Industrial control systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems are critical components for the operation of industrial facilities and critical infrastructure. Successful cyberattacks could paralyze internal processes, cause financial losses and potentially lead to the loss of human lives.
Many organizations in critical infrastructure have deployed SCADA/ICS to automate the control of processes and data collection. These systems have become high-value targets for attackers looking to disrupt business operations.
Unfortunately, many ICS are not designed to be resilient to cyberattacks and threat actors are targeting these systems with more intensity.
Most of the attacks against the industrial networks are not complex. Threat actors could use different attack vectors by taking advantage of existing configuration flaws in the industrial devices and network segmentation, as well as OS vulnerabilities.
The majority of security experts involved in the testing of corporate information systems revealed that they have insufficient perimeter protection against external attacks and industrial networks are not properly isolated from corporate systems.
The Stuxnet Attack Legacy
Since the Stuxnet attack, many other incidents involved ICS/SCADA systems and security experts discovered several threats specifically designed to compromise these families of devices, including Duqu/Flame/Gauss (2011), Shamoon (2012), Havex (2013), Dragonfly (2014), Black Energy (2015) and Triton (2017).
The above threats targeted systems used in nuclear plants, electric grids, dams, gas pipelines, water facilities and industrial environments. These events confirm that ICS/SCADA components are prime targets for both crooks and nation-state actors.
According to a Forrester study, 56% of organizations using SCADA/ICS reported a breach in the second half of 2018 through the first half of 2019. Only 11% indicate they have never been breached.
In many cases, attackers exploit vulnerabilities affecting industrial control systems (ICS). For this reason, it is interesting to analyze which issues were disclosed in 2019 and potentially exploitable in attacks in the wild.
116 Unique Types Of Flaws
ICS security firm Dragos analyzed 438 ICS vulnerabilities that were reported in 212 security advisories in 2019, and revealed that 26% of advisories are related to zero-day flaws. This circumstance is worrisome because attackers exploiting zero-day vulnerabilities in their attacks could have had a significant likelihood of success.
The experts classified the issue in 116 unique types of flaws, most of the flaws discovered in 2019 were improper input validation, stack-based buffer overflow, cross-site scripting (XSS), the use of hard-coded credentials and uncontrolled resource consumption (i.e., DoS) issues.
Vulnerabilities Deep Within
The experts revealed that 77% of the assessed vulnerabilities were residing deep within a control system network; the flaws only affect products that belong on engineering workstations, human-machine interface (HMI) systems, operator panels, industrial network equipment and field devices themselves. The researchers pointed out that their exploitation requires some existing access to a control systems network.
According to the experts, only 9% of advisories were related to flaws in products associated with border systems (e.g., data historians, OPC servers, cross-domain web applications and VPN services). Their exploitation could potentially allow attackers to move from the IT to the OT networks.
Most of the advisories (roughly 75%) are related to vulnerabilities that could be exploited from the network, while the remaining flaws could be only exploited by attackers with local or physical access to the targeted machine.
The experts also analyzed the potential operational impact on industrial control processes for each issue focusing on the loss of view and the loss of control.
50% of advisories are related to vulnerabilities that could cause both a loss of view and a loss of control, while 5% of advisories could only cause a loss of view (but no loss of control) via exploitation and 2% could result in a loss of control.
The risk of attacks exploiting the flaws related to the advisories issued in 2019 is very high: 26% of them had no patch available when the initial advisory was disclosed and 76% of the advisories which had no patch did not offer mitigation advice.
SCADA attack surface
Before introducing the most common ICS/SCADA threats, let us understand the architectures of SCADA systems and how the internal components interact with each other.
The main components of a SCADA system are:
- A human–machine interface (HMI) is the component responsible for data presentation to a human operator. It consists of a console that allows the operator to monitor and control the process
- Remote terminal units (RTUs) are microprocessor-controlled electronic devices that interface the sensors to SCADA by transmitting telemetry data
- The supervisory system is responsible for data acquisition and for control activities on the process
- Programmable logic controllers (PLCs) are the final actuators used as field devices
- Communication infrastructure connecting the supervisory system to the remote terminal units
- Various process and analytical instrumentation
In a real attack scenario, hackers could target one of the above components with different techniques and means. Malware, for example, could be used to infect the supervisory system or the HMI by exploiting known vulnerabilities in the underlying OS. Malware might infect the system through a USB stick or a network interface.
Most common ICS/SCADA security issues and threats
One of the biggest problems for ICS/SCADA systems is that they often run on legacy software that lacks sufficient security. Most of this type of software doesn’t implement security fundamentals such as user/system authentication and data integrity checking features, allowing attackers to carry out a broad range of attacks against the ICS components.
It is very common to find internet-facing ICS/SCADA systems that are not properly protected and hosted on a misconfigured network. In many cases, firewalls employed as a defense measure for the industrial networks fail to detect/block malicious activity launched by external attackers, allowing them to access the OT systems.
In some cases, SCADA systems are connected to unaudited dial-up lines, or operators of the industrial environment have wrongly configured remote-access servers that could give attackers a path to access to the OT network as well as the corporate LAN.
