How to keep Industrial Control Systems safe from cyber attacks
Increasingly sophisticated cyber criminals have exposed vulnerabilities in Industrial Control Systems (ICS) and are continuing to target these systems for commercial gain, terrorist aims or mischievous sabotage. In 2015, facility managers must look to further protect their Supervisory Control and Data Acquisition (SCADA) and ICS from these knowledgeable, well-funded cyber criminals.
A well-known example of an attack came from the Stuxnet computer worm, which was discovered in June 2010. Stuxnet first exposed the vulnerability of ICS by showing how a combination of social engineering, applications, file types and vulnerabilities, for both Windows and ICS software, could be exploited to compromise an industrial control process.
The more recent cyber espionage operation, Energetic Bear, raised the bar in its use of Trojan horse malware residing in ICS software installers. It uses the commonly deployed ICS protocols such as Object Linking and Embedding (OLE) for Process Control to access target systems and conduct industrial espionage. These attacks carry a risk of catastrophic consequences that can include anything from system failure to equipment damage and worker injury or even death. Therefore, understanding these advanced threats and how to mitigate them is very important for Australian facility managers.
Why SCADA and ICS are so vulnerable
Because SCADA and ICS are both widely used in facility management, they present an attractive target for attackers. Monitoring and control tasks, from temperature and humidity to airflow and uninterruptible power supplies, offer opportunities for sabotage. It is also important to note that SCADA cyber threats can also result from unintentional incidents, which have just as much impact on service disruption as malicious events.
As businesses have become savvier regarding external, internet-based attacks, many have neglected to protect against risks presented by these internal networks. Attackers have realised that they can use weak links such as SCADA and ICS to access an organisation’s valuable data sources. Many SCADA systems are managed by ageing Windows servers and desktops, such as Windows XP, that cannot be upgraded because the control software is not compatible with newer versions of Windows, or the upgrade cost is prohibitive. Protecting these systems is difficult, leaving organisations in a precarious position.
To avoid becoming vulnerable, businesses must implement the right protection measures. The first step is to understand why businesses are now more vulnerable to cyber attacks than in the past. There are a number of reasons for this.
One reason is that commonly used industrial protocols and tools (such as Modbus) were not originally designed with security in mind, so they lack even basic authentication features. Industrial networks were never designed to account for potential intrusions, so they have no inbuilt protection. Additionally, there are numerous unpatched and unpatchable systems still in use. The cost of upgrading or replacing these systems is untenable, so they remain in place.
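To make the Modbus point concrete, here is an added example (not from the original article or from Palo Alto Networks) that parses Modbus/TCP request frames and flags write operations from hosts outside an allow-list. The frame layout follows the public Modbus/TCP specification; the IP addresses and frames are constructed sample data, and the allow-list check is a hypothetical compensating control that stands in for the authentication the protocol itself does not provide.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change PLC state (writes), per the public spec:
# 5 = write single coil, 6 = write single register,
# 15 = write multiple coils, 16 = write multiple registers.
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes


def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then the PDU.
    Nothing in the header identifies or authenticates the sender: any host
    that can reach the PLC on TCP/502 can issue a write."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src_ip, tid, unit, frame[7], frame[8:])


def check_write_policy(req: ModbusRequest, allowed_masters) -> Optional[str]:
    """Return an alert when a write comes from a host outside the allow-list
    (hypothetical compensating control, enforced outside the protocol)."""
    if req.function in WRITE_FUNCTIONS and req.src_ip not in allowed_masters:
        return (f"ALERT: write fc={req.function} unit={req.unit_id} "
                f"from unapproved master {req.src_ip}")
    return None


# Constructed sample traffic (hypothetical addresses), not captured data.
SAMPLE_FRAMES = [
    ("10.0.1.10", bytes.fromhex("0001000000060103000A0002")),  # read holding regs
    ("10.0.1.10", bytes.fromhex("00020000000601060010FF00")),  # write from the HMI
    ("10.0.9.77", bytes.fromhex("000300000006010600100000")),  # write from a stranger
]


def scan(frames, allowed_masters=frozenset({"10.0.1.10"})) -> list:
    """Run every frame through the parser and policy check; return alerts."""
    alerts = []
    for src, frame in frames:
        alert = check_write_policy(parse_modbus_tcp(src, frame), allowed_masters)
        if alert:
            alerts.append(alert)
    return alerts
```

Running `scan(SAMPLE_FRAMES)` yields one alert, for the write from 10.0.9.77; the identical write from the approved HMI passes, which is exactly why the allow-list must live in the network layer rather than in Modbus.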
Further, new technologies such as mobile computing, smart metering and the slow-but-inevitable evolution towards IP (internet protocol)-based access expose operational networks more and more to cyber attacks. These systems were not previously protected because they were not as highly connected as they are now. These factors make it critical that Australian businesses invest to protect their data, employees and operations. Without appropriate security measures in place, the entire system could be affected.
How businesses can protect themselves against cyber attacks
To mitigate the business risks associated with an attack, asset owners need to control network access, block threats and reduce the downtime caused by such incidents. Businesses should deploy a system that will control network traffic and threat prevention, centrally managing the protection of key infrastructure from cyber threats and ensuring network availability for continued operations.
There are five key ways to protect SCADA and ICS networks:
1. Use advanced cyber protection. Measures such as next-generation firewalls work to protect assets and create microsegments across the organisation, which increase visibility to decrease the threat of attacks.
2. Secure access to the SCADA zone. Processes should be put in place to tie security policies with user identities to ensure non-authorised users are denied access. Systems such as a Secure Sockets Layer Virtual Private Network (SSL VPN) can achieve this.
3. Eliminate the risk of having to manage multiple ports. Ensure multiple ports are protected by one firewall.
4. Deploy a complete vulnerability protection framework. An overarching framework will inspect all traffic traversing the SCADA zone for exploits, malware, botnet and targeted threats.
5. Ensure protection from unsupported operating systems. A next-generation firewall can detect and defend against Windows XP and SCADA application-specific attacks across the network, so that organisations running SCADA environments have ongoing protection despite Microsoft’s withdrawal of support for Windows XP.
Additional security measures and processes
It is important to note that network segmentation can be an effective method to reduce the exposure of, and the risks to, SCADA and ICS networks, but only if it is deployed with the right cyber security technologies in place. In addition, organisations should establish ongoing risk-management procedures, routine self-assessments, and periodic security audits and reviews. These measures deliver the best opportunity to protect valuable operations systems.
Once these strategies are implemented, it is also essential to communicate with employees to ensure they are well-aware of cyber threats, their impacts and what employees can do to help protect the business. Management should also implement IT policies and configurations across both enterprise and control networks. There are additional actions that can be put in place:
- logging and reporting incidents and potential threats
- using and understanding security software
- using software to aggregate logs from all sites to a central point to gain holistic insights into network usage and security incidents, and
- using software to facilitate documentation and completing regular cyber audits.
Palo Alto Networks has identified three additional key security trends for 2015 that organisations should look out for:
1. Projects to virtualise operational technology (OT) data centres
This year will see more OT used even in critical infrastructure environments such as utilities and transportation. Many organisations segment their operational data centre away from other networks/zones within the control centre. The emergence of virtualised environments means security architects must consider the traffic between virtual machines – the so-called east-west traffic. 2015 is likely to be the year SCADA and ICS businesses realise the importance of maintaining security for virtualised environments.
2. Growing use of mobility for human-machine interface (HMI) and big data applications
Mobility solutions are gaining traction in manufacturing and utilities industries. While there are some valid security risks, mobility offers benefits in terms of providing on-demand access to important information and it can let users apply controls anywhere, anytime. It is only a matter of time before these technologies become widely used.
3. The emergence of general purpose ICS exploit kits with programming capabilities
Attacks such as the computer worm Stuxnet and the Energetic Bear operation have shown there is a need for a specific ICS and SCADA exploit kit that can be used to control processes, essentially lowering the hurdle for cyber-physical attacks. Such a kit may be used by actors to successfully manipulate an industrial process. As usual, the attack will rely on social engineering techniques and zero-day exploits to be successful. Businesses will need to implement the right cyber security to combat this.
Ultimately, the security team should also apply a life cycle approach to threat prevention that controls attack vectors before having to block known and zero-day threats.
As cyber attacks on SCADA and ICS systems become even more targeted, sophisticated and persistent, businesses must invest more time and resources to implement the right countermeasures to guarantee maximum protection of critical infrastructure. Understanding where the threats come from and how to effectively mitigate or respond to them is no longer optional. Businesses that fail to protect their SCADA and ICS systems risk catastrophic ramifications. Putting appropriate threat intelligence and risk prevention measures in place is vital.
Gavin Coulthard is the manager – systems engineering, Australia/New Zealand of Palo Alto Networks.