While data, particularly financial data, are the most common prey for hackers, there’s a growing concern about a more vulnerable target. Hackers are increasingly taking aim at industrial control systems (ICS), which are technologies and networks used to operate manufacturing, power generation or other machinery — together with the supervisory control and data acquisition systems (SCADA) and networks that oversee ICS.
ICSs were hit with 198 cyber-attacks in 2012, and the numbers are increasing this year, according to the Department of Homeland Security (DHS). The agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) found that 53 percent of this year’s attacks have been on energy companies. Water utilities are the next most popular target, followed by the critical manufacturing sector, which covers the production of primary metals; machinery and electrical equipment; and vehicles, railroads, and aircraft.
ICS hackers aren’t seeking cash or data. They are attempting to remotely access control systems for the purpose of causing damage to machinery and injury to workers, or taking whole systems such as power grids and water offline.
Not long ago, security for ICS and SCADA was felt to be unnecessary. Many of these systems weren’t connected to the Internet, so virtual break-ins were impossible. Today, remote administration has given hackers, who typically find the ICS and SCADA systems via simple Google searches, an “in” into these control systems. The most worrisome aspect of this is what little has been done to prevent cyber-attacks even in the most heavily targeted industries.
“The electric industry has done very little to secure their systems…even into nuclear,” Joe Weiss, managing partner of Applied Control Solutions LLC, told IMT. “They’ve done a great job with compliance and checking a box, but they are not securing their systems.”
Weiss is currently working with what he believes is the only utility in the U.S. that has become a test bed for ICS security systems. He notes that given the difficulty in getting large ICS interests to secure their systems, most small organizations have literally no protection.
“There was a hack on a water company in Illinois a few years ago,” said Weiss. “People kept saying, ‘Who would want to hack a small water system in Missouri?’ The truth is that the small utilities are connected to the big ones. They are a trusted back door into the large utilities. It’s a mistake to assume that the big guys are the only target.”
Weiss said this problem is compounded by the lack of forensic IT audits that can positively identify a problem as a cyber-attack. To date, there have been four major cyber-related electric outages in the U.S. that have yet to be formally identified as cyber-attacks, he said.
While U.S.-based hackers bear some responsibility, most attacks come from abroad. A research paper by Trend Micro Inc. that tracked ICS attacks found that 35 percent originated in China, followed by 19 percent in the U.S., and 17 percent in Laos. Attacks originating in the UK and Russia were also common. Disturbingly, these attacks show a pattern of repeat attempts rather than what’s known as “drive-by” attacks.
The majority of attempts involved hackers trying to sabotage industrial equipment by modifying fan settings on the CPUs used to monitor and control the equipment, Trend Micro reported. While attacks by sophisticated state-sponsored hackers get the lion’s share of press, many attacks are perpetrated by individuals or unsophisticated groups seeking to cause chaos, make money, or gain attention for political causes.
Experts say most SCADA systems are still too vulnerable. Last year, a test by security firms found nearly 50 vulnerabilities in SCADA products, many of which have yet to be corrected. Security vendors often apply equipment designed for IT systems to ICS devices, a practice that is not only ineffective, but also could be harmful.
“The discrepancy between IT and OT [operational technology] cyber security has multiple reasons,” Earl Eiland, senior ICS cyber security engineer for TÜV SÜD America, told IMT. “A major contributor is the difference in the useful lives and duty cycles of the equipment. IT equipment may have to be replaced after five years or so and can be taken offline virtually at will for upgrades. OT equipment may have a 20+ year useful life and may be difficult to take out of service for upgrades. Indeed, it may not even be possible to add cyber security to a 15-year-old ICS device.”
Eiland adds that robust encryption takes considerable computing horsepower, something that may be in short supply in an OT device. In such systems, encryption would cause delays, slowing down the device’s response time. In time-critical operations, such as an emergency shutdown, the delay could result in property damage, injury, or even death.
At a minimum, companies should take steps to build in what’s called the “Three Rs” of ICS security, said Eiland. The first is “resistance,” or making it difficult for hackers to access services and assets. The second is “resilience,” which means ensuring that if the system is attacked, perpetrators cannot cause damage. Finally, there is “recoverability,” or ensuring that if harm does occur, normal operations can be restored quickly.
There is little evidence that ICS operators are heeding the warnings, even if they are aware of the risks. While the Obama administration has made some efforts to build policy for national cyber security, many say it hasn’t gone far enough and that cyber-attacks on critical equipment will become more common. Real action will be taken only when major and irreversible harm to the nation occurs, some say.