Threat actors always attempt to exploit devices that still use factory settings, which are well known to the hackers. Factory settings, including default passwords, allow the attackers to compromise a device and easily enumerate and compromise other OT systems in the same network.
Almost any legacy ICS and industrial protocol does not use encryption to protect communication, allowing threat actors to eavesdrop on the traffic in order to capture authentication credentials and carry out man-in-the-middle attacks. Attackers could leverage unencrypted communication protocols to target ICS, HMI and workstations delivering malicious code — for example, by pushing rogue updates that are able to compromise these components.
Threat actors could attempt to sabotage OT systems by launching DDoS attacks on vulnerable unpatched systems that are exposed online and improperly protected. It could be very easy for hackers to locate these systems by using specific search engines like Shodan. The popular search engine allows attackers to retrieve all the information that could be used to find a potential target exposed online.
The disconcerting news is that most OT systems exposed online lack proper authentication mechanisms and, in many cases, are not updated.
Threat actors continually specifically design malware that compromises ICS systems and interferes with their operations. Additionally, ICS systems are often exposed to other threats that are not specifically designed to target this family of devices.
Web Application Attacks
Threat actors are increasingly targeting OT systems that are exposed online via their web interface. Hackers attempt to carry out web applications attacks to exploit vulnerabilities (e.g., SQL injection, cross-site scripting in the interface of OT components such as human-management interfaces and programmable logic computers).
Command Injection and Parameters Manipulation
ICS systems may be targeted with command injection attacks that allow attackers to execute arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are caused by the lack of validation of user supplied data.
Defending SCADA Systems
We have described the SCADA attack surface and the most common issues and threats related to industrial control devices. It is time to explore the ways to defend them from attacks.
Organizations using ICS/SCADA systems in their infrastructure have to keep their systems up to date by applying security patches and updates released by the vendors. Operators of critical infrastructure have to deploy security measures that can defend against cyberattacks, some of them are based on the National Institute of Standards and Technology’s NIST’s guide to ICS security.
Below is a short list of recommendations to secure ICS/SCADA systems:
- Use virtual patching to help manage updates and patches. Patch management is critical in industrial systems where the deployment of an update could cause downtime. Virtual patching can help manage vulnerabilities and prevent cyberattacks when it is not possible to immediately apply the patches
- Implement network segmentation to prevent the spread of malware and lateral movements of the attackers once they have compromised the target network. By segmenting the network, it is possible to drastically minimize the exposure of sensitive information
- Separate the ICS network from the corporate network, using adequate security measures like firewalls in order to prevent the lateral movement of attacks from one to another
- Prevent the use of untrusted removable devices that could be used as attack vectors by threat actors
- Manage authorization and user accounts. Experts recommend monitoring and assessing the authorizations and accesses to SCADA systems. Monitor the creation of administrator accounts by third-party vendors
- Protect engineering workstations connected to SCADA for device programming and control adjustments with endpoint protection
- Employ strict policies to regulate how devices can connect to SCADA networks. Deploy secure remote access methods such as Virtual Private Networks (VPNs) for remote access
- Restrict the roles of transitory SCADA nodes to a single purpose. Having a single purpose for transitory nodes lowers the chances of unknowingly exposing these nodes or having them accessed by unauthorized users
- Using a web application firewall (WAF) to scan and patch vulnerable web applications
- Remove, disable or rename any default system accounts
According to a report published by Fortinet, many organizations using SCADA/ICS plan to increase spending on security technologies this year:
“Nearly three-quarters of organizations plan to increase IoT security spending, with 36% of them increasing spending by 5% or more. More than 7 in 10 plan to spend more on OT security, and nearly 4 in 10 plan to increase spending by at least 5%. Another 7 in 10 will spend more on OT infrastructure this year, with 37% planning a hike of 5% or more.”
The data on the investments confirms an increased awareness of the cyber risks for ICS/SCADA systems and a commitment to OT and the security standards and controls needed to protect those systems.
- More than 400 flaws affecting industrial control systems (ICS) were disclosed in 2019, more than 100 were zero-day vulnerabilities., Security Affairs
- 2019 ICS Year in Review, Dragos
- Independent Study Pinpoints Significant SCADA/ICS Security Risks, Fortinet
- One Flaw too Many: Vulnerabilities in SCADA Systems, Trend Micro
- Industrial companies: attack vectors, Positive Technologies
- Top 10 Critical Infrastructure and SCADA/ICS Cybersecurity Vulnerabilities and Threats, Check Point
- Perfect Citizen, US vulnerability assessment program on critical infrastructures, Security Affairs
- History of Industrial Control System Cyber Incidents, OSTI.gov
- US considers preemptive action to prevent ‘Cyber Pearl Harbor’, Infosecurity
- Security vulnerabilities in critical infrastructure up 600%, Infosecurity
- Vulnerability Threat Trends: A Decade in Review, Transition on the Way, NSS Labs
- Digital Bond Archives, Dale Peterson
- New attacks against SCADA, old vulnerabilities, very old issues, Security Affairs
- ReVuln – SCADA 0-day vulnerabilities, ReVuln (Vimeo)
- Resource Library, McAfee