Biggest threats to ICS/SCADA systems
Imagine a scenario where two nations are at war. One nation has the capability to attack the other’s industrial infrastructure, like the electrical grid, oil and gas plants, water treatment plants, nuclear plants and so on. What would be the consequences if plant operations were controlled remotely and maliciously?
Industrial Control System (ICS)
ICS is used to control industrial processes such as manufacturing, production and distribution. It includes various components that work together to achieve an industrial objective. On a higher level, it is a part of Operational Technology (OT). Today, ICS is mostly used in energy, water, gas and oil, electricity and traffic control systems.
Industrial Control Systems (ICS) consist of different types of control systems such as Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), Programmable Logical Computer (PLC), Remote Terminal Units (RTU) and Intelligent Electronic Devices (IED).
ICS is becoming a prime target for cyberattacks. Security concerns increased after the Stuxnet attack on an Iranian uranium enrichment facility in 2010. Similarly, BlackEnergy malware was used against the Ukrainian power grid in 2015.
ICS lacks basic security practices. Let’s look at the major vulnerabilities and threats to ICS/SCADA.
1. Exposure over the internet
Prior to the internet, ICS operation was confined to the plant. With increase in operations, integration with other platforms and for ease of access, some companies have connected their ICS or part of the ICS setup to the internet. Insecure connections may allow backdoor access for malicious parties to enter the ICS environment.
External access is often provided to vendors for maintenance purposes. Systems used by the external vendor may threaten security, as they don’t adhere to the client company’s security policies. Insecure VPN configuration may also lead to compromised systems by not restricting the access.
2. Weak segregation
Weak segregation between IT and OT environments is one of the common factors resulting in ICS compromise. Weak access control may allow a machine connected to the IT network to reach a device on the ICS network, and a malware attack on the IT system may allow malware to spread to the OT setup.
3. Default configuration
Patches have been created for vulnerabilities within the ICS environment and vendor systems. Not all companies can afford downtime for patching, as it leads to decreased production and lost revenue. Some companies feel their ICS is securely isolated or they have no ICS security policy that addresses patches, so they continue in the default configuration.
4. Weakness in ICS protocols
The original protocols used in ICS were not designed with security in mind. The same protocols are used in the current ICS setup.
For example, the MODBUS protocol uses cleartext communication, which may allow the attacker to eavesdrop on traffic. The MODBUS protocol does not have proper authorization, which may lead to unauthorized actions like updating the ladder logic program or shutting down the PLC.
5. Weakness in ICS applications
Applications related to ICS and HMI are sometimes vulnerable to the web or thick client-based attacks like SQL Injection, Command Injection, or Parameter manipulation. Lack of encryption protocol leads to credential sniffing. Cross-site Scripting attack can lead to Session Hijacking.
6. Lack of security awareness
Due to lack of security awareness, employees often become a victim of social engineering, phishing and spearphishing attacks. Sometimes it takes just a click by the victim to get compromised. From this compromised machine, an attacker can move further into the network by lateral movement.
1. Malware threats
Portable forms of media are often used by the company employees in the office and ICS environment. Removable media such as USBs, CDs, DVDs and SD cards can be used to transfer malware. The malware can be easily embedded in .JPG or .PDF files. The media storage devices can then be used to bypass physical security and infect the ICS environment.
Employees often carry their office USB flash drive home and connect to their personal laptops. Personal laptops may have malware, as it might not have working antivirus protection and the employee isn’t required to follow their employer’s cybersecurity policies when using personal property. In fact, the first known attack of the Stuxnet malware entered the Siemens ICS when an infected pen drive, brought from home by an engineer, was used at Siemens.
2. Insider attack
Insider attacks are a significant threat within organizations. Malpractice by internal employees (whether intentionally or unintentionally) often leads to compromises. Attacks often come from disgruntled employees or insiders paid to attack or steal assets.
Organizations frequently neglect to follow the principle of least privilege, allowing an employee to perform other sensitive and unauthorized actions. Failure to enact access revocation policies for employees leaving the company also weakens the company’s ICS security.
3. Denial of service
Wired and wireless connections are used in ICS. Attacks on these connections may lead to interruption of real-time communication between ICS components. In ICS, delays of seconds may have severe negative impacts on the operation.
Another way to perform a DoS attack is to attack the components, such as PLCs. PLCs are fragile in nature. A heavy port scan may crash the PLCs and easily result in disruption of operations.
4. Third-party threats
With increased outsourcing of system support for ICS setups, the infected machines of support staff present a threat of compromise. Since client companies don’t have direct control over third-party service providers’ infrastructure, there is an increased risk of exploit propagation.
5. Technical or physical malfunction
Component-level failure like power, hard disk failure, system crash and cable breakage may lead to runtime failure. Runtime errors in software can also disrupt operations until the software or system is reset or repaired.
6. Threats from terrorists and hackers
Critical infrastructure is a key target for terrorist groups who wish to cause fear, damage, and loss of life. Air traffic control, power grids and nuclear plants are particularly vulnerable. Hackers paid by industry rivals, terrorist groups or other malicious parties may cause significant damage, leading to financial losses and a damaged company reputation.
ICS is increasingly exposed to the same cyberthreats as IT. The consequences of an ICS breach may result in physical damage, and daily increases in attack vectors also increase ICS threats. Swift identification, control and mitigation of security threats and vulnerabilities are critical to a secure ICS.