Cybersecurity: Overcoming Challenges of Protecting Industrial Automation and Control Systems (IACS)

  • May 13, 2016
  • News

By Carolyn Crandall, Chief Marketing Officer, Attivo Networks, Inc.

Just before Christmas 2015, a cyberattack on a local energy provider caused a blackout across a wide swath of Ukraine. In 2014, an attack at a South Korean nuclear reactor resulted in leaked data, albeit non-critical data, according to officials. In 2012, another breach disabled 30,000 computers at a Saudi Aramco facility.

According to a 2014 study conducted by the Ponemon Institute, 2014 Global Report on the Cost of Cyber Crime, companies in the energy and utilities sector suffered the highest mean annualized losses from cyber crimes ($13.2 million).

The implementation of a comprehensive cyber security plan to protect critical industrial automation and control systems (IACS), or what is also referred to as supervisory control and data acquisition (SCADA) systems, is a cornerstone of ensuring the availability of infrastructure assets and company information. It also aids compliance with federal, state and local laws and regulations, and maintaining safe and reliable operations.

A defense-in-depth approach to cyber security reduces risk with each effective layer of protection and combines a mix of defensive and offensive measures for the most protection against a breach. A new frontier in defense-in-depth is the implementation of dynamic deception solutions that take a favorite hacker strategy – deception – and use it against them. Dynamic deception provides real-time visibility into threats that have bypassed firewalls, intrusion detection and other prevention solutions. It also provides the detailed forensics required to block, quarantine and remediate the infected device or network.

The Unique Challenges of Manufacturing and Factory IACS – SCADA Systems

Cyber attacks are often sophisticated in behavior and are becoming more difficult to detect and stop with standard firewalls and other perimeter defenses.  The realization that U.S. critical infrastructure, such as manufacturing and factory operations, needs better protection from imminent cyber attacks has resulted in heightened awareness.  In many cases, it has also led to accelerated development and implementation of additional safeguards.  Attacks on manufacturing and factory operation infrastructure have the potential to be not only an inconvenience, but also could result in major destruction with long-lasting ripple effects.

Securing these automation and control systems presents a unique set of challenges. The myriad of deployed devices, such as sensors, wireless transmitters, remote terminal units (RTUs), programmable logic controllers (PLCs) and operator interface terminals (OITs), generally have a long life cycle. There are often thousands of these devices within a given manufacturing or factory operation. Hardening these devices can be a challenge, since component manufacturers designed primarily for function, not security. As a result, these older devices are often less resistant to denial-of-service attacks.

While newer devices reflect the changed security landscape, replacing the large number of manufacturing and factory IACS devices deployed by the typical operation will result in lag time and higher cost. Consequently, many older devices will remain in place for some time.

Because automation and control systems often operate 24/7, the time between maintenance projects is generally longer than in other industries, leaving devices without required patches or updates for longer periods of time.

The original developers of SCADA systems had focused on monitoring critical production processes without considering security consequences.  Today, however, IT teams are connecting SCADA systems to the corporate IT infrastructure and the Internet, increasing their vulnerability to cyber attacks.

Strategies to Protect Manufacturing and Factory IACS – SCADA Systems

There is no silver bullet solution that is going to protect a manufacturing or factory automation and control system.  The most effective strategy is to apply prevention and detection solutions together for multiple layers of security. These solutions protect the IACS and detect infections when prevention solutions fail.  The risk of having a security breach is reduced with each layer of security that is added to protect the asset.  A complete defense-in-depth approach will include administrative controls, such as policies and procedures; physical controls, such as cabinet locks and badged door access; and technical controls, such as firewalls, intrusion prevention systems (IPS), intrusion detection systems (IDS), and deception for inside-the-network threat detection.

Introducing Deception Technology

Deception is the newest “layer” in the defense-in-depth approach. It is a different and effective solution for protecting IACS-SCADA environments since it does not rely on knowing attack signatures or patterns, and it does not need to monitor all traffic to look for suspicious behavior. Deception also does not require software to be loaded or maintained on the IACS-SCADA device. Instead, a deception solution confuses, delays and redirects a cyber attack by incorporating ambiguity and misdirecting its operation. Drawn to the deception engagement server, attackers are tricked into engaging and assuming they have succeeded in their attack. The deception server contains a “sinkhole” so that once attackers engage, IT and security teams can study the attack without the risk of additional harm. Once attackers engage, there is no way of hiding. The IT and security team can see the attacker's IP addresses, and the deception engagement server will analyze collected attack forensics so that an actionable, substantiated alert can be sent. This enables the prompt blocking, quarantining and remediation of the infected device.

By design, deception will detect both reconnaissance and stolen credential attacks and will reduce attack detection time by identifying infected clients, including sleeper and time-triggered agents. Regardless of whether the virus is old or new, the deception engagement server can quickly and accurately detect the attack. Deception can also be used to detect and analyze ransomware attacks, including phishing and CryptoLocker attacks. For example, deception would have been an effective solution to detect the Black Energy KillDisk malware prior to the impact it caused to the Ukrainian power grid.

How Deception Thwarts a Cyber Attack

First, the deception engagement server plays a key role in attacker deception and must appear authentic, so the attacker is deceived into believing the network information the server provides is real. Ideally, the manufacturing or factory operation’s IT team will install its own Open Platform Communications (OPC) software, be able to run popular protocols and use real operating systems for the highest level of authenticity. Popular protocols include Siemens S7 PLC, Modbus, BACnet, IPMI, SNMP MIB, Veeder-Root tank software emulation, Common Industrial Protocol (CIP) and DNP3.

Substantiated alerts are another critical part of the solution. Many of a manufacturing or factory operation’s devices run 24/7, and taking them offline can have an impact on both finance and production. Alerts must provide both irrefutable evidence of an infected device and the detail required to remediate the infection. Additionally, reporting should be available in PCAP, IOC, STIX, syslog and other formats, so prevention systems can be updated to block against future attacks. More advanced systems will also provide integrations for automated remediation with popular SE and other firewall prevention solutions.

The diagram below illustrates a defense-in-depth approach to cyber security with physical, technical, administrative and dynamic deception layers.  The dynamic deception layer bridges the security gap that occurs when an attacker bypasses prevention solutions and mounts an attack inside the network.  Deception also provides increased visibility into the potential intrusions on IACS devices that can occur from both internal and external threats. Comprehensive deception solutions can also detect the use of stolen credentials, in addition to the reconnaissance and lateral movement of an attacker.

Defense in depth that includes dynamic deception creates a new level of security for manufacturing and factory operations’ SCADA networks.

What To Look for in a Deception Solution

While every manufacturing and factory SCADA facility and SCADA system is different, there are several core features IT teams should seek out when exploring dynamic deception solutions as part of their defense-in-depth strategy.  Among these:

  • Dynamic deception should provide upstream and downstream threat detection for business, process controls and field sensors.
  • The solution should be able to detect threats from reconnaissance, stolen credentials, phishing, and ransomware attacks and provide visibility to external, inside and third party threats as they move laterally through the network.
  • It should set traps and provide the visibility required to quickly detect and stop an attack, regardless of whether the malware originates from a USB device, from clicking on a phishing email or other point of access.
  • Ideally, the solution should be effective at detecting zero-day attacks and not depend on signatures or attack pattern look up.
  • The deception solution should run real operating systems, extensive protocol emulations and have the ability to load a manufacturing or factory operation’s OPC software, which makes the deception engagement server indistinguishable from production SCADA devices.  This is critical as the solution uses server and application deceptions as “bait” to lure attackers to its engagement servers.
  • IT and security teams should be able to insert the deception solution’s endpoint credentials on each SCADA device so that attackers are deceived into thinking they have stolen valuable user credentials, which in fact lead them to the “sinkhole.”
  • Deployment should be simple and straightforward. It should be frictionless and take less than an hour to deploy. To facilitate a non-disruptive deployment and to mitigate the need for appliances with large processing engines, it is recommended that the deception engagement server not be an inline device.
  • The engagement server should be self-healing, which provides automatic rebuilding of engagement servers after an attack, eliminating the need for manual rebuilds or maintenance.
  • All alerts should occur in real time, based upon the detection of an attacker. Alerts should include forensics with substantiated, actionable detail to identify the infected device, identify the attacker IP and be able to communicate with the Command and Control to capture attacker methods and tools. Because alerts are based on actual attacks and provide attack detail, IT and security teams can quickly quarantine a device and remediate the attack.
  • The deception solution should include a threat intelligence dashboard that provides the ability to customize settings and gives a centralized view of all alerts. The dashboard should be able to drill down deeply into attack detail and have the option to create multiple report formats, such as IOC, PCAP, STIX, and CSV to share attack information detail.  It should also integrate with third party SIEM solutions, such as Splunk, ArcSight, QRadar and Nitro and other prevention systems.
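The decoy-credential and substantiated-alert points above can be shown in code. This is an added example, not Attivo's product or the article's own material: it assumes each production SCADA device was planted with a unique decoy account that is only valid on the engagement server, and that the engagement server writes syslog-style authentication lines (the account names, device names, IPs and log lines below are all constructed).

```python
import re
from typing import Dict, List, Optional

# Constructed: one unique decoy account planted per production SCADA device.
# The account works only on the engagement server, so any use of it means an
# attacker replayed a credential harvested from that specific device.
DECOY_ACCOUNTS: Dict[str, str] = {
    "svc_hmi_backup": "plc-line1-hmi",    # planted on the line 1 HMI/PLC
    "opc_admin_tmp": "rtu-substation-4",  # planted on RTU substation 4
    "eng_maint_ro": "oit-packaging-2",    # planted on OIT packaging 2
}

# Constructed syslog-style lines as an engagement server might emit them.
SAMPLE_LOG = """\
2016-05-13T02:14:07Z engage-srv sshd[812]: Accepted password for svc_hmi_backup from 10.1.5.23 port 51022 ssh2
2016-05-13T02:14:09Z engage-srv sshd[813]: Failed password for opc_admin_tmp from 10.1.5.23 port 51030 ssh2
2016-05-13T02:15:44Z engage-srv sshd[820]: Failed password for root from 10.1.9.8 port 40011 ssh2
2016-05-13T02:16:00Z engage-srv CRON[901]: (root) CMD (run-parts /etc/cron.hourly)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def detect_engagements(log_text: str, decoys: Dict[str, str] = DECOY_ACCOUNTS) -> List[dict]:
    """Turn engagement-server auth events into substantiated alerts.

    No legitimate user ever logs in to the engagement server, so every auth
    event is an alert. A decoy account additionally names the production
    device the credential was stolen from, i.e. the infected device.
    """
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an auth event (e.g. cron noise)
        device: Optional[str] = decoys.get(m["user"])
        alerts.append({
            "time": m["ts"],
            "attacker_ip": m["ip"],
            "account": m["user"],
            "infected_device": device,  # None: not a credential we planted
            "category": "stolen_credential" if device else "reconnaissance",
            "severity": "critical" if m["result"] == "Accepted" else "high",
        })
    return alerts


def attacker_ips(alerts: List[dict]) -> List[str]:
    """Indicator list to push to firewalls or a SIEM as a block list."""
    return sorted({a["attacker_ip"] for a in alerts})
```

Because each decoy maps to exactly one device, the first alert both names the attacker IP and pinpoints the host whose credential store was harvested, which is the detail a team needs before taking a 24/7 device offline.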


Perimeters of networks continue to disappear, and business and process control networks continue to become increasingly connected. Dynamic deception provides a new and powerful approach for the prompt detection of threats inside the network that have bypassed prevention solutions. It also provides real-time visibility into the inside-the-network activity of internal and external threat actors, empowering an organization to go on the offensive and proactively protect its automation and control systems from the risk of attack. Deception systems are not all created equal, though they all offer the benefit of deceiving and detecting the attacker, giving organizations the much needed time and visibility to derail an attack.

About the Author

Carolyn has more than 25 years of experience in high tech marketing and sales management. At Attivo Networks, she is the Chief Marketing Officer responsible for overall marketing strategy. She has built leading brand strategy and awareness, high-impact demand generation programs and strong partnerships for some of the industry’s fastest growing high-tech companies, including Cisco Systems, Juniper Networks, Riverbed and Nimble Storage.
