Five myths of industrial control system security by David Emm

23/08/2015 19:29

Despite growing awareness of cyber-based attacks on industrial control systems, many IT security models still rest on the outdated belief that physical isolation and 'security by obscurity' are enough, says David Emm.

David Emm, principal security researcher, global research & analysis team, Kaspersky Lab

Myth # 1: our industrial automation systems are not connected to the internet, so they're secure

Bust: The average Industrial Control System (ICS) has 11 direct connections to the internet. If you think yours is an exception, it might be worth taking another look.

An internal survey at a major, representative energy company found that the majority of business-unit managers believed their control systems were not connected to the business network; an audit showed that 89 per cent of those systems were in fact connected.

What's more, security on the business network was designed for general business processes only, with no regard for the critical process systems behind it. Multiple connection types between the enterprise network and the internet were in place, including intranets, direct internet connections, wireless links and dial-up modems.
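If that survey prompts you to take another look at your own plant, here is the kind of quick check an auditor runs on a control-network host to answer "is it really isolated?". It is an added example, not code from the original article or from Kaspersky Lab: it parses routing-table and connection-table text in the style of Linux `ip route` and `ss -tn` output and flags any default route, any route to a public prefix, and any established TCP session whose peer lies outside private address space. The sample output embedded below, and the addresses in it, are constructed for the example.

```python
import ipaddress
import re

# Address space that never reaches the internet directly (RFC 1918 plus
# loopback and link-local). Anything else is treated as "public".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def route_findings(route_text):
    """Flag a default route (every unknown destination gets forwarded, so the
    host is only as isolated as its next hop) and any route to a public prefix."""
    findings = []
    for line in route_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = parts[0]
        if dst == "default":
            findings.append(("default-route", line.strip()))
            continue
        try:
            public = not is_private(dst.split("/")[0])
        except ValueError:
            continue  # e.g. 'unreachable' or 'blackhole' entries, not addresses
        if public:
            findings.append(("public-route", line.strip()))
    return findings

# state  recv-q  send-q  local:port  peer:port  (ss -tn column order)
CONN_RE = re.compile(r"(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")

def connection_findings(ss_text):
    """Flag live TCP sessions whose peer is outside private address space;
    on a genuinely isolated control host there should be none."""
    findings = []
    for line in ss_text.splitlines()[1:]:  # first line is the column header
        m = CONN_RE.match(line)
        if not m:
            continue
        state, _local, lport, peer, pport = m.groups()
        if not is_private(peer):
            findings.append(("public-peer", "%s -> %s:%s (%s)" % (lport, peer, pport, state)))
    return findings

# Constructed sample output in the style of `ip route` and `ss -tn` (assumed addresses).
ROUTE_SAMPLE = """\
default via 10.10.0.1 dev eth0 proto static
10.10.0.0/16 dev eth0 proto kernel scope link src 10.10.3.44
192.168.100.0/24 via 10.10.0.254 dev eth0
"""

SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.10.3.44:502      10.10.5.12:49152
ESTAB  0      0      10.10.3.44:49310    203.0.113.25:443
ESTAB  0      0      10.10.3.44:445      192.168.100.7:52044
"""

if __name__ == "__main__":
    for finding in route_findings(ROUTE_SAMPLE) + connection_findings(SS_SAMPLE):
        print(*finding)
```

On the constructed sample the host looks isolated on paper (all its routes are to private ranges) yet has a default route and an open HTTPS session to a public address, which is exactly the gap between what management believed and what the audit found. A private peer address is not proof of isolation either: the Slammer cases below show internal and VPN hosts acting as the bridge, so the same check should be run on every host that the control network can reach.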

This kind of patchy security can leave you wide open. Take the "Slammer" worm, for example. It affected critical infrastructure as diverse as emergency services, air traffic control and ATMs, and it reached its full scanning rate (55 million scans per second) in under three minutes, thanks to the internet. Ironically, the only thing that slowed it down was a lack of bandwidth on the networks it had infiltrated. Its victims included:

  • Davis-Besse nuclear power plant, whose process computers and safety display systems were infected via a contractor's T1 line, taking its safety monitoring capability offline for five hours.
  • Electrical companies surveyed by the North American Electric Reliability Council. In one case the distinct cause was infection via a VPN connection to a remote computer, which had itself been infected via the corporate network. The worm then propagated and blocked SCADA traffic.
  • In a separate incident with the same lesson, Harrisburg Water Systems in the US was infiltrated via an infected employee laptop: the cybercriminal used the worker's remote access to reach a SCADA HMI and install malware and spyware.

Myth # 2: we've got a firewall, so we're safe from outside threats

Bust: Firewalls offer a degree of protection, but they're certainly not impenetrable. A study of 37 firewalls from financial, energy, telecommunications, media and auto companies found that:

  • Almost 80 per cent allowed "Any" services on inbound rules, as well as unsecured access to the firewalls themselves and to the demilitarized zone (DMZ).
  • Almost 70 per cent permitted machines outside the network perimeter to access and manage the firewall.
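A ruleset audit that looks for exactly those two error classes, as an added example (not code from the original article, from Kaspersky Lab or from the study cited above). The rule format is a made-up dict-based representation rather than any vendor's syntax, and the internal ranges, DMZ, firewall addresses and management ports are assumptions for the example; swap in your own before running it against a real configuration.

```python
import ipaddress

# Assumed layout for the example: private internal ranges, one DMZ
# (192.0.2.0/24), and the firewall's own outside and inside addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
FIREWALL_ADDRS = {ipaddress.ip_address("203.0.113.1"), ipaddress.ip_address("10.0.0.1")}
# Services that reach the firewall's own management plane (assumed set).
MGMT_SERVICES = {"tcp/22", "tcp/23", "tcp/443", "udp/161"}

def to_network(spec):
    """'any' means the whole IPv4 space; otherwise a single host or a CIDR."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)

def is_external(src_spec):
    """A source is external unless it lies entirely inside a trusted range.
    'any' is external because it includes the internet."""
    net = to_network(src_spec)
    return not any(net.subnet_of(trusted) for trusted in INTERNAL_NETS + [DMZ_NET])

def reaches_firewall(dst_spec):
    """True if the destination includes one of the firewall's own addresses."""
    net = to_network(dst_spec)
    return any(addr in net for addr in FIREWALL_ADDRS)

def audit(rules):
    """Return (rule id, finding) pairs for every permit rule that matches one
    of the error classes: any-service inbound, firewall management from
    outside the perimeter, and unrestricted external access to the DMZ."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        wide_open = rule["service"] == "any"
        external = is_external(rule["src"])
        if rule["direction"] == "inbound" and wide_open:
            findings.append((rule["id"], "any-service-inbound"))
        if external and reaches_firewall(rule["dst"]) and (
                wide_open or rule["service"] in MGMT_SERVICES):
            findings.append((rule["id"], "external-firewall-management"))
        if external and wide_open and to_network(rule["dst"]).overlaps(DMZ_NET):
            findings.append((rule["id"], "unrestricted-dmz-access"))
    return findings

# Constructed ruleset (made-up format; addresses are documentation ranges).
RULES = [
    {"id": 1, "action": "allow", "direction": "inbound", "src": "any",
     "dst": "192.0.2.10", "service": "tcp/443", "note": "public web server"},
    {"id": 2, "action": "allow", "direction": "inbound", "src": "any",
     "dst": "192.0.2.0/24", "service": "any", "note": "DMZ catch-all"},
    {"id": 3, "action": "allow", "direction": "inbound", "src": "198.51.100.0/24",
     "dst": "203.0.113.1", "service": "tcp/22", "note": "vendor SSH to firewall"},
    {"id": 4, "action": "allow", "direction": "inbound", "src": "10.20.0.0/16",
     "dst": "10.0.0.1", "service": "tcp/443", "note": "internal admin UI"},
    {"id": 5, "action": "deny", "direction": "inbound", "src": "any",
     "dst": "any", "service": "any", "note": "default deny"},
]

if __name__ == "__main__":
    for rule_id, finding in audit(RULES):
        print("rule %d: %s" % (rule_id, finding))
```

Rule 1 (one service to one DMZ host) passes; rule 2 is the "Any" catch-all the study found in most firewalls, and rule 3 is the "managed from outside the perimeter" case, even though it is restricted to one vendor range. A rule that passes this audit is still only as good as the hosts behind it: the check says nothing about what an allowed service does once the packet is inside.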

Myth # 3: hackers don't understand SCADA/DCS/PLC

Bust: These days, SCADA and process control systems are common topics at hacker conferences such as Black Hat. There's a good reason for it: cybercrime has become very lucrative, with zero-day exploits selling to organised crime for as much as $80k per exploit. If you don't think hackers have the interest or the capability to target industrial control systems, here are a few reasons why you might want to revisit that thinking:

  • Targeted worms and other exploits are now being tailored for specific applications or targets.
  • Off-the-shelf SCADA specifications can be bought or readily accessed online. These make great reading for hackers, providing a level of understanding that they would not have had otherwise.
  • The Shodan search engine makes it easy to locate unsecured, internet-exposed industrial devices and systems globally. Criminals are all too aware that, in many instances, these devices are still running on factory settings, with generic credentials such as "admin" and "1234".
  • Project Basecamp, Nessus plug-ins and Metasploit modules help with penetration testing, but can equally be used for criminal purposes.

Myth # 4: our facility is not a target

Bust: This is dangerous thinking. Even setting aside the fact that there is no way you could actually know this, there's a host of reasons why it's irrelevant.

Firstly, your organisation does not have to be the target of an attack to become a victim: 80 per cent of control system security incidents were unintentional, but harmful nonetheless. Slammer, for instance, was aimed at taking down as many systems globally as possible. It did not specifically target energy companies or emergency services, but it had a significant impact on many of them.

Secondly, many systems are already exposed and vulnerable to attack, thanks to the insecure general-purpose operating systems they run on. Extensive research by Kaspersky Lab, using data from the Kaspersky Security Network (KSN), indicates that a growing number of computers running SCADA software encounter the same malware that afflicts business IT systems, including (but not limited to) well-known culprits such as Trojans, viruses, worms, potentially unwanted programs (PUPs) and exploits targeting vulnerabilities in the Windows operating system.

Kaspersky research shows that many industrial PCs are infected with the same malware afflicting business systems (IT).

Myth # 5: our safety system will protect us from harm

Bust: This is where we get a little technical, but it's important to understand that most currently available safety systems are technically flawed. This is precisely the reason Kaspersky Lab is currently working on a secure operating system built from the very beginning with security in mind, rather than as an afterthought. Some of the main issues with current systems are that:

  • IEC 61508 certification (Safety Integrity Level, SIL) evaluates functional safety, not security.
  • Modern safety instrumented systems (SIS) are microprocessor-based, programmable systems that are configured from a Windows PC.
  • It has become commonplace to integrate control and safety systems over Ethernet using open, insecure protocols (Modbus TCP, OPC).
  • Many SIS communication interface modules run embedded operating systems and Ethernet stacks with known vulnerabilities.
  • The LOGIIC SIS project (ICSJWG) found that SIS-ICS integration introduces risk and that default configurations are not secure.
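Two of the points on this page, that attackers understand the protocols (Myth 3) and that control and safety systems are now integrated over open, insecure protocols such as Modbus TCP (Myth 5), come down to one fact: a Modbus TCP request carries no credential, signature or session token, so any host that can reach TCP port 502 can issue a write. The following added example (not code from the article, from Kaspersky Lab or from any Modbus vendor) encodes a Write Single Register request, parses the MBAP header back, and then runs an allowlist-based detector over a few constructed frames. The host addresses, the unit id and the allowlist are assumptions for the example.

```python
import struct

# Function codes that change process state; a read-only monitor never needs them.
MODBUS_WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

def build_frame(transaction_id, unit_id, pdu):
    """Wrap a PDU in an MBAP header: transaction id, protocol id (always 0),
    length of what follows (unit id + PDU), unit id. Nothing in the header
    identifies or authenticates the sender."""
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def build_write_single_register(transaction_id, unit_id, address, value):
    """Function code 6: write one 16-bit holding register."""
    return build_frame(transaction_id, unit_id, struct.pack(">BHH", 6, address, value))

def build_read_holding_registers(transaction_id, unit_id, address, quantity):
    """Function code 3: read holding registers (harmless on its own)."""
    return build_frame(transaction_id, unit_id, struct.pack(">BHH", 3, address, quantity))

def parse_frame(frame):
    """Decode the MBAP header and function code, rejecting frames that are not
    well-formed Modbus TCP so the detector cannot be confused by junk on port 502."""
    if len(frame) < 8:
        raise ValueError("truncated MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame" % length)
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}

def detect_unauthorised_writes(frames, allowed_writers):
    """frames: iterable of (src_ip, dst_ip, raw_frame). Because the protocol
    cannot tell an engineer from an intruder, 'who may write' has to be
    enforced outside it; here that is an allowlist of source hosts."""
    alerts = []
    for src, dst, frame in frames:
        try:
            info = parse_frame(frame)
        except ValueError as err:
            alerts.append((src, dst, "malformed frame: %s" % err))
            continue
        name = MODBUS_WRITE_FUNCTIONS.get(info["fc"])
        if name and src not in allowed_writers:
            alerts.append((src, dst, "%s (unit %d) from host not on engineering allowlist"
                           % (name, info["unit"])))
    return alerts

# Constructed sample traffic (assumed addresses): one engineering workstation
# may write; a host on the business LAN may not.
ALLOWED_WRITERS = {"10.10.1.5"}
PLC = "10.10.2.20"
SAMPLE_FRAMES = [
    ("10.10.1.5", PLC, build_write_single_register(1, 1, 0x0010, 0x0000)),    # legitimate write
    ("192.168.50.77", PLC, build_read_holding_registers(2, 1, 0x0000, 10)),   # read: tolerated
    ("192.168.50.77", PLC, build_write_single_register(3, 1, 0x0010, 0xFFFF)),# write: alert
    ("192.168.50.77", PLC, b"\x00\x04\x00\x00\x00\x06\x01"),                  # truncated: alert
]

if __name__ == "__main__":
    for alert in detect_unauthorised_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(alert)
```

The 12-byte request that sets a register to 0xFFFF is identical whether the engineer or the intruder sends it, which is the whole point: once control and safety systems share an Ethernet segment, the only places left to enforce write authority are network segmentation and monitoring of the kind sketched here. Production monitors work from packet captures rather than a hand-built list, but the decision logic is the same.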

Ok… so what can we do?

To successfully defend against attacks in the process-centric, high availability industrial control environment, security systems need to meet specific requirements.

While air-gaps and perimeter based approaches are important first lines of defence, protection must also take place inside the perimeter, on the very vulnerable systems and devices that are being targeted.

As cyber-criminal activity, including targeted attacks and Advanced Persistent Threats (APTs), continues to grow in frequency and sophistication, security systems should be continually reviewed and reappraised. And any beliefs about ICS that you might once have clung to should be subject to the same treatment.

Contributed by David Emm, principal security researcher, global research & analysis team, Kaspersky Lab