Cyber Espionage comes to SCADA Security | Automation.com

Cyber Espionage comes to SCADA Security

February 06, 2012

By Eric Byres, Tofino Security

Anyone working with SCADA or industrial control systems (ICS) is aware of the pressure to increase productivity and reduce costs through network integration. For example, sharing real-time data from field operations with management is standard practice for most companies. Similarly, the demand for remote support has made many control systems accessible via Internet-based technologies.

At the same time, SCADA systems themselves have changed radically. Proprietary networks have been replaced with equipment using Ethernet technology. Single-purpose operator stations have been replaced with computers running Windows™, and IT software such as PDF readers and web browsers is installed in every station or control center.

These new technologies are enabling companies to implement agile, cost effective business practices. Unfortunately, they also come at a cost; many of the same security vulnerabilities that have plagued business systems now appear in SCADA systems. Control systems are now exposed to cyber security threats they were never designed for.

Stuxnet - The Game Changer

Cyber attacks on automation systems were considered by many to be a theoretical problem until the discovery of the Stuxnet worm in July 2010. At that moment the world changed, not only for ICS operators, but also for automation vendors, hackers, criminals and even governments.

Stuxnet was specifically designed to attack Siemens automation products. It was capable of downloading proprietary process information, making changes to logic in PLCs, and covering its tracks. It used previously unknown vulnerabilities to spread. It was powerful enough to evade state-of-the-art security technologies.

Stuxnet’s intended target was the uranium enrichment centrifuges used by Iran in its nuclear armaments program. Seizing control of the automation system, the worm was able to reconfigure the centrifuge drive controllers, causing the equipment to slowly destroy itself.

Stuxnet had a specific target, but like all attacks, cyber or conventional, there was collateral damage. Several companies in the US had PLCs that were reconfigured by Stuxnet, probably by accident. There was no real damage, but there were a lot of labor charges and shutdowns.

Even these problems soon stopped; software patches and anti-virus signatures drove Stuxnet into extinction. Unfortunately, the problem did not end there.

Stuxnet’s Children Have Arrived

The real impact of Stuxnet began to appear after the worm itself was history. Thanks to Stuxnet’s publicity, hackers and criminals discovered that SCADA/ICS products are attractive targets. These systems soon became targets of choice for public security disclosures; in 2011 the US ICS-CERT released 104 security advisories for SCADA/ICS products from 39 different vendors. Prior to Stuxnet, only 5 SCADA vulnerabilities had ever been reported.

What was particularly concerning was that attack code was released for 40% of these vulnerabilities. This meant that the bad guys both knew where to find holes in SCADA/ICS products and had the software to exploit them.

Stuxnet also showed the world the power of a well-designed ICS worm. It could steal corporate secrets, destroy equipment and shut down critical systems. And while Stuxnet appeared to have been created for political reasons, the opportunities for corporate exploitation were obvious to governments and criminals alike. It was only a matter of time before someone reused the techniques from Stuxnet to go after other victims.

By February 2011, a new attack against industry was exposed. A paper titled “Global Energy Cyberattacks: Night Dragon,” described cyber threat activity that was stealing sensitive data such as oil field bids and SCADA operations data from energy and petrochemical companies.

In early October 2011, a variety of sources announced the discovery of a new Trojan named “Duqu.” This targeted malware used a lot of the same source code as Stuxnet. Unlike Stuxnet, it is an information stealer and doesn’t appear to directly target PLC systems. However, according to Symantec:
“Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers… The attackers are looking for information such as design documents that could help them mount a future attack on various industries, including industrial control system facilities.”

At the end of October, Symantec released details of a third attack directed at 25 companies involved in the manufacturing of chemicals and advanced materials. Calling these attacks the “Nitro Attacks,” Symantec reported that:
“The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage.”

Why do they do it?

When most people consider the motivation of worm creators and hackers, they think of the destructive focus of early cyber events like the Slammer worm in 2003. That worm shut down vast portions of the Internet and affected companies around the world.

Today’s new attacks show a different focus: subtle and persistent attempts to steal valuable information, information that can be used to make a counterfeit product, out-bid a rival for an oil exploration lease, or coordinate a short selling campaign against a company’s stock.

Theft of operations information for commercial espionage has been around since long before networks and cyber-security showed up. Check out the article "The Pizza Plot" for an example of how production data from a Kraft food plant was used by a competitor to reshape the $2.3 billion pizza market. Today the profit potential for SCADA information theft can be even bigger.

These worms could also be precursors to later destructive attacks against automation systems. Clearly, the Stuxnet designers collected detailed process information on their victim prior to actually creating their worm. Could the Duqu worm be a forerunner to a more destructive attack?

It is worth noting that the goal of Stuxnet was to impact Iran’s production rather than to harm people. So it is possible that the goal of this next generation of malware is to quietly stop production at a utility or pipeline somewhere in the world. Impacting the production of a rival, short selling the shares of a company or extorting money under the threat of a disruption are all profitable activities for a criminal or nation-state group.

The Current SCADA Security Challenge

In the last decade you have connected your SCADA or ICS to the business network, adopted commercial-off-the-shelf technologies and improved process efficiencies. You may not have focused on cyber security, thinking that hackers were not interested in your industry, or that your plant is safe because your process networks are not directly connected to the Internet, or that you still employ enough proprietary technology to flummox interlopers.

Well, wake up, there is a new reality. Industrial control systems are now favored targets for security researchers, so much so that in 2012 I am predicting that more than 500 ICS vulnerabilities will be made public.

Additionally, ICS malware is different from worms of the past. It is more sophisticated, and while its aim may be process disruption, it is more likely to be cyber espionage. You do not want to be the engineer surprised to learn that key business secrets have been stolen by malware on your network.

Given this new reality, what is the way forward? Well, it involves better cyber security practices and a concept called defense-in-depth. Stay tuned for my next article where I explain the steps you need to take to improve your plant’s defenses.
