Industrial Control Systems and the Threat of Cyber Attack
Mike Farish | July 19, 2016
Hacking and cyber attacks are familiar terms to most people who use a computer in their work or personal life. Many people have suffered the vexations that can be caused by a malicious virus.
But computing power is also essential to the daily operation of much wider critical infrastructure – transport and communication networks, healthcare services and all forms of industry. The systems involved are also increasingly liable to attack, whether for criminal gain, political hostility or malicious vandalism.
Devices and associated communications that constitute Industrial Control Systems (ICS) are particularly susceptible to such attacks. For one thing, unlike office-based systems, which often consist of only a few software programs from a single vendor running on standardized hardware, ICS often comprises multiple types of software and hardware elements. Moreover, they may incorporate both modern and legacy elements – even occasionally operating systems as antiquated as MS-DOS - and similarly both customized and off-the-shelf components.
That characterization of challenges faced by ICS is provided by Andrey Suvorov, head of critical infrastructure protection business development for Kaspersky Lab, the Russian company probably best known for its computer security products for the desktop environment.
Moscow-based Suvorov says that the company identified infrastructure protection as a significant area of activity four years ago and has been working to develop appropriate products and services, some in cooperation with providers of relevant industrial technology and users. In April 2016 Kaspersky launched a package of software and support services which it calls KICS (Kaspersky Industrial CyberSecurity).
But Suvorov emphasises that feedback from industrial companies has made Kaspersky aware of fundamental requirements for any set of products. One requirement is that products must be entirely “passive” in relation to the operations they protect and not interfere with them in any way. He also says protection must be active at all three levels of an ICS: the overall supervisory control and data acquisition (SCADA) software, the networking, and the programmable logic controllers (PLCs) installed on the actual hardware involved. He says that protection at just one or two of those levels is insufficient and indeed potentially dangerously “illusory.”
Suvorov also says that the scale and complexity of ensuring ICS cyber-security mean that the industrial equivalents of the firewall and anti-virus software packages found in personal computing are, by themselves, inadequate.
“We can easily install a solution to provide basic protection such as on a new device in an industrial network or for a new type of communication between two nodes in that network,” he says. But in an ICS environment, there are also “specific issues which are related to the industry, the individual plant and even particular processes at that plant.”
Take, for instance, the hypothetical example of a terminal for offloading oil from a tanker vessel into some other form of storage. This, Suvorov says, illustrates just the sort of scenario in which a cyber attack might take place. For example, an attempt might be made to compromise the control software for a pump in order to produce a disparity between the real and apparent volume of oil offloaded. Kaspersky's research has documented at least a handful of cases where attempts have been made “to use a SCADA environment for industrial fraud.” The goal, therefore, is “not to destroy an IT infrastructure but to exploit deep knowledge of it to steal a physical asset.”
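One defensive response to the fraud scenario described above is a passive reconciliation check that never touches the control loop: it reads the volume the SCADA layer reports as offloaded (integrated from the pump controller's flow-rate telemetry) and compares it with an independent measurement (the rise in level of the receiving tank). The following Python script is an added example, not code from the article or from Kaspersky; the tag names, tank geometry, tolerance band and all sample readings are constructed assumptions.

```python
"""Passive reconciliation of reported vs. independently measured transfer volume.

Constructed example for an oil-offloading terminal: if the pump controller's
reported flow has been tampered with, the volume it implies will drift away
from the volume implied by an independent tank-level sensor. The check only
reads telemetry; it never writes to any controller.
"""
from dataclasses import dataclass


@dataclass
class Sample:
    t_s: int                # seconds since the start of the transfer
    pump_flow_m3_h: float   # flow rate reported by the pump controller (hypothetical tag)
    tank_level_m: float     # level from an independent tank sensor (hypothetical tag)


TANK_AREA_M2 = 500.0         # constructed: cross-section of the receiving tank
TOLERANCE_FRACTION = 0.02    # constructed: 2 % engineering tolerance on transferred volume
MIN_ABS_DIFF_M3 = 5.0        # constructed: ignore tiny gaps early in a transfer


def reported_volume_m3(samples):
    """Integrate the pump's reported flow rate (trapezoidal rule) into a volume."""
    total = 0.0
    for a, b in zip(samples, samples[1:]):
        dt_h = (b.t_s - a.t_s) / 3600.0
        total += (a.pump_flow_m3_h + b.pump_flow_m3_h) / 2.0 * dt_h
    return total


def measured_volume_m3(samples, tank_area_m2=TANK_AREA_M2):
    """Volume received according to the independent level sensor."""
    return (samples[-1].tank_level_m - samples[0].tank_level_m) * tank_area_m2


def reconcile(samples, tank_area_m2=TANK_AREA_M2,
              tol=TOLERANCE_FRACTION, min_abs=MIN_ABS_DIFF_M3):
    """Compare the two volumes; alert when the gap exceeds the tolerance band."""
    reported = reported_volume_m3(samples)
    measured = measured_volume_m3(samples, tank_area_m2)
    diff = reported - measured
    threshold = max(min_abs, tol * max(reported, measured))
    return {
        "reported_m3": round(reported, 2),
        "measured_m3": round(measured, 2),
        "diff_m3": round(diff, 2),
        "threshold_m3": round(threshold, 2),
        "alert": abs(diff) > threshold,
    }


# Constructed sample data: one hour of transfer at a reported 1200 m3/h.
# In the honest run the tank rises 2.4 m (1200 m3 over 500 m2); in the
# tampered run the pump reports the same flow but the tank only rises 2.0 m.
HONEST = [Sample(0, 1200.0, 10.0), Sample(1200, 1200.0, 10.8),
          Sample(2400, 1200.0, 11.6), Sample(3600, 1200.0, 12.4)]
TAMPERED = [Sample(0, 1200.0, 10.0), Sample(1200, 1200.0, 10.67),
            Sample(2400, 1200.0, 11.33), Sample(3600, 1200.0, 12.0)]

if __name__ == "__main__":
    for name, run in (("honest", HONEST), ("tampered", TAMPERED)):
        print(name, reconcile(run))
```

The threshold is the larger of a fixed floor and a fraction of the transferred volume, so meter noise at the start of a transfer does not trigger alerts while a sustained 200 m3 shortfall does. In a real deployment the level sensor would need to be read over a path the pump controller cannot influence, otherwise both readings could be falsified together.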
Nor is there any shortage of real such incidents. One cited by Kaspersky's founder and CEO Eugene Kaspersky was the hacking of a computer system at the port of Antwerp in Belgium. That event allowed the selective unloading of containers that were being used to smuggle illegal narcotics. Criminals, he said in April, certainly do “recognize the power of cyber.” An intriguing point about such criminality, he added, is that unlike a more conventional form of robbery, the victims “may not even be aware of what has happened.”
Another complicating factor is the increasing connectivity of ICS networks to other IT systems that may be external and possibly connected over the Internet, for instance to provide “board level” management information in real time. But, as Suvorov says, such a configuration may compromise the isolation of ICS installations from wider networks. And isolation has generally been a fundamental design criterion.
Moreover, the individual elements that make up ICS installations were “designed without a deep assessment of real threats.” As such almost all current PLCs “have at least a couple of vulnerabilities that can be exploited by attackers.”
In July 2016 Kaspersky released a report on worldwide ICS vulnerabilities based on its own research. Its findings underlined the sheer scale of the potential for mayhem. The research identified 188,019 “host” computing installations around the world that have ICS components. Nearly a third of these (57,417) are in the United States. Some 92% of these installations contain identifiable vulnerabilities, most of which are classified as “medium” risk. A small minority, however, is classed as “critical.”
Perhaps the most unsettling figure to emerge from the research, though, is that vulnerabilities appear to be getting worse not better – over the period 2010-2015 the number of identified ICS vulnerabilities increased from 19 to 189 with human machine interfaces (HMIs) and SCADA systems among the most vulnerable. By far the most consistent factor – in more than 170,000 cases – is “weak Internet connection protocols.”
In response, Kaspersky is opening what it says will be the first in a series of dedicated education and training centers in ICS cyber-security for industrial engineers and managers. This initial Centre of Industrial Security Competences is in Innopolis in the Russian region of Tatarstan, some 40 miles from the local capital Kazan, and is aimed specifically at engineers and managers in the region's oil and gas industries. Indeed, Suvorov says that unless appropriate awareness and training are provided at three distinct levels within a company – business management, general IT and operational technology – security measures will not be effective. As such, one of the Centre’s activities will be a strategy game in which participants can test their response to a cyber attack on a critical infrastructure installation.
Suvorov says that the initiative is not simply about providing training for Kaspersky products but about getting across a more fundamental message: “We have to make the people involved aware that their processes can be remotely accessed and compromised by someone using no more than a keyboard.”
The Centre’s basic product offering will be a three-day training course aimed at educating participants on the full range of threats that a “connected world” can pose to industrial operations.
Some of those threats can be surprising. For example, something as seemingly innocent as the use of social networks by engineering personnel can provide an opportunity for malicious outsiders. Posting a photo of themselves in their work environment that shows display screens, for instance, may reveal to someone with the appropriate technical competence the SCADA software being used and other details that might help them hack into the system from outside.
What is certain is that the threat involved will not go away and will instead continue to evolve. Suvorov identifies two categories of future challenges. The first is “external” and derives from the “new behavior of attackers,” specifically the fact that they are now perceptibly shifting their attacks from financial targets such as banks to industrial operations. The second is “internal” and requires a change in the mindset of organizations so that they recognize the potential of what Suvorov terms “industrial cyber risk” to have real and deleterious consequences.