Like water flowing downhill, attackers will take the path of least resistance to compromise a system. Old technology that doesn’t learn new tricks is a prime target.
The ACM published an article in the Communications of the ACM by Keith Kirkpatrick which delves into security issues with SCADA systems.
Read on about SCADA systems and the security implications of old technology.
What are SCADA Systems?
SCADA stands for Supervisory Control and Data Acquisition Systems. SCADA is at the heart of many industrial operations and utilities. They are often overlooked as we tend to take the amazing infrastructure systems we have for granted.
There are several reasons why SCADA Systems are a prime target:
- Simple Design – they were not architected for complexity and security
- Air Gapped – they were initially designed to be air gapped systems (meaning not connected to an outside computer network i.e. Internet). When SCADA Systems were modernized they were network connected but designed to be air gapped.
- Thin Protocols – lacked the complexity of handling security in modern systems.
These characteristics make them weak and relatively insecure. They are soft targets with a big payoff. So what kind of things can happen if they are compromised?
Large Attack Surface and Big Payoffs
When the prize for something is so big and the risk one takes getting caught is minimal, you can be assured there will be attacks.
Because SCADA systems are designed to connect and control a huge amount of industrial equipment, malevolent actors see significant value to infiltrating or controlling these systems and the operational technology networks through which they send and receive data.Keith Kirkpatrick – Communications of the ACM – Oct 2019
Here are a few big and recent incidents involving an attack on SCADA systems:
Perhaps the most powerful attack on SCADA systems is also the most well researched – Stuxnet. Malware attributable to a joint operation between the United States and Israel was used to sabotage a nuclear facility in Iran. It is widely considered that this prevented a war.
BlackEnergy was a Trojan Horse virus used by Russian attackers to infect Ukrainian power plants. It was a massive DDoS attack using a sophisticated root kit. This is by some considered the first time a nation state has deployed a cyber attack to conduct war.
Similar to BlackEnergy, malware known as “Crash Override” was deployed by Russian attackers once again targeting Ukraine. Attackers struck an electrical transmission stations in Kiev causing a short blackout.
In 2017 the Triton malware was launched against a petrochemical plant in Saudi Arabia. It is thought this was done by Iran as retribution for Stuxnet. Both nations are competing for regional dominance.
Nation State Actors and Ransomeware
Perhaps the most dangerous scenario is that bad actors, likely cyber teams from or working on behalf of foreign governments, could plant malware that lies dormant in a power plant, electrical distribution grid, or a municipal water supply plant, so it may be used as a point of leverage at a future date.Keith Kirkpatrick – Communications of the ACM – Oct 2019
Sometimes the intent is physical damage, others gaining intelligence, and others to annoy and frustrate and intimidate. Ransomeware is used as extortion. In the above examples, the Countries involved are well known; however, attacks by Nation-State actors bring with them the problem of attribution i.e. who really was behind the attack?
Humans are the Weakest Link
If SCADA systems are the weakest link in modern computer systems then humans are the weakest link to getting access to them. Social engineering is widely effective as it manipulates the human – not an encryption algorithm.
Social engineering leads into an attack mechanism that uses organizations insiders. This insider threat is one most places ignore. The Stuxnet attack was brought into the Iranian nuclear facility on a USB drive by a human. For all their security in the desert the weak link was found and exploited.
Sober Risk Assessment
Organizations need to conduct risk assessments of their resources (infrastructure, data, etc.) that adequately prepares them for when disaster strikes.
Someone will get in…it’s about identifying when it happens and being able to respond to it and basically remediate as quickly as possible. But the cost to implement the security, in a lot of cases, is greater than the immediate cost to recover from an attackMike Trojecky – Communications of the ACM – Oct 2019
There are 2 conceptual ways to look at securing computer systems: protect and detect. Protect is the typical end point protection we all know e.g. AV. It is like locking your doors. Detection is the dog in your house which alerts you of an intruder. You need both as a layer security solution to maximize your safety.
When it comes to attacks and breaches, organizations don’t look long term or at corporate espionage. As long as the cost of security is greater than the cost to recover from attack then nothing will change.
NIST has published a Framework for Improving Critical Infrastructure Cybersecurity. It would be wise if we followed their guidelines to prevent future attacks.
Lastly, I want to take a moment to mention my favorite InfoSec podcast – Darknet Diaries. If you like hearing well told stories about real exploits, breaches, and cyber attacks you will love this podcast. To point out a few relevant to this post I recommend you check out:
- Stuxnet – also check out Countdown to Zero Day by Kim Zetter
If you liked this post then you might also like my recent post about The Fake News of Big Data
Do you care about InfoSec and Privacy? Then YOU need to use a VPN.