ICS/SCADA Malware Threats
ICS systems at risk
Historically, malware threats for Industrial Control Systems (ICS) have been largely hypothetical, as incidents involving malware designed specifically for ICS have been rare. The 2017 attack by the Triton malware, which targeted critical systems and spread quickly, showed the potential destruction that these types of threats can bring. With the convergence of operations technology (OT) and internet technology (IT), as well as the robust adoption of the Industrial Internet of Things (IIoT) by ICS operators, risks have grown.
An overview of the ICS threat landscape
Industrial control systems and their graphical user interface systems, SCADA (which stands for supervisory control and data acquisition) have increasingly become a cause of concern ever since they started connecting to the internet. Considered secure in the past because they were isolated from the outside world, ICS/SCADA are now exposed. Like any other computer systems, they’re vulnerable to exploits by attackers.
A quick search of the National Vulnerability Database maintained by NIST shows that researchers discovered 5,634 ICS vulnerabilities in 2008. By 2018, that number had more than doubled, to 16,516. As a 2016 Department of Homeland Security ICS malware trends whitepaper pointed out, the growing number of incidents reported to ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) suggested that “the discovery of vulnerabilities in ICS devices is still a growing field and that the number of discoveries is likely to increase as researcher interest expands.”
The challenge with ICS/SCADA, as with other operational technology, is that the slow patching processes leave a wider window for attackers to compromise an organization. At the same time, the number of IT-based attacks targeting industrial OT is growing. According to a 2019 Fortinet report on ICS/SCADA threats, no ICS vendor’s products are immune from attacks, and exploits targeting almost every vendor have increased both in volume and prevalence in 2018.
Known ICS malware
As noted earlier, there are only a few known malware examples targeting specifically targeting ICS so far. These include:
- Triton (also known as Trison or Trisis): Designed originally to target Triconex safety instrumented systems (SIS) controllers that are common in the energy sector, Triton is a multi-stage, sophisticated malware framework that exploited a zero-day flaw. Discovered in 2017 after an attack on a Middle East petrochemical plant’s SIS, Triton took offline six emergency shutdown systems that are typically overseen by engineering rather than security teams. The malware contained a remote access Trojan (RAT) and replaced the SIS logic remotely, preventing the safety systems from working correctly
- Stuxnet: First discovered in 2010, Stuxnet is perhaps the most well-known malware targeting SCADA. Dubbed by some as “the world’s first digital weapon,” Stuxnet was involved in a 2009 attack against an uranium-enrichment plant in Iran and other industrial targets. The worm, which targeted programmable logic controllers (PLCs), exploited several zero-day flaws in Windows machines and spread via USB flash drives rather than the internet
- Havex: Discovered in 2013, the Havex RAT targeted ICS such as energy grid operators as part of an espionage campaign. Havex reportedly impacted as many as 2,000 infrastructure sites in the United States and Europe. The multi-phase campaign started with spearphishing, used watering hole attacks against legitimate websites and primarily included RAT and command-and-control (C2) modules while also leveraging a universal ICS communications protocol known as OPC (open platform communications)
- Industroyer: Also known as CrashOverride, this malware targets the electric grid and is believed to have been behind a 2016 cyberattack that caused a blackout in Ukraine’s capital. Industroyer includes several modules, including a RAT/backdoor, C2 and a data wiper that could do things like clearing registry keys and overwriting generic Windows files. While the malware was designed to cause power outages, researchers believe it could be repurposed for other sectors with a few other modules
Other malware threats
Other types of malware can also impact ICS/SCADA, particularly when these systems run on vulnerable or older versions of operating systems. Ransomware could cause long-term service disruptions like those of NotPetya, which shut down the operating systems of pharmaceutical company Merk and caused significant impact to the operations of shipping company O.P. Moller-Maersk.
According to an analysis by the intelligence team of ICS cybersecurity company Dragos, more than 60 percent of the vulnerabilities reported in 2018 could lead to operations outage, and 55 percent could result in loss of control.
Because of the high stakes involved, ISC/SCADA attacks require high sophistication, and the campaigns are often sponsored by nation-states. As the so-called Industry 4.0 trend marches on, with more computers connecting and communicating with each other without human intervention, and as threat actors continue to become more sophisticated, more ISC/SCADA-designed malware families will be developed.
- Triton is the world’s most murderous malware, and it’s spreading, MIT Technology Review
- National Vulnerability Database, NIST
- Malware Trends, NCCIC
- Fortinet 2019 Operational Technology Security Trends Report: An Update on the Threat Landscape for ISC and SCADA Systems, Fortinet
- Triton/Trisis Attack Was More Widespread Than Publicly Known, Dark Reading
- Schneider Electric: TRITON/TRISIS Attack Used 0-Day Flaw in Its Safety Controller System, and a RAT, Dark Reading
- What is Stuxnet, who created it and how does it work?, CSO
- Havex, NJCCIC
- CRASHOVERRIDE: Analysis to the Electric Grid Operations, Dragos
- Year in Review: Industrial Controls Systems Vulnerabilities, Dragos