Five Key Lessons from Attacks on Industrial Control Systems


Attacks on Industrial Control Systems are becoming more frequent, but they are nothing new.

Imagine it is 1903, and you are standing in front of a large hotel on a remote stretch of coast at Poldhu, Cornwall, England. Despite the tall antenna next to the hotel, occasionally hoisted higher by a large kite, you might not realize that you are at the site of a historic wireless telegraph transmission, or at the unhappy scene of the first recorded attack on a wireless network. Guglielmo Marconi, the Italian credited as the inventor of radio and the father of wireless transmission, was preparing to send a wireless telegram from here to the Royal Institution in London, some 300 miles away. Before the scheduled message arrived, the receiving apparatus in London began tapping out Morse code from another, stronger transmitter:

“Rats… Rats… Rats… Rats.”

Insulting verses aimed at Marconi soon followed. It turned out that Nevil Maskelyne, a British stage magician and wireless enthusiast who had been employed by a wired telegraph company with an interest in discrediting Marconi, had sabotaged the demonstration to prove that open wireless communication was not the "safe and private" channel Marconi claimed.

The U.S. Department of Energy's report "History of Industrial Control System Cyber Incidents" lists this as one of the earliest recorded attacks on Industrial Control Systems (ICS). Although wireless telegraphy had not yet been fully "industrialized" at the time, the incident already illustrated the risk that comes with critical systems society depends on being reachable over a shared medium.

ICS are the computers that control industrial processes such as power generation, water treatment, gas distribution, communication infrastructure, and manufacturing, often built from highly specialized dedicated hardware such as programmable logic controllers (PLCs). The term also covers Supervisory Control and Data Acquisition (SCADA) systems, which remotely monitor and command the operational technology (OT) in the field.

While ICS devices are often highly specialized, the same software and hardware vulnerabilities that plague conventional computers affect them too. Security experts have long warned companies that attackers also target ICS, and recent incidents such as the Colonial Pipeline ransomware attack have borne this out (many observers, including WatchGuard, predicted this years ago). More worrying, over the past five years ICS attacks have become more frequent and their consequences more severe.

However, we can protect these systems, especially as we learn from historical lessons. Below are five important security lessons we can learn from past ICS attacks:

1. Malicious insiders can threaten even the most secure systems

In 2000, Maroochy Water Services in Queensland, Australia, began suffering sewage pump failures that released roughly 800,000 litres of untreated sewage into local waterways and parks. No alarms were raised when the pumps failed. The investigation finally revealed that a disgruntled former contractor, who had installed the SCADA system and then been refused a permanent position with the council, had taken a laptop and radio equipment and was issuing commands to the pumping stations over the radio link. Defending against malicious insiders is hard, but strong asset management and a fast process for revoking access when someone leaves both help. The attack also made MWS aware that its wireless control traffic was neither encrypted nor authenticated: any compatible radio could issue commands. If control traffic crosses a publicly accessible medium, it must be cryptographically protected.
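The Maroochy radio link accepted any well-formed command frame, which is exactly what an attacker with stolen equipment exploits. The following Python is an added illustration, not code from the article or from any water utility's equipment, of what "cryptographically protected" means in practice for a radio-linked pump controller: each command carries a monotonic sequence number and an HMAC-SHA256 tag under a per-station key, so forged, tampered and replayed frames are rejected. The frame layout, opcodes, station id and out-of-band key provisioning are assumptions made for the example; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets
import struct

HEADER_FMT = ">HBIQ"          # station id, opcode, value, sequence number (assumed layout)
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 16                  # HMAC-SHA256 truncated to 128 bits

OP_PUMP_START, OP_PUMP_STOP, OP_SET_LEVEL = 1, 2, 3   # assumed opcodes


def pack_command(station_id, opcode, value, seq):
    return struct.pack(HEADER_FMT, station_id, opcode, value, seq)


class LegacyPumpStation:
    """Unauthenticated receiver, the Maroochy situation: any radio that can
    form a well-shaped frame addressed to this station gets its command run."""
    def __init__(self, station_id):
        self.station_id = station_id
        self.executed = []

    def receive(self, frame):
        if len(frame) < HEADER_LEN:
            return False
        station_id, opcode, value, _ = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
        if station_id != self.station_id:
            return False
        self.executed.append((opcode, value))
        return True


class CommandAuthority:
    """Operator side: every frame gets a fresh sequence number and an HMAC
    over the whole header, keyed with a secret shared with that station."""
    def __init__(self, key):
        self.key = key
        self.seq = 0

    def build(self, station_id, opcode, value):
        self.seq += 1
        header = pack_command(station_id, opcode, value, self.seq)
        tag = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        return header + tag


class AuthenticatedPumpStation:
    """Field side: executes only frames whose tag verifies under the shared key
    and whose sequence number is strictly newer than the last one accepted."""
    def __init__(self, station_id, key):
        self.station_id = station_id
        self.key = key
        self.last_seq = 0          # must be persisted across restarts in a real controller
        self.executed = []
        self.rejections = []

    def receive(self, frame):
        if len(frame) != HEADER_LEN + TAG_LEN:
            self.rejections.append("malformed")
            return False
        header, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        # constant-time comparison so timing does not leak how many tag bytes matched
        if not hmac.compare_digest(tag, expected):
            self.rejections.append("bad-tag")
            return False
        station_id, opcode, value, seq = struct.unpack(HEADER_FMT, header)
        if station_id != self.station_id:
            self.rejections.append("wrong-station")
            return False
        if seq <= self.last_seq:
            self.rejections.append("replay")
            return False
        self.last_seq = seq
        self.executed.append((opcode, value))
        return True


def demo():
    """Constructed scenario: the operator starts pump station 7; an attacker with
    a compatible radio but no key then forges a stop command, replays the captured
    start frame, and flips the opcode byte in a captured frame."""
    key = secrets.token_bytes(32)             # provisioned out of band (assumption)
    attacker_key = secrets.token_bytes(32)    # the attacker has to guess; it will not match
    legacy = LegacyPumpStation(station_id=7)
    hardened = AuthenticatedPumpStation(station_id=7, key=key)
    operator = CommandAuthority(key)
    rogue = CommandAuthority(attacker_key)

    start = operator.build(7, OP_PUMP_START, 0)
    forged_stop = rogue.build(7, OP_PUMP_STOP, 0)
    tampered = start[:2] + bytes([OP_PUMP_STOP]) + start[3:]   # opcode byte flipped

    return {
        "legacy_accepts_forged": legacy.receive(forged_stop),
        "hardened_accepts_legit": hardened.receive(start),
        "hardened_accepts_forged": hardened.receive(forged_stop),
        "hardened_accepts_replay": hardened.receive(start),
        "hardened_accepts_tampered": hardened.receive(tampered),
        "hardened_rejections": list(hardened.rejections),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

This authenticates commands but does not hide them; if the contents of control traffic are also sensitive, use an authenticated encryption mode such as AES-GCM in place of the bare HMAC. Real deployments should prefer a standardized scheme, for example DNP3 Secure Authentication (IEEE 1815) or the IEC 62351 profiles, and must persist the sequence counter so that a controller reboot does not reopen the replay window.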

2. Secrecy and physical isolation do not equate to impenetrable security

In 2010, the discovery of Stuxnet in Iran's uranium enrichment facilities opened the Pandora's box of state-sponsored ICS cyber attacks. This sophisticated worm drove enrichment centrifuges outside their safe operating range while reporting normal readings to operators, until the machines destroyed themselves. The attack used four zero-day vulnerabilities and the first known programmable logic controller (PLC) rootkit, aimed at one specific model of equipment, and reportedly relied on an insider who carried the malware across the air gap on removable media. If there is one lesson to take from Stuxnet, it is that with enough time, money and will, even the most isolated facility can be breached. Protecting critical systems against a persistent state-sponsored adversary requires very advanced security controls and procedures, not reliance on secrecy or an air gap.

3. Beware of spear phishing

Between 2014 and 2015, Russian hackers reportedly installed BlackEnergy malware on the computers of Ukrainian power companies through spear phishing (Microsoft Office attachments carrying malicious macros). That foothold let them cut power to roughly 225,000 customers for up to six hours in December 2015. (A similar attack followed in December 2016 using the CRASHOVERRIDE, or Industroyer, malware.) This is just one of many ICS-related attacks that began with spear phishing, including the 2012 Shamoon wiper attack on Saudi Aramco (which hit the company's office network rather than its control systems), the 2012 campaign against U.S. natural gas pipeline operators, and the 2014 German steel mill intrusion. The lesson is clear: spear phishing is an extremely common entry point in ICS attacks. Regular training on recognising and reporting phishing emails is essential, and it should be backed by technical controls such as blocking macros in documents received from the internet and requiring multi-factor authentication, so that one click does not hand over a workstation with a path into the control network.

4. Digital attacks can lead to physical harm and death

In 2017, investigators examining an unexplained shutdown at a petrochemical plant in Saudi Arabia discovered highly specialized ICS malware, known as TRITON or TRISIS. It targeted the plant's Schneider Electric Triconex safety instrumented systems, the independent controllers whose only job is to bring a process to a safe state when something goes wrong. Disabling or manipulating those systems could allow a fault to escalate into an explosion or toxic release, which is why TRITON is widely described as the first malware built to attack safety systems and therefore capable of causing loss of life. Protecting ICS is crucial not only because we depend on the services they provide but because the safety of the people around them depends on it.

5. ICS are vulnerable to ransomware attacks

Historically, ICS attacks appeared to be the province of state-sponsored and ideologically motivated hackers, but cybercriminals have now joined in. In March 2019, global aluminium producer Norsk Hydro was hit by LockerGoga ransomware and had to shut down some production lines and fall back to manual operation. Such incidents vividly validate the ICS predictions made in 2019. A more recent case is the May 2021 ransomware attack on Colonial Pipeline: the malware hit the company's IT network, and the pipeline was shut down as a precaution because the company could not be sure the intrusion had not spread to OT. Although their origins vary, these incidents show that cybercriminals can now breach ICS operators, which make attractive ransomware targets precisely because downtime is so costly. They also show how far OT security still lagged in 2020. An ICS operator should have a detailed business continuity plan and a disaster recovery plan so that services can be restored quickly after ransomware or a similar disaster, and should segment IT from OT so that an infection on the office network does not force the plant offline.

These are just a few of the lessons to be drawn from past ICS cyber attacks. There are many more, and similar incidents are likely to become more frequent in the future.
