ICS Breach - At a Manufacturing Plant Near You Soon
30 November 2015



Following the cyber attack on the Iranian nuclear facility in 2010 the cyber threat to national security and critical national infrastructure has become an area of increasing concern for governments. Although the cyber threat against national infrastructure is the primary concern to governments and the infrastructure providers, there also exists a real and present threat to industries outside of critical infrastructure. Any industry or business that implements Industrial Control Systems (ICS) including Distributed Control Systems (DCS) or Supervisory Control and Data Acquisition Systems (SCADA) is now a target from a broad spectrum of threat actors with wide ranging motives. The threat of cyber attack against any industrial or manufacturing process is now an area of significant concern requiring immediate consideration and swift action to reduce the risks.

Historically ICS/SCADA systems were not designed with security in mind. The threats and vulnerabilities we see today were not around when many of these systems were designed and implemented. More modern systems may have added some security features however there is little evidence to show that ICS/SCADA security is being adequately addressed. In some instances manufacturing plant implemented many years ago has been expanded over a period of time thus integrating disparate or proprietary technologies. The attack vectors on ICS/SCADA have been compounded by aggressive business drivers to integrate manufacturing processes with back-end business systems. Integration intended to drive productivity and financial efficiencies has also increased the points of network connectivity. As such any ICS/SCADA system connected to a corporate network is vulnerable to global attack.

The security threat to ICS/SCADA systems was widely publicised and documented following the Stuxnet attack in 2010. The Stuxnet attack demonstrated the potential to compromise and significantly disrupt a specific critical manufacturing process within Iran's nuclear industry. Stuxnet caused discrete but highly critical changes to Programmable Logic Controllers (PLCs) that controlled centrifuge spin speeds within the uranium enrichment process. This significantly impacted Iran's nuclear programme and resulted in over 1000 centrifuges to be destroyed. Stuxnet was reported as being the most sophisticated malware seen at the time. Figure 1 and the steps below summarise the key stages of the Stuxnet malware attack;

1. USB Flash drive is infected with initial malware.

2. User knowingly or unknowingly connects infected USB flash drive to PC.

3. If connectivity is available the malware will contact a command and control server (C&CS).

4. Malware exploits various MS Windows vulnerabilities and spreads to network file shares.

5. The computer(s) used to programme PLCs become infected via the network.

6. The malware infects PLC programming software.

7. Infected PLC programming software injects malicious logic into PLC programme when uploaded to PLCs. This technique bridges air-gapped control systems and environments.

8. PLCs run corrupted logic programme to disrupt plant and machinery.

9. Malware also suppresses alarms and hides any indication to operators that control parameters have been exceeded or systems are malfunctioning.

Fig 1 – Simplified Anatomy of Stuxnet

In 2013 new malware targeting ICS/SCADA systems was discovered. The malware known as Havex (aka Energetic Bear RAT) initially targeted defence and aviation companies before focusing on the energy sector. The group behind the attacks knows as, 'The Energetic Bear Group' or 'Dragonfly Group', compromised over 100 systems in 84 countries over an 18 month period. It allowed the attackers to monitor the energy consumption of power plants in real time. The malware also had the capability to sabotage the systems had the attackers chosen to do so. Figure 2 and the steps below summarise the key stages of the Havex malware attack;

1. Attackers compromise legitimate industry sector websites such that visitors to the site are infected with malware. The malware provides remote access into the target network

2. Attackers compromise legitimate ICS/SCADA vendor web sites/servers and infect ICS product updates. This creates Trojan versions of legitimate ICS software updates.

3. The victim visits legitimate industry sector website and becomes infected with initial remote access malware.

4. The targeted ICS system becomes infected when the Trojan/infected ICS product updates are downloaded from the vendor.

5. Malware delivered to the target establishes a connection with the attacker’s command and control server (C&CS) to download various payloads.

6. Downloaded payloads include modules that use Open Platform Communications (OPC) to discover ICS components.

7. The malware collects information about the ICS/SCADA system. This data is sent back to the attackers C&CS. The attack has the capability to control and sabotage the ICS system.

Fig 2 – Simplified Anatomy of Havex

Attacks against ICS/SCADA systems are not exclusive to the Energetic Bear Group. Many groups and individuals currently attacking the business sector all have the capability to transfer their knowledge and focus on attacking the industrial sector including manufacturing. This shift in focus is feasible due to the increase in IP connectivity within the industrial and manufacturing landscape. Open standards for network and system connectivity massively expands the threat landscape which was historically local to ICS systems within isolated manufacturing environments. Typically local threat actors and agents may include internal disgruntled staff, contractors or third party personnel with legitimate site access, but now the threat landscape has changed.

