ICS/SCADA Social Engineering Attacks
Introduction
ICS/SCADA systems are essential to the daily operations of utility companies and industrial manufacturers. Due to their importance, these vulnerable systems are targets for attack. These threats can have wide-reaching and devastating effects on the affected businesses and the community.
There’s a common misconception that SCADA systems are difficult to attack and exploit because they’re so isolated. However, SCADA systems are victimized at an alarming rate, according to a recent report by Fortinet:
Learn ICS/SCADA Security
- Among organizations that use SCADA or ICS, almost 60% experienced a data breach in the last year. Only 11% report that they have never experienced a breach
- 63% of organizations reported that the SCADA/ICS security breach affected the safety of their employees
- A major impact on financial stability was reported by another 58% of organizations
With the SCADA market predicted to grow to $13.43 billion by 2022, we can expect the frequency and intensity of attacks to grow.
Attacks by exotic cyberweapons like Stuxnet and Flame made headlines in the early 2010s and fostered a fear that similar weapons may be on the way. However, cybersecurity experts warn that attacks from run-of-the-mill sources like phishing campaigns are more likely and equally as dangerous.
In this article, we’ll define some of the most common social engineering attacks used against ICS/SCADA systems. We’ll also discuss which groups are most likely to attack industrial control systems.
Common threat actors
Attackers targeting SCADA networks come in all shapes and sizes. Knowing who’s spearheading the attack will give you insight into the attacker’s motivation, goals and the resources they have at their disposal. It can also help administrators gauge the potential impact of the attack. Common threat actors include:
- Hostile nations
- Industrial spies
- Disgruntled employees
- Terrorists
- Hackers
- Criminal groups
- Hacktivists
Common social engineering threats
Cybersecurity experts have rightfully pointed out a number of security flaws in SCADA, but the biggest weak point is the user. Attackers utilize social engineering to trick employees into divulging information or providing access to the system. Compared to highly complex threats like Stuxnet, social engineering is much easier to execute and doesn’t require the same level of skill or resources.
Let’s take a look at the most common social engineering threats facing ICS/SCADA systems today.
Phishing
Phishing attacks are the most common threat across the cyber landscape, and industrial control systems are no exception. Infosec describes phishing attacks as using “emails, social media, and instant messaging, and SMS to trick victims into providing sensitive information or visiting malicious URLs in the attempt to compromise their systems.” While a phishing attack may not be enough to bring down an entire power grid overnight, it can provide attackers with the foothold they need to escalate the attack.
Most phishing attacks against SCADA networks are carried out with the goal of surveillance, not infection. The attackers want to know more about the system itself, including how it works and whether or not they can maintain a backdoor to exploit in the future.
Spearphishing
A power grid going down in the dead of winter and stranding nearly a quarter-million people without power sounds like the plot of a spy thriller, but it actually happened in Ukraine in December 2015. The attack began with a spearphishing campaign that targeted system administrators and IT staff at three Ukrainian electric companies.
Unlike plain-old phishing, spearphishing is tailored to a particular individual. Attackers attempt to trick the victim by carefully crafting a false sense of legitimacy, such as sending an email that appears to come from a trusted source. It’s common for attackers to research the intended target prior to sending the email so that it appears as personal and authentic as possible.
So how did this play out in Ukraine? Workers received emails containing a malicious attachment disguised as an innocent Word document. Upon opening the document, the recipient was prompted to enable macros which installed a program that opened a backdoor to the intruders.
Pretexting
Pretexting is the “practice of presenting oneself as someone else to obtain private information. Usually, attackers create a fake identity and use it to manipulate the receipt of information,” according to Infosec. Like other forms of social engineering attacks, pretexting relies on manipulation instead of high-tech worms and cyberweapons.
Several attempted attacks have been launched against utility companies via phone call. The attackers set up the attack by figuring out which third-party vendors the utility companies worked with. Next, they called personnel at the companies, posing as vendor representatives, and tried to convince them there was a problem. To solve the problem they would need, you guessed it, remote access to the system.
