Computing research: Industrial control systems under attack

The systems controlling our nuclear facilities could be 20 years old and unpatched. What could possibly go wrong? John Leonard and Danny Palmer investigate

In his State of the Union speech on 12 February, US president Barack Obama emphasised the need to strengthen the country's cyber-crime defences.

"We know hackers steal people's identities and infiltrate private emails," he said. "We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

A week prior to Obama's speech, cyber-activists Anonymous claimed to have hacked into the Federal Reserve, while two days before that the lights went out during the Super Bowl, an event that again was claimed by hackers.

Perception gap

Safeguarding vital infrastructure has become an increasingly urgent concern for governments and corporations. The Stuxnet worm, which attacked the Iranian nuclear programme in 2010, revealed just how much damage could be wrought by targeted malware on a USB stick.

More than any other factor, Stuxnet provided a wake-up call, prompting utilities, transport firms, the energy sector and governments to look at vulnerabilities within industrial control systems (ICS) and supervisory control and data acquisition (SCADA) infrastructure - and what they found worried them.

"There are many more vulnerabilities being discovered in SCADA systems: up from 15 in 2010 to 129 in 2011," Martin Lee, security specialist at Symantec, told Computing. "This is probably the result of more research being undertaken in the field, but most importantly it shows that there are a large number of vulnerabilities that may be exploited in SCADA systems."

The presence of any such vulnerabilities in ICS is extremely unwelcome. In October, US defence secretary Leon Panetta painted a chilling picture of what hackers could achieve with the right tools thanks to a lack of infrastructure-based security:

"An aggressor nation or extremist group… could derail passenger trains, or even more dangerous, derail trains loaded with lethal chemicals," he said. "They could contaminate the water supply in major cities or shut down the power grid across large parts of the country."

The motives of attackers are as varied as the list of potential targets.

"We can certainly envisage disruption of SCADA systems as part of conflict, which may or may not be state sponsored," said Lee.

"We can also envisage how financially motivated malware writers may use the disruption (or threat of disruption) to extort money from organisations or to manipulate markets; and how politically motivated hacking collectives may use SCADA vulnerabilities as a means of disrupting operations to further their own agendas."

While nation states do not admit to sponsoring (or turning a blind eye to) hacks originating from within their borders, evidence is building up that some are actively involved. A recent report by US cyber security firm Mandiant suggested that a building used by the Chinese military is home to one of the world's "most prolific cyber espionage groups", responsible for stealing data from at least 141 organisations around the world. And Stuxnet itself is widely believed to be the work of US and Israeli intelligence agencies.

Skills gap

Attacks on ICS can originate from a solitary laptop based anywhere in the world, and no industrialised nation is immune from the threat.

In the UK, a recent report by the National Audit Office (NAO) suggested that much of the country's critical infrastructure is at risk from attack, partially owing to a lack of expertise.

"The UK lacks technical skills and the current pipeline of graduates and practitioners would not meet demand," said the report. "It could take up to 20 years to address the skills gap at all levels of education."

With an ever-increasing threat of major damage to infrastructure, this two-decade-wide skills gap is worrying.

"Looking at the problem from a strategic perspective, what you see are often quite fundamental differences between the way that general corporate IT is deployed and the design, installation and operation of complex ICS," said Hugh Boyes, cybersecurity lead at the Institute of Engineering and Technology.

"For example, in the nuclear industry, the control systems are designed to work for the life of the plant and are subject to stringent safety cases and regulatory control. We therefore have in place technology that is 20-plus years old still being operated and maintained. If you compare that with the corporate desktop environment, with a three to five-year refresh cycle on the hardware, you can see a fundamental difference in approach."

Doron Shikmoni, co-founder of ForeScout Technologies, added: "The requirements for stability, safety and availability are so high that a change - any change - to the underlying software can have a devastating effect.

"For this reason, security measures that are even slightly intrusive - such as traditional host anti-virus, host-based IPS, and so on - are often ruled out."

A lot of planning, co-ordination and expensive downtime is required even for the installation of the most minor patch that requires a reboot. And hot-patching – which eliminates the need for rebooting – is generally considered too risky.

In practical terms, this means that systems tend to remain unpatched, with some experts estimating patching levels as low as 10 per cent to be the norm for SCADA systems. According to Boyes, many vendors actively discourage routine patching because of the risk that a faulty patch could bring the system down.

Air gap

Because of the difficulty in taking SCADA systems offline for patching and maintenance, many rely on “air gaps” to maintain security, with the SCADA network physically separated from the malware-infested internet.

In reality, though, this air gap may be bridged. Some SCADA systems actually ship with internet ports open by default. Others have ports opened during operations, for example as an organisation gets more complex and new connections have to be made to the network.

Holes may also emerge when engineers work on mobile devices that connect to both the internet and to the secure network. Increasingly such devices may have wireless or 3G technologies turned on by default.

“Wireless technologies create a number of security vulnerabilities, both in terms of offering opportunities for unauthorised access and the potential for denial of service,” said Boyes. “The use of wireless technologies is being promoted in a number of areas because it removes the need for expensive cabling and is easier to reconfigure, but the vulnerabilities need to be fully understood.”

One such vulnerability is that targeted malware sitting dormant on the engineer’s device could detect when it is connected to the secure network and then activate itself.

Reliable data on SCADA vulnerabilities and attacks can be hard to come by as companies are reluctant to publish them, but independent researchers are finding an increasing number of vulnerabilities by scanning infrastructure. For example, the search engine Shodan can find SCADA systems with a public IP address and deduce information about the routers, firewalls and so on – many of which turn out to be insecure.

The mere fact that a SCADA system has a public IP address in the first place should ring alarm bells, even before we consider what other sort of information might be revealed by using this simple, publicly available tool. Kits designed to hack SCADA systems are also being traded over the internet.
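The ways an air gap gets bridged in practice, as described above (internet-facing ports left open, engineering devices attached to both the plant network and the corporate LAN, wireless or 3G radios enabled), can be checked against an asset inventory before an outside scanner finds them. The script below is an added example, not code from the article or from any vendor it quotes. The OT and corporate address ranges, the host inventory, the finding codes and the routability rule are all constructed assumptions for illustration; a real audit would read the inventory from the site's asset register.

```python
"""Audit a constructed ICS asset inventory for common air-gap breaches.

Flags three conditions the article describes:
  PUBLIC_ADDRESS    an interface carries a publicly routable address
  EXPOSED_SERVICE   such an interface also has services listening
  DUAL_HOMED        a host touches both the OT network and another network
  WIRELESS_ON_OT    an OT-connected device has a wireless/cellular radio enabled
All address ranges and hosts below are constructed sample data (assumptions).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed site layout: plant (OT) network and corporate LAN ranges.
OT_NETWORKS = [ip_network("10.10.0.0/16")]
CORPORATE_NETWORKS = [ip_network("192.168.0.0/16")]

# Ranges we treat as not reachable from the internet. Anything outside these
# is considered publicly routable for the purpose of this audit.
NON_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


@dataclass
class Host:
    name: str
    interfaces: dict                      # interface name -> IP address string
    wireless_enabled: bool = False        # Wi-Fi or 3G radio switched on
    listening_ports: list = field(default_factory=list)


def is_publicly_routable(addr: str) -> bool:
    ip = ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def zone_of(addr: str) -> str:
    """Classify an address as 'ot', 'corporate', 'internet' or 'unknown'.
    OT is checked first because the assumed OT range sits inside 10/8."""
    ip = ip_address(addr)
    if any(ip in net for net in OT_NETWORKS):
        return "ot"
    if any(ip in net for net in CORPORATE_NETWORKS):
        return "corporate"
    if is_publicly_routable(addr):
        return "internet"
    return "unknown"


def audit_host(host: Host) -> list:
    """Return a list of (host name, finding code, detail) tuples."""
    findings = []
    zones = {iface: zone_of(addr) for iface, addr in host.interfaces.items()}
    touches_ot = "ot" in zones.values()

    for iface, zone in zones.items():
        if zone == "internet":
            findings.append((host.name, "PUBLIC_ADDRESS",
                             f"{iface} has publicly routable address {host.interfaces[iface]}"))
            if host.listening_ports:
                ports = ", ".join(str(p) for p in host.listening_ports)
                findings.append((host.name, "EXPOSED_SERVICE",
                                 f"ports {ports} listening on internet-facing {iface}"))

    other_zones = sorted(set(zones.values()) - {"ot"})
    if touches_ot and other_zones:
        findings.append((host.name, "DUAL_HOMED",
                         f"bridges OT and {', '.join(other_zones)}"))

    if touches_ot and host.wireless_enabled:
        findings.append((host.name, "WIRELESS_ON_OT",
                         "wireless/3G radio enabled on an OT-connected device"))
    return findings


def audit_inventory(hosts: list) -> list:
    return [finding for host in hosts for finding in audit_host(host)]


# Constructed inventory. 203.0.113.45 (a documentation range) stands in for a
# real public address; our routability rule above treats it as public.
SAMPLE_INVENTORY = [
    Host("plc-pump-01", {"eth0": "10.10.4.21"}),
    Host("hmi-station-02", {"eth0": "10.10.4.50", "eth1": "192.168.20.17"}),
    Host("rtu-substation-07", {"eth0": "203.0.113.45"}, listening_ports=[502, 23]),
    Host("engineer-laptop", {"eth0": "10.10.9.3", "wlan0": "192.168.50.8"},
         wireless_enabled=True),
    Host("office-pc-14", {"eth0": "192.168.20.99"}, wireless_enabled=True),
]

if __name__ == "__main__":
    for name, code, detail in audit_inventory(SAMPLE_INVENTORY):
        print(f"{name:20} {code:16} {detail}")
```

Run against the sample inventory, the isolated PLC and the office PC produce no findings; the HMI and the engineer's laptop are reported as dual-homed, the laptop additionally for its enabled radio, and the substation RTU for its public address and the services listening on it. The useful output is the dual-homed and radio findings, since those are the bridges an external scan such as Shodan would never reveal but an insider-view audit will.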

While industrial systems are becoming increasingly automated, they may not be covered by a holistic risk management strategy. A Computing survey of large corporate organisations found that in more than a third of cases, risk management policy was to some extent fragmented (figure 1).

Figure 1. Base: 104 IT decision makers in large corporate organisations

“We are just seeing the beginning of cyberwarfare,” said Shikmoni. “It’s going to get much more intense. We are going to see more and more attacks on control systems – because they’re there, and because the ‘return’ on a critical infrastructure attack can be enormous. ICS/SCADA security managers need to increase their focus on security and devise an effective, layered approach to defend their systems.”

Why not join our panel of experts on 13 March at 11am when we will be discussing issues of operational risk and attacks on SCADA systems? Register for free for our live web seminar: The new frontier: managing operational risk