Although modern automation, protection and control systems are highly specialised IT systems, many use commercial off-the-shelf components along with standardised IP-based communication protocols. In addition, they can be distributed and highly interconnected systems that use mobile devices and storage media. All of this leads to a larger attack surface in modern industrial control systems than in isolated or legacy systems. Here, Ragnar Schierholz debunks several myths surrounding cyber security and offers concise views on how to minimise the impact of attacks on safety, health, the environment and finances.
There’s enough proof that the threats are real and have an actual safety, health, environmental and financial impact. As Marty Edwards, managing director of The Automation Federation, has stated: “You will be attacked or infected. It’s only a matter of time. Only by acting now can you minimise the resulting damage and reduce the spread of infection.”
SMEs often believe that they are too small or not interesting enough for hackers to disrupt their business through a cyber attack. Yet hackers find value in data and often work on the premise that if it is worth having then it is worth stealing. What matters to attackers is that the targeted assets are valuable to their owners, their competitors or other third parties. Attackers’ own business models are often built on economies of scale: many small targets add up to a profitable campaign, as observed of late with the increasing impact of ransomware.
Furthermore, critical infrastructure is often a network of smaller entities. Many small entities failing can destabilise critical infrastructure, which is what happened in Ukraine when the 2015 power blackout was found to be the result of a cyber attack. Small entities may also be the attack vector into larger entities.
Another myth is that investing in protection against cyber attacks doesn’t pay off. The truth is that an industrial control system (ICS) that has been compromised in some way is no longer reliable and trustworthy and can become a safety risk. A common mistake that leads to this perception is the imbalance between investment in security capabilities in technology and investment in security capabilities in processes and people. Furthermore, insuring an ICS to ensure business continuity may prove difficult – if not impossible – if the system has been previously penetrated. Fines for non-compliance can reach up to US$ 1 million per day.
Many companies believe that their systems are ‘air-gapped’, so that there is simply no way in for attackers. Yet every day, data is imported into, as well as exported from, the control system, whether that be production schedules, engineering updates, production progress detail, equipment health information or emission reports. Entirely isolated systems are extremely cumbersome and expensive to operate. If no communication path is built in, convenient workarounds are improvised, such as unapproved networks, temporary connections and portable media.
Finally, some believe that just because a control system doesn’t have a direct connection to the Internet, there’s no way in for attackers. However, many incidents are staged attacks such as phishing to compromise legitimate user accounts or perimeter networks. Lateral movement often helps criminals to access far more interesting targets.
The biggest challenges
The table below shows the complexity of the challenges facing industry today.

| Requirements | Enterprise IT | Industrial IoT |
|---|---|---|
| What’s protected? | Data | Physical processes |
| Impact area | Disclosure of information, financial loss | Safety, availability, financial, environment |
| Security objective | Confidentiality and privacy | Availability and integrity |
| Operating systems | Windows, Linux… | Windows at HMI, RTOS at field devices |
| Availability requirements | 99% | 99.9% to 99.999% |
| System lifetime | 3 to 10 years | 5 to 25 years |
| Logging and forensics | Standard practice | Limited |
| Patching | Standard schedule, can be expedited | Non-standard, possibly long time between updates |
Types of attack
Both white noise (opportunistic) and targeted attacks commonly enter through the Internet, the enterprise IT network or personal devices and go on to affect the operational technology. Attacks usually start with phishing or a perimeter compromise. General attacks come in the form of generic malware from the IT world which exploits system vulnerabilities, usually at Level 5 to Level 3 of the Purdue reference model (the enterprise, site business and operations layers). Targeted attacks come in the form of custom malware designed specifically for a certain environment and can cut across the control infrastructure from Level 5 down to Level 1 (basic control).
While the consequences of a white noise attack can be limited to moderate damage and, as such, receive little or no public attention, targeted attacks can have a wider impact and attract much public attention. However, white noise attacks occur at much higher frequency, so the aggregated impact of these is considerable as well.
In March 2017, Microsoft released a patch (MS17-010) to fix a vulnerability in one of the oldest Windows networking protocols, Server Message Block version 1 (SMBv1), which had been reported by the NSA after it detected a leak of its tooling. A month later, the hacker group called The Shadow Brokers released EternalBlue, an exploit for the SMBv1 vulnerability, as part of a larger set of attack tools.
Then, in May 2017, the WannaCry ransomware outbreak was reported and quickly spread over hundreds of thousands of computers. It targeted computers running Microsoft Windows, encrypting data and demanding ransom payments of $300 per computer in the Bitcoin cryptocurrency.
The ransomware spread autonomously using the EternalBlue exploit against the SMBv1 vulnerability. A security researcher found a ‘kill switch’ domain which slowed the infection rate substantially. Even so, according to Europol, over 200,000 computers were infected across 150 countries. Nissan Motor Manufacturing in the UK and Renault in France both halted production in an attempt to stop the spread of the ransomware.
Those that were unprepared for an attack left themselves exposed because they did not know the patch status of their own systems. Many were unwilling to patch a live system or were intimidated by the patch process itself. The end result was that those who had fallen a year behind were hundreds of patches adrift of a secure system.
When the ransomware hit, questions ranged from “Shall we pay?” to “Do we have a back-up?” Those organisations that had prepared were simply not affected in any way.
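The first question an operator could not answer in May 2017 was the simplest one: which of my Windows hosts still speak SMBv1? The following probe is an added example and not code from the article or from ABB. It builds the SMB1 NEGOTIATE request as laid out in MS-CIFS, offers the one dialect Windows servers actually negotiate (`NT LM 0.12`) and reads the server's DialectIndex from the reply; a host with SMBv1 disabled normally drops the connection or answers with no accepted dialect. The `sample_response()` bytes are constructed for offline testing, not captured from a real host, and the result labels are this example's own.

```python
"""SMBv1 exposure probe: does a host still accept an SMB1 (CIFS) NEGOTIATE?
Packet layout follows MS-CIFS; the sample reply below is constructed, not captured."""
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
DIALECTS = [b"NT LM 0.12"]   # the only SMB1 dialect Windows servers negotiate
NO_DIALECT = 0xFFFF          # DialectIndex meaning "none of the offered dialects accepted"
SMB_HEADER = "<4sBIBH2s8s2sHHHH"  # 32-byte SMB1 header, little-endian, no padding


def _smb_header(flags):
    return struct.pack(
        SMB_HEADER,
        b"\xffSMB",          # Protocol
        SMB_COM_NEGOTIATE,   # Command
        0,                   # Status (NT_STATUS_SUCCESS)
        flags,               # Flags: 0x18 in a request (canonical paths, case-insensitive)
        0xC843,              # Flags2: long names, EAs, extended security, NT status, Unicode
        b"\x00\x00",         # PIDHigh
        b"\x00" * 8,         # SecurityFeatures
        b"\x00\x00",         # Reserved
        0, 0xFEFF, 0, 1,     # TID, PIDLow, UID, MID
    )


def build_negotiate_request(dialects=DIALECTS):
    """NetBIOS session header + SMB1 header + SMB_COM_NEGOTIATE body (WordCount 0)."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # each dialect: 0x02, name, NUL
    smb = _smb_header(0x18) + struct.pack("<BH", 0, len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb           # NetBIOS: type 0, 3-byte length


def parse_negotiate_response(data, dialects=DIALECTS):
    """Return the accepted dialect name, None if the server rejected all offered dialects,
    or raise ValueError if the bytes are not an SMB1 NEGOTIATE response."""
    if len(data) < 4 + 32 + 3:
        raise ValueError("short packet")
    smb = data[4:]                                   # strip the NetBIOS session header
    proto, cmd, status = struct.unpack_from("<4sBI", smb, 0)
    if proto != b"\xffSMB" or cmd != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE response")
    if status != 0:
        raise ValueError("NT status 0x%08x" % status)
    if smb[32] < 1:                                  # WordCount: 17 on success, 1 on rejection
        raise ValueError("response carries no DialectIndex")
    (dialect_index,) = struct.unpack_from("<H", smb, 33)
    if dialect_index == NO_DIALECT:
        return None
    if dialect_index >= len(dialects):
        raise ValueError("DialectIndex %d out of range" % dialect_index)
    return dialects[dialect_index].decode()


def probe_smb1(host, port=445, timeout=3.0):
    """Live check: 'smb1-enabled', 'smb1-disabled', 'refused' or 'no-answer'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            data = s.recv(4096)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "no-answer"
    except OSError:                                   # e.g. connection reset by a hardened host
        return "smb1-disabled"
    if not data:
        return "smb1-disabled"
    try:
        return "smb1-enabled" if parse_negotiate_response(data) else "smb1-disabled"
    except ValueError:
        return "smb1-disabled"


def sample_response(dialect_index):
    """Constructed minimal server reply for offline testing (not a real capture)."""
    word_count = 1 if dialect_index == NO_DIALECT else 17
    words = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    smb = _smb_header(0x98) + bytes([word_count]) + words + b"\x00\x00"   # ByteCount 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe_smb1(host))
```

Run it against an inventory of plant hosts from a machine that is allowed to reach TCP 445; every `smb1-enabled` result is a host that either lacks MS17-010 or at least still exposes the protocol WannaCry needed, and belongs on the patch or decommission list.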
Objectives of a targeted attack against an ICS
An attack against an ICS usually results in the loss, denial or manipulation of the control system and/or the operator’s view, which in turn leads to a denial or manipulation of safety. The results can be equipment damage and infringement of safety limits. Production failure can lead to poor quality and higher operating and maintenance costs. Compliance violation can affect safety, pollution and even contractual agreements.
What are the attackers after, exactly? Campaigns targeting private companies are stealing design documents, formulas, manufacturing processes and research materials.
It’s important to consider cyber security across the complete life-cycle of an ICS. One approach is the defence-in-depth method. This comprises a series of eight steps that, over time, build up to a secure system: cyber security consultation, hardening, monitoring, securing perimeters, whitelisting, host and network detection, host intrusion detection with secure configuration, and securing the interior.
White noise attacks can be tackled using basic countermeasures. Targeted attacks adapted to individual circumstances are difficult to counter, because these attackers are always looking for weaknesses in the existing protective measures. Such measures merely raise the bar; they cannot stop adequately motivated and financed attackers.
In addition, it’s necessary to recognise, analyse and counteract targeted attacks while they are still at the preparation stage, using countermeasures tuned to the detected attack. This requires security monitoring (including anomaly detection of deviations from the plant’s normal communication patterns) and incident response.
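Control networks are far more regular than office networks, which is what makes anomaly detection workable there: the same HMIs poll the same PLCs with the same function codes at the same rate, day after day. The following example, added here and not code from the article or from ABB, learns a baseline of allowed conversations and their peak per-minute rates from a learning window, then flags a new peer, a known peer using a function it never used before (an HMI suddenly writing registers) and a rate spike. The flow records, host names and Modbus function names are constructed for illustration.

```python
"""Baseline-and-deviate anomaly detection over ICS flow records (constructed data)."""
from collections import Counter, defaultdict

WINDOW = 60  # seconds per counting window

# Constructed flow records, not captured traffic: (unix_seconds, src, dst, protocol, function).
# Learning window: routine HMI polling every 5 s plus a short engineering-station download.
BASELINE = [(t, "hmi-1", "plc-3", "modbus", "read_holding_registers") for t in range(0, 3600, 5)]
BASELINE += [(t, "eng-ws", "plc-3", "modbus", "write_multiple_registers") for t in (1200, 1230)]

# Live window: same polling, then an unknown host reading and writing, the HMI writing,
# and a burst of HMI polling at 1 s intervals.
LIVE = [(t, "hmi-1", "plc-3", "modbus", "read_holding_registers") for t in range(7200, 10800, 5)]
LIVE += [(8000 + i, "10.0.5.77", "plc-3", "modbus", "read_holding_registers") for i in range(60)]
LIVE += [(8100, "10.0.5.77", "plc-3", "modbus", "write_multiple_registers")]
LIVE += [(8200, "hmi-1", "plc-3", "modbus", "write_multiple_registers")]
LIVE += [(9000 + i, "hmi-1", "plc-3", "modbus", "read_holding_registers") for i in range(60)]


def per_window_counts(records):
    """Count records per (window, src, dst, protocol, function)."""
    counts = Counter()
    for ts, src, dst, proto, func in records:
        counts[(ts // WINDOW, src, dst, proto, func)] += 1
    return counts


def learn_baseline(records):
    """Map each conversation key (src, dst, protocol, function) to its peak per-window count."""
    peak = defaultdict(int)
    for (_, *key), n in per_window_counts(records).items():
        peak[tuple(key)] = max(peak[tuple(key)], n)
    return dict(peak)


def detect(records, baseline, rate_factor=3):
    """Return alerts as (reason, window_start, key, count); one alert per unknown key."""
    known_peers = {(s, d, p) for s, d, p, _ in baseline}
    alerts, reported = [], set()
    for (win, *key), n in sorted(per_window_counts(records).items()):
        key = tuple(key)
        src, dst, proto, _ = key
        if key not in baseline:
            if key in reported:
                continue
            reported.add(key)
            reason = "new-function" if (src, dst, proto) in known_peers else "new-peer"
            alerts.append((reason, win * WINDOW, key, n))
        elif n > rate_factor * baseline[key]:
            alerts.append(("rate", win * WINDOW, key, n))
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE, learn_baseline(BASELINE)):
        print(alert)
```

The baseline must be learned during a period known to be clean, and re-learned after every sanctioned engineering change, otherwise the first thing the detector whitelists is the attacker's own traffic; in a real deployment the records would come from a network tap or the switch's span port rather than from an inline list.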
Introducing cyber security management into control system operations is a major change and can be overwhelming. Early steps must work towards a solid understanding of context-specific risks and prioritise them. In parallel, basic controls can be introduced which, experience shows, will be part of any security management system.
Competent partners are available on the market to bridge transition periods or to provide services continuously. Don’t be the deer caught in the headlights: start out with small steps and look for skilled partners.
Ragnar Schierholz is Head of Cyber Security at ABB Industrial Automation