Best practices for defending SCADA networks
Launching an attack against an ICS/SCADA network is no harder than attacking any other network, according to Dave Marcus, director of security research at McAfee. Marcus further explains that cyber forensic investigating and reporting at these facilities is often quite poor, meaning attacks could fly under the radar for a long time before they’re finally detected.
When it comes to deflecting social engineering attacks, Marcus suggests that SCADA network admins do the following:
- Conduct extensive penetration testing
- Train staff in counter social engineering techniques
- Plan for the worst-case scenario and put appropriate countermeasures in place
- Build a solid network with law enforcement
Conclusion
Keeping SCADA networks up and running is challenging without the right security protocols in place. Many networks still rely on outdated technology and legacy software that leaves them vulnerable to attack. When successful, these attacks can be incredibly destructive to financial stability and public safety.
Learn ICS/SCADA Security
Sources
- INSIDE THE CUNNING, UNPRECEDENTED HACK OF UKRAINE'S POWER GRID, Wired
- ICS-CERT: Social Engineering and SCADA Security, Infosec Island
- Independent Study Pinpoints Significant SCADA/ICS Security Risks, Fortinet
- Michael Robinson, “The SCADA Threat Landscape”
Learn ICS/SCADA Security
Build your critical infrastructure security skills with hands-on training in Infosec Skills. Train how you learn best:- Practice realistic scenarios
- Build hands-on skills
- Learn live or on-demand
- Get certified
In this Series
- ICS/SCADA Social Engineering Attacks
- Securing operational technology: Safeguard infrastructure from cyberattack
- Operation technology sees rise in targeted remote access Trojans and ransomware
- Vehicle hacking: A history of connected car vulnerabilities and exploits
- Operational technology compromises: Low sophistication, high-frequency
- ICS/SCADA threats and threat actors
- Incident response and recovery best practices for industrial control systems
- BPCS & SIS
- Security Technologies for ICS/SCADA environments
- Data Loss Protection (DLP) for ICS/SCADA
- ICS/SCADA Wireless Attacks
- Security controls for ICS/SCADA environments
- SCADA & security of critical infrastructures [updated 2020]
- CIP (Common Industrial Protocol): CIP messages, device types, implementation and security in CIP
- Open vs proprietary protocols
- Critical security concerns facing the energy & utility industry
- ICS/SCADA Malware Threats
- Biggest threats to ICS/SCADA systems
- SIEM for ICS/SCADA environments
- Intrusion Detection and Prevention for ICS/SCADA Environments
- Firewalls for ICS/SCADA environments
- ICS/SCADA Security Technologies and Tools
- The state of threats to electric entities: 4 key findings from the 2020 Dragos report
- Modbus, DNP3 and HART
- RS-232 and RS-485
- BACnet
- TASE 2.0 and ICCP
- FOUNDATION Fieldbus
- Account Management Concepts for ICS/SCADA environments
- PROFIBUS and PROFINET
- ICS Strengths and Weaknesses (from security perspective)
- Access Control Implementation in ICS
- ICS Components
- Access Control Models for ICS/SCADA environments
- ICS/SCADA Security Specialist/Technician Role
- Credential Management and Enforcement for ICS/SCADA environments
- IT vs ICS
- Process control network (PCN) evolution
- ICS protocols
- Saving lives with ICS and critical infrastructure security
- ICS/SCADA Access Controls
- Types of ICS
- Physical security for ICS/SCADA environments
- Introduction to SCADA security
- ICS/SCADA security overview
- Who Is Targeting Industrial Facilities and ICS Equipment, and How?
- Configuration of Anti-Virus and Anti-Malware Software within an ICS Environment
- MyPublicWiFi – A Windows Utility to manage ICS
- Situational awareness and ICS Using GRASS MARLIN
- Cyber risks for Industrial environments continue to increase
- Advice to a New SCADA Engineer
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Critical infrastructure
Securing operational technology: Safeguard infrastructure from cyberattack
Critical infrastructure
Operation technology sees rise in targeted remote access Trojans and ransomware
Critical infrastructure
Vehicle hacking: A history of connected car vulnerabilities and exploits
Critical infrastructure
Operational technology compromises: Low sophistication, high-frequency