed on the internet is very easy. The popular website offers further useful information on the potential targets; what is really alarming is that the majority of these systems lack proper authentication mechanisms and in many cases are not updated.

Figure 6 – SHODAN service

An article posted on the web portal ThreatPost, titled “Shodan Search Engine Project Enumerates Internet-Facing Critical Infrastructure Devices”, described the use of the well-known portal to conduct a vulnerability assessment of control systems within critical infrastructures.

Two critical infrastructure protection specialists, Bob Radvanovsky and Jacob Brodsky of the consulting firm InfraCritical, worked with the Department of Homeland Security for 9 months to discover the devices present inside US critical infrastructures. They initially discovered 500,000 devices. Many of them are exposed online without proper defenses, typically protected by weak authentication mechanisms based on default passwords. SCADA devices are used not only by critical infrastructures such as communication, energy and water utilities, but also by common HVAC systems, traffic control systems and building automation control systems. SCADA systems are very widespread, and DHS tried to narrow the initial list to the most relevant systems, identifying a final list of 7,200 devices.

The ThreatPost article cited research made by another group of experts, Terry McCorkle and Billy Rios, showing “more than 1,000 vulnerabilities in Internet-facing HMI interfaces that translate SCADA data into visualizations of critical infrastructure. More than 90 of those were exploitable flaws, including SQL injection, buffer overflows and more.”

In June, the Pacific Northwest National Laboratory (PNNL), a federal contractor for the U.S. Department of Energy (DOE), in collaboration with McAfee, published an interesting report entitled “Technology Security Assessment for Capabilities and Applicability in Energy Sector Industrial Control Systems: McAfee Application Control, Change Control, Integrity Control.”

The report provides an excellent picture of the current status of critical infrastructures and the effort spent to identify and fix vulnerabilities; in particular it analyzes the value and effectiveness of carefully integrated security solutions necessary to support the national security mission to secure industrial control system environments.

Very meaningful is the statement by Philip A. Craig Jr., Senior Cyber Security Research Scientist within the National Security Directorate at the Pacific Northwest National Laboratory:

“When early critical infrastructure systems were created, neither security nor misuse of the interconnected network was considered.”

“Today, we are still focused on enhancing the security of control systems. Outdated security methods that use a maze of disparate, multi-vendor, and stacked security tools will only delay a cyber-attack, providing numerous opportunities for a more advanced and modern cyber adversary to attack cyber security postures throughout critical infrastructure.”

The document lists the principal vulnerabilities identified for control system environments:

  • Increased Exposure: Communication networks linking smart grid devices and systems will create many more access points to these devices, resulting in an increased exposure to potential attacks.
  • Interconnectivity: Communication networks will be more interconnected, further exposing the system to possible failures and attacks.
  • Complexity: The electric system will become significantly more complex as more subsystems are linked together.
  • Common Computing Technologies: Smart grid systems will increasingly use common, commercially available computing technologies and will be subject to their weaknesses.
  • Increased Automation: Communication networks will generate, gather, and use data in new and innovative ways as smart grid technologies will automate many functions. Improper use of this data presents new risks to national security and our economy.

As you know, I’m Italian and I support the excellent work done by a couple of Italian security specialists, Luigi Auriemma and Donato Ferrante, founders of the company ReVuln. They published an interesting proof-of-concept video, “ReVuln – SCADA 0-day vulnerabilities”, on SCADA systems and related vulnerabilities.

The video, published by the researchers, showcases some SCADA 0-day exploits owned by the security company ReVuln; the 0-day vulnerabilities are all server-side and remotely exploitable. The video shows issues affecting the following vendors: General Electric, Schneider Electric, Kaskad, ABB/Rockwell, Eaton, Siemens … nobody is secure. Note that many other 0-day vulnerabilities owned by ReVuln that affect other well-known SCADA/HMI vendors were not included in this video.

Luigi Auriemma declared:

“[attackers] can take control of the machine with the maximum privileges (SYSTEM on Windows) granted by the affected service; they can install rootkits and other types of malware or obtain sensitive data (like passwords used on other computers of the same network) and obviously they can control the whole infrastructure.”

Evaluating the security level of critical infrastructures and industrial control systems managed by private companies is an activity of great interest to governments. To evaluate the consequences of a cyber-attack on homeland security and plan the proper actions to mitigate cyber threats, the US Government started a program named “Perfect Citizen”, whose main purpose is to examine national utilities and discover security vulnerabilities that could be exploited in an attack. The project, which will run at least until September 2014, was originally reported to be a program to develop a smart network of sensors (named Einstein) to detect cyber-attacks against critical infrastructures in both the private and public sectors. It is funded by the Comprehensive National Cybersecurity Initiative, and so far Raytheon, the major American defense contractor and industrial corporation, has received a contract worth up to $91 million to establish the project.

After recent cyber-attacks against critical infrastructures, and with the intensification of government activity in cyberspace, it is desirable and expected that such initiatives will multiply everywhere. The security of a country's infrastructure is a key point in cyber strategies and a priority for any government.

Prevention rather than cure… a key approach

The scenario presented depicts very dynamic cyber threats that continuously evolve. It is becoming ever easier for attackers to retrieve information on their targets or to acquire exploits for their attacks. To stay ahead of hackers, prevention must come through the sharing of information on cyber threats on a global scale and the definition and adoption of best practices. The following are some useful suggestions to increase the security level of any control system:

  • Deploy secure remote access methods such as Virtual Private Networks (VPNs) for remote access.
  • Remove, disable, or rename any default system accounts (where possible).
  • Implement account lockout policies to reduce the risk from brute forcing attempts.
  • Implement policies requiring the use of strong passwords.
  • Monitor the creation of administrator level accounts by third-party vendors.

Paying attention to the security level of critical infrastructures is everyone's duty; the risks are high and the consequences could be devastating, and there is no time to waste.

To give you an idea of the possible solutions implemented for defensive and preventive purposes, the report by the Pacific Northwest National Laboratory (PNNL) cites:

  • Dynamic Whitelisting – Provides the ability to deny unauthorized applications and code on servers, corporate desktops, and fixed-function devices.
  • Memory Protection – Unauthorized execution is denied and vulnerabilities are blocked and reported.
  • File Integrity Monitoring – Any file change, addition, deletion, renaming, attribute change, ACL modification, and owner modification is reported. This includes network shares.
  • Write Protection – Writes to hard disks are authorized only for the operating system, application configuration, and log files. All others are denied.
  • Read Protection – Reads are authorized only for specified files, directories, volumes and scripts. All others are denied.
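The file integrity monitoring item above is the kind of host-level control a defender can verify directly. As an added example (not code from the article, PNNL or McAfee), the following Python script baselines a directory of control-system files with SHA-256 digests, stores the baseline as JSON, and on a later scan reports files that were added, removed or modified; the sample files, the tampering scenario in demo() and the paths used are all constructed, and attribute, ACL and owner changes are outside its scope.

```python
"""File-integrity baseline and diff for a control-system host.

Added example, not code from the article, PNNL or McAfee. The baseline maps
each file path (relative to the monitored root) to its SHA-256 digest; a later
scan is compared against it to report files added, removed or modified.
Attribute, ACL and owner changes are not covered by this script.
"""
import hashlib
import json
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large project files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Walk the tree under root and map each relative path to its digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full_path = os.path.join(dirpath, name)
            # Normalise separators so baselines compare across OSes.
            rel_path = os.path.relpath(full_path, root).replace(os.sep, "/")
            baseline[rel_path] = sha256_of_file(full_path)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; keep it off-host or read-only so it cannot be silently edited."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return which paths were added, removed or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def verify(root, baseline_path):
    """Rescan root and diff it against the stored baseline."""
    return compare(load_baseline(baseline_path), build_baseline(root))


def demo():
    """Constructed scenario: baseline a fake engineering-workstation directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "projects"))
        with open(os.path.join(root, "projects", "pump_station.prj"), "w") as f:
            f.write("constructed PLC project placeholder\n")
        with open(os.path.join(root, "hmi.cfg"), "w") as f:
            f.write("alarm_threshold=80\n")
        baseline_path = os.path.join(store, "baseline.json")  # kept outside the monitored tree
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering: edit the PLC project, delete the HMI config, drop a new binary.
        with open(os.path.join(root, "projects", "pump_station.prj"), "a") as f:
            f.write("tampered logic\n")
        os.remove(os.path.join(root, "hmi.cfg"))
        with open(os.path.join(root, "update.exe"), "wb") as f:
            f.write(b"MZ constructed, not a real executable")

        return verify(root, baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline from a known-good state after commissioning and rerun verify() on a schedule; any non-empty list in the report is an event to investigate against the change log.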

Conclusions

Because SCADA systems are predicted to be highly targeted in 2013 as a result of state-sponsored operations, it is necessary to have a comprehensive global cyber strategy.

Control systems within critical infrastructures are cyber assets vulnerable to cyber-attacks. Threats are escalating and the industry is aware of the risks: we are in the era of cyber warfare. At the same time, SCADA systems are growing in complexity, due to the integration of different components, in many cases produced by different manufacturers. It is therefore necessary to address the security level not only of each device, but also of the overall environment. Integration tests are fundamental during the deployment phase. The design approach must change completely and take into account all the possible cyber threats that could harm the systems. Overall security will come through global collaboration and information sharing on the possible cyber threats and on the vulnerabilities of every device qualified on the market.

The security component must become part of the project of any industrial system; it must be considered as a fundamental requirement – overall security of critical infrastructures must be audited during the entire lifecycle of its components.

Only by following these simple recommendations can we defend our nations, and there is no time to wait.

References

http://securityaffairs.co/wordpress/11256/intelligence/perfect-citizen-us-vulnerability-assessment-program-on-critical-infrastructures.html

http://www.infosecurity-magazine.com/view/28920/us-considers-preemptive-action-to-prevent-cyber-pearl-harbor-/

http://www.infosecurity-magazine.com/view/30591/security-vulnerabilities-in-critical-infrastructure-up-600/

https://www.nsslabs.com/reports/vulnerability-threat-trends

http://www.digitalbond.com/blog/2012/01/19/project-basecamp-at-s4/

http://securityaffairs.co/wordpress/11763/security/new-attacks-against-scada-old-vulnerabilities-very-old-issues.html

http://vimeo.com/53806381

http://www.mcafee.com/us/resources/reports/rp-energy-sector-industrial-control.pdf