Cyber Matters: Examining the Threat Against Industrial Control Systems

By Rob Sloan, cybersecurity research director, WSJ Pro

The risk of industrial-control systems being targeted with cyberattacks has long concerned operators, governments and vendors, but fears of widespread attacks crippling critical infrastructure have so far failed to materialize. Now that risk appears only to be growing, because of the availability of attack tools and the evolving motivations of digital adversaries.

Industrial-control systems, or ICS, are found mainly in energy production and distribution, oil and gas production, utilities and manufacturing. ICS collect data from sensors and monitoring software and use that information to regulate processes, switches, valves, motors and controllers, often distributed over large geographic areas. Any industry relying on ICS technology is exposed to risk that could seriously damage operational capability.

The challenge of securing industrial-control systems has been discussed for well over a decade, but significant problems remain. In June, the Washington Post reported that hackers affiliated with the Russian government have built a strain of malicious software that has “the potential to be the most disruptive yet against electric systems that Americans depend on for daily life.”

According to a recent report from security vendor TrapX Security Inc., the problems started following the 2003 power blackout in the northeastern U.S.

To increase resilience, operators connected ICS to the internet, but this inadvertently led to systems becoming vulnerable simply because they were connected to the web.

“The majority of industrial control systems deployed across the many thousands of power plants and manufacturing facilities globally are all susceptible in varying degrees to the cyber-attacks,” the report concluded.

TrapX researchers also warned that “even with the best perimeter, endpoint, intrusion detection and defense in depth cyber defense strategy… attackers will successfully breach ICS networks.”

Nation State Hacking

The threat comes mainly, but not exclusively, from nation states. States have the capability, developed at considerable expense over long periods of time, and the intent to attack systems with a strategic goal: namely to be able to degrade, disrupt or deny the ability for a victim’s system to function.

“I fully expect every nation state has a program developing offensive cyber weapons to be used when and if necessary in the future,” said Eddie Habibi, chief executive of Houston-based PAS Global, LLC. “Attacks can be implanted today and activated any time in the future. The consequences of a simultaneous attack on the critical national infrastructure would be devastating.”

“Chief financial officers are seeing cybersecurity as a business risk that they need to measure,” said Mr. Habibi. The risk of share price impact and the rising cost of cyberinsurance for organizations without robust cybersecurity policies and procedures is driving action. Mr. Habibi added: “Boards of directors are making ICS a top priority for their chief information officers.”

The first widely known attack against ICS was the 2011 Stuxnet attack, generally believed to be a U.S.-Israeli intelligence operation aimed at disrupting the Iranian nuclear weapons program.

Often, though, the details of what exactly happened, and who was responsible, aren’t fully understood.

Vulnerabilities often stem from a lack of cyber hygiene. ICS technology is often critical to the operation of entire power plants or refineries, and taking it offline to perform security updates could result in serious disruption to operations. The result is that ICS often run on old, unsupported versions of operating systems that are easier to compromise.

The cybersecurity company ESET LLC recently analyzed malware which is believed to have been used to disrupt power grids in Ukraine in December 2015. The malware, attributed by other firms to Russian hackers, targeted electrical substations and contains a ‘wiper’ capable of deleting all data from infected machines, frustrating investigative and restorative efforts after an attack.

With freely available tools, hackers can conduct damaging attacks without consideration of the consequences, which include loss of life and physical damage in addition to operational disruption.

The U.S. government response was the formation of the Industrial Control System Computer Emergency Response Team, part of the Department of Homeland Security. Known as ICS-CERT, the team aims to reduce risks across critical infrastructure sectors that deploy ICS by collating and sharing best practices and intelligence gathered from government and private sector partners to help operators defend their systems.

The power industry, driven by regulations, “leads the pack” in terms of security maturity, according to Mr. Habibi. The oil and gas industry is close behind, with a focus on best practice and protecting its business rather than on compliance.

“The challenge with cyber, in contrast to safety for example, is that the culture of sharing hasn’t developed,” said Mr. Habibi, who believes more can be done to learn from incidents.

There is likely to be continued interest in attacking systems as more states develop their capabilities. Future conflicts are increasingly likely to feature cyberattacks on infrastructure to disrupt an adversary’s ability to function, though for now at least, natural disasters seem a far more likely cause of power outages and manufacturing disruption.

(Rob Sloan is cybersecurity research director at WSJ Pro. Previously, Rob has worked as response director for a specialist IT security consultancy in London and built a team focused on detecting, investigating and protecting against cyber intrusions and responding to incidents, especially state-sponsored attacks. Rob started his career working for the U.K. government, looking at some of the earliest cyberattacks against the critical national infrastructure. Rob’s main interest is the requirements, motivations and technical capabilities of threat actors.)