The United States has not been the victim of a paralyzing cyber-attack on critical infrastructure like the one that occurred in the Ukraine in 2015. That attack disabled the Ukrainian power grid, leaving more than 700,000 people helpless.
But the United States has had its share of smaller attacks against critical infrastructure. Most of these attacks targeted industrial control systems (ICS) and the engineering personnel who have privileged access.
As early as last year, a U.S. government cybersecurity official at the S4 conference in Miami warned that authorities have seen an increase in attacks that penetrate industrial control system networks. The threat is real.
What are industrial control systems?
ICS includes several types of systems and associated instrumentation to monitor and control industrial processes. They range from simple panel-mounted controllers to large, distributed control systems with thousands of field connections. These systems receive data from remote sensors to make decisions about what command function to apply to control operational technology.
ICS can be a controller that tells a valve when to open or close. It can also control the distribution of power in an energy grid. These systems are used extensively in chemical processing, pulp and paper manufacturing, power generation, oil and gas processing and telecommunications. All are part of our critical infrastructure.
What are the risks?
At one time, ICS was thought to be impervious to cyber-attacks because the computers used to operate them did not access the internet and were separate from the corporate network.
This is no longer true. Systems and network administrators, third-party vendors, industrial system developers and integrators have different levels of internet access and ICS management access. And they have unwittingly created a way in for attackers. For example, an infected laptop can be brought in by a contractor, connect to the network and spread to the controlled ICS environment.
Even worse, the growing prevalence of IoT-connected industrial devices has dramatically increased the ICS attack surface. This was illustrated in a study known as Project SHINE (SHodan INtelligence Extraction). Based on intelligence gathered from the SHODAN search engine between April 2012 and January 2014, the study found over one million ICS devices were remotely accessible on the internet.
The connectivity and integration of traditional information technology with operational technology – IT/OT convergence – is increasing exponentially. The IoT and IT/OT convergence is accelerated by the speed of business and the implementation of AI to drive decisions in ICS environments. In addition, more ICS devices are running commercial operating systems, exposing ICS systems to a wider swath of known vulnerabilities.
There are three categories of documented attacks against critical infrastructure.
- Intentional targeted attacks, such as gaining unauthorized access to computers inside the network, performing a denial-of-service attacks or spoofing.
- Unintentional consequences or collateral damage from worms, viruses or control system failures.
- Unintentional consequences caused by internal personnel or mechanisms. This includes the testing of inappropriate software on operational systems or unauthorized system configuration changes.
Intentional targeted attacks present the greatest risk because a threat actor intends to steal information (e.g., attack on Target via their HVAC contractor) or cause damage (e.g., German steel manufacturer).
An intentional targeted attack requires detailed knowledge of the control system and supporting infrastructure. Unintentional consequences are however more common and are equally important to detect and stop. Unintended behaviors, such as those by operators doing routine work, can introduce risks, making them equally important to monitor.
ICS automation, process control, access control devices, system accounts, and asset information have tremendous value to cyber attackers. The ever-widening attack surface gives them many ways to access an ICS environment.
Attacks against high-value ICS targets are often part of a larger attack campaign perpetrated by skilled cyber criminals. These campaigns typically include the most common phases in an attack lifecycle, including:
- Establishing a foothold inside organizations
- Internal reconnaissance to find critical management systems
- Compromise of administrative systems and accounts to move laterally
- Remotely controlling the attack using hidden tunnels
Attack campaigns can happen over the course of months and they require security analysts to perform a significant amount of data analysis, correlation and research to identify threats and evidence of a cyber-attack.
Examples of attacks on critical infrastructure
Malware targets European energy company – In June 2016, malware – was discovered on the network of an European energy company that created a backdoor on targeted industrial control systems. The backdoor delivered a payload that was used to extract data from, or potentially shut down, the energy grid.
The Windows-based malware was designed to bypass traditional antivirus software and network firewalls, and there was a lack of internal network monitoring to detect the attacker behaviors after the infection occurred.
New York dam attack – In March 2016, the U.S. Justice Department claimed that Iran had attacked U.S. infrastructure by infiltrating the industrial controls of a dam in Rye Brook, N.Y. The attackers compromised the dam’s command-and-control system over a dial-up connection.
This is one of the first major attempts by a foreign government entity to commandeer U.S. critical infrastructure. Although the attack happened in 2013, it wasn’t reported or attributed until 2016. There was a lack of internal network visibility to detect the attack behaviors.
Ukraine power outage – In December 2015, a Ukrainian power company experienced an outage that impacted a large area, including the regional capital of Ivano-Frankivsk. Cyber attackers caused the outage by using malware to exploit the macros in Microsoft Excel documents. The initial intrusion occurred via spear phishing emails and the attackers continued undetected inside the network.
These attacks succeeded because there was a lack of situational awareness by employees and management. This is not surprising, given the increased use of automation and internet connectivity within the industrial control systems.
What can I do about ICS attacks?
In the latest 2017 SANS survey on Securing Industrial Control Systems, four out of 10 practitioners said they lack visibility into their networks. This lack of visibility is one of the primary impediments to securing ICS systems. Security teams need full knowledge of connected and interconnected assets, configurations, and the integrity of communications to successfully protect critical infrastructure.
This might be why 44% of respondents consider the top threat to their ICS to be adding to the network devices that can’t protect themselves. This was followed by accidental internal threats (43%), external threats from hacktivists or nation-states (40%) and ransomware (35%).
Manually monitoring network devices and system administrators presents a challenge to resource-constrained organizations who cannot hire a large security team. Large teams of security analysts must perform the manual analysis required to identify attacks or unapproved behaviors within an ICS-regulated environment.
It is crucial to have visibility inside the network that can adapt to the dynamics of growth and change. Organizations also need technology that automates the real-time analysis of communication, devices, administrators, and human behaviors on a converged network to detect intentional attacks or unintentional consequences.