The threat to manufacturing industries will grow rapidly as all of the elements to facilitate ICS/SCADA attacks are already in place. Criminal networks, hacktavists, malicious hacking groups all have well established attack paths over the internet. Highly skilled groups and individuals collaborate globally to undertake cyber attacks. Many of the skills and sophisticated techniques currently used to attack enterprise systems and networks are directly transferable to attacking ICS/SCADA manufacturing systems. Malware development, social engineering and processes to monetise attacks are all mature aspects of today's cyber criminals. Other threats that do not have a financial goal such as hactivism and cyber vandalism are all applicable to industrial automation and manufacturing industries.

Many of the lessons learned in defending traditional business IT systems and data networks are applicable to combat the increasing threat and reducing the risk to ICS/SCADA systems. It is however import to recognise that due to the architecture, design and operation of ICS/SCADA systems, some security best practices cannot be easily applied. These include operating system (OS) and application patching, robust penetration testing and granular access control. These are a particular constraint in safety critical processes. Such constraints mean that more robust and detailed attention needs to be given to the broad range of security controls, methods and technologies available to mitigate and reduce the risks.

Deployment of a protective monitoring solution should form part of the overall ICS/SCADA security strategy. Many of the components of a protective monitoring architecture including, Anti-Virus(AV), Firewalls(FW), Intrusion Detection Systems(IDS) and Security Incident and Event Monitoring (SIEM), may already be in place within the enterprise network. However, these typically do not have the functionality to address ICS/SCADA security issues. It is therefore necessary to consider the more specific and specialised ICS/SCADA security controls required in these environments.

Recognising the potential speed and frequency at which cyber attacks against ICS/SCADA is likely to increase is essential to addressing the issues. Early adoption of a detailed strategy specific to the security of ICS/SCADA systems is paramount in defending and responding to cyber attacks on industrial and manufacturing systems.

An ICS/SCADA security strategy within the manufacturing industry should typically include;

1. Identification of industrial and associated digital assets including; Location, Purpose, Criticality, Control methods, Physical access points, Logical access points, Connectivity methods, Connected systems, Authorised users.

2. Identification of skill base and capability particularly to support legacy plant, machinery and controls.

3. Detailed design documentation of control system including; All communication ingress and egress points, Business system integration and connectivity, Detailed and accurate list of all ports and protocols traversing ingress and egress points.

4. Backups of all control software and configurations inc PLCs.

5. Documented and tested incident response plan.

6. Review or produce ICS/SCADA security policy document set.

7. ICS/SCADA security awareness programme.

8. Employee vetting and re-vetting.

9. Assessment of existing technical security controls, or feasibility of additional controls, including; Firewalls Data diodes, Access controls, Intrusion Detection System (IDS), Security Incident and Event Monitoring (SIEM), Audit and Vulnerability scanning tools

10. Review of physical security and controls.

11. Review of operations processes and procedures.

In addition to applying due care within an organisations own facilities, the security of the industrial and manufacturing processes within the supply chain, in particular that of critical component suppliers, should be reviewed or included in the due diligence process.

Organised threat actors and sophisticated malware to attack and significantly impact the industrial sector already exists. Attacks against industrial control systems across all sectors are certain to increase. No sector will be immune and the manufacturing industry will be a prime target. A broad range of threat actors will participate in attacks; individual hacker kudos, cyber vandalism, hactivism, industrial espionage and terrorism will all be included. Painful lessons have been learned within the business sector over the last decade due to inadequate or lax security of their business systems. The speed at which cyber crime has grown and the types of sophisticated attacks that have evolved has made it difficult for the security industry to keep pace. The problem of defending against attacks has historically been exacerbated partly due to the slow response from businesses to prioritise security and assign adequate resources. It is therefore imperative that businesses apply lessons learnt and take prompt and suitably resourced action to prepare for what will become a significant problem within the industrial sector including energy, utilities and manufacturing. Prompt action to consider and implement recommended best practice will narrow the attack vectors, reduce the risk, reduce the likelihood of becoming a victim and prepare an organisation to react and swiftly recover from a breach when it happens.

varlogsecurity blog
The place where I share my personal opinion and observations on the world of IT security.

© 2013

Modified heading photo. Original photo by Rick Audet. Creative Commons Attribution