Fighting the Fight

Cyber attacks on industrial control systems are increasing. What can you do?

IN JANUARY this year a team from Schneider Electric, which sells industrial control systems, presented an analysis of a cyber attack that exploited a previously unknown vulnerability in the firmware of its Triconex Tricon safety system.

The attackers targeted one of Schneider’s customer’s industrial plants and were able to compromise operator workstations and the devices in their safety systems and install a remote access trojan (RAT). This gave them easy access to the system at any time, which they could then use to make changes to safety settings and operating limits.

By gaining this remote control the attackers could compromise the system and cause systematic widespread failures, including the disabling of the plant safety systems. However, while they were conducting a reconnaissance of the systems they accidentally triggered the emergency shutdown procedures. The investigation into why the plant shut down then led to the discovery of the attack, now known as “Triton”.

In this case the attackers were looking to develop the skills and tools that would allow them to compromise these kinds of systems. Their motives might be to extract money from the plant owners, if they were an organised crime gang, or to cause disruption and unrest for political reasons if they were a nation  state, as was the case for the Black Energy attacks in Ukraine.

The example of the Buncefield explosion at an oil storage terminal in December 2005 in the UK, which was caused by the failure of two safety systems, shows the potential impact these kinds of attacks could have. That explosion caused damage estimated at £1bn and displaced major organisations from their premises for many months.

Post mortem

Even though the Triton attack failed, we can be sure that the attackers will not have given up. They will have conducted a post-mortem into what went wrong for them this time, fixed the problem and they will have found another target to attack and use to develop their skills further. The reality is that there is now a growing list of attacks on industrial control systems (ICS)/SCADA systems, and that should worry anyone running operational technology systems within their organisation.

If that’s you, you should be asking three key questions:

• who owns the systems the attackers hope to infiltrate next time?
• what will the attackers do once they have perfected their capabilities?
• are your systems at risk once the attackers have acquired these new skills?

It is important to recognise that while this attack compromised a specific type of controller from one manufacturer, the attacks on ICS/SCADA to date have been on a range of products from different suppliers. It would be wrong to assume that just because other products have yet to be compromised, they will not be in the future. Software and control system infrastructures are highly complex and the probability of a vulnerability existing is higher than many people think. Every one of the manufacturers of the products that have been compromised did not realise they had a problem until they found out the hard way.

Every one of the manufacturers of the products that have been compromised did not realise they had a problem until they found out the hard way

A key problem with ICS/SCADA systems is that they were originally designed to be isolated from external systems and were not designed with cyber security in mind. Cyber security risks have then been created by senior management focussing on doing things faster, better, cheaper. As a result we now often have ICS/SCADA systems connected to the enterprise systems that manage performance and resource planning. These connections then allow remote access over the internet for third-party suppliers and support functions, creating further vulnerabilities. That also means that attackers have the potential to discover your systems using tools such as SHODAN and Autosploit.

Once the attackers find out about the systems they can look for ways to infiltrate and compromise them, and many of them have very advanced capability in these areas. UK government assessments have found that organised crime gangs are only four or five years behind the ability of the advanced nation state cyber operations.

High impact

Attackers acting on behalf of nation states have their own obvious agendas and many are not afraid to conduct overt operations that can be easily traced back to them. They know that disrupting critical national infrastructure is an easy way to cause widespread unrest and dissatisfaction among the population. Equally, they can cause major economic damage by attacking high impact targets.

As businesses connected control systems to IT networks, PCs with dual network cards to effect separation were commonplace, but were a weak solution. Thankfully, much more robust solutions are available for implementing connections to the top levels of control systems. However even now, level 0 and 1 devices (ie the plant level sensors, transmitters and actuators) do not have the capability to operate securely. While there is an ISA working group looking at the issue at the moment, it is clear that more needs to be done to improve the security of these systems.

What can you do?

Given these growing threats, the question that plant operators need to be asking is how they can identify just what kind of risks they face, and then work out the most cost-effective way to manage those risks? There isn’t a one-size-fits-all answer because the technologies, processes and various chemicals and compounds in use vary so widely from one plant to another. However, the first step is to accept that there is a heightened degree of risk. Organisations also need to recognise that there are increasing legislative changes coming into effect around the world that require them to actively manage the cyber risks to their ICS/SCADA assets.

One example of this is the UK’s updating of the scope of the Control of Major Accident Hazards (COMAH) regulations to include these requirements for dutyholders to include management of cyber security risks for the first time. These changes are aligned with the new guidance contained in the updated IEC61511¹ and the forthcoming Network and Information Systems Directive.

The next step is to focus on risk identification and management, taking into account the specialist nature of the ICS/SCADA infrastructure. There is a range of guidance available to support this work, including work PA has done, published by the UK National Cyber Security Centre, on the security of ICS²   which outlines good practice in an eight-point guide:

• establish ongoing governance
• manage the business risk
• manage industrial control systems lifecycle
• improve awareness and skills
• select and implement security improvements
• manage vulnerabilities
• manage third-party risks
• establish response capabilities

The first of these actions is crucial. Unless your organisation has an effective and intelligent governance function to manage and understand risks and threats, the other activity will not happen. It is the governance team which provides support, justification and budget for the other seven steps in the process.

That governance should be underpinned by a recognition that compliance does not necessarily equal security. There is a real danger of creating a false sense of security from simply conducting a tick-box exercise without an intelligent and context-based assessment of the threats, risks and impacts that apply to each organisation and to each location owned and operated by it.

That work needs to be supported by using a proven approach to conducting ICS/SCADA health checks. This should provide an intelligent analysis of the threats based on the context and be carried out by a mixture of ICS and risk experts. Those risk experts should also have their own background of working in ICS/SCADA over many years so that they understand the issues, know the right questions to ask and can follow up with additional focussed questions to help them identify the aspects that are unique to each operation.

The unique qualities of an organisation will not just be about the technology. They extend to the people and processes relating to ICS/SCADA. Risks and vulnerabilities can be found as much in these factors as in the technology, and the appropriate security controls will need to be focussed on a combination of all three.

It is also vital to review the high-level security architecture and identify any changes that need to be made in the way the overall network is designed and built. Our experience working in a range of sectors has shown us that some simple changes can provide a significant reduction in risk. These include:

• use specialist protective monitoring tools and techniques to understand process data flows and look for suspicious activity
• select and use industrial firewalls to defend against out-of-range changes to settings
• engage specialists in security reviews of ICS/SCADA systems to review the security architecture
• run additional awareness and training sessions for the operators and process engineers to make them aware of the risks and threats
• ensure that senior management are aware of the risks and the capability of attackers so that they have an accurate understanding and can re-evaluate their risk appetite and the resources required to manage risk effectively

A further complication in this work is that the increasing availability of Internet of Things (IoT) devices and their deployment in plants brings many security risks that have yet to be properly evaluated. Before looking to deploy them in your environment, the risks they bring must be considered along with the advantages. Many of these devices do not have any real security capability and they are often very easy to compromise. That means taking a long, hard look at your risk appetite, considering the potential for bad as well as good, and then getting some advice from experts who know how to build ICS/SCADA/IoT infrastructures that manage risks in a way that’s aligned to your business and plant operations and can demonstrate value for money.

As the Triton attack showed, the risks are not going to go away. The battle to defend control systems from attackers will be an ongoing one and needs to be, and remain, at the top of the business agenda.

References

1. IEC61511: Functional safety - Safety instrumented systems for the process industry sector

2. https://www.ncsc.gov.uk/guidance-security-industrial-control-systems