Industrial Control System, Supervisory Control and Data Acquisition ICS-SCADA are an important element of the Critical Infrastructure in oil, gas refineries, waste water treatment plant, nuclear factories. With the “Stuxnet” it is proven that cyber criminals, Nation State actors can create a war like scenario and cause unprecedented damage by performing attacks on these Critical Infrastructures. In this blog we are going to discuss the different internal and external threats affecting SCADA and the counter measures to prevent them. The pie chart below shows the external threats as well as internal threats acting on the ICS-SCADA environment of a Critical Infrastructure Industry.
External Threats:
These threats act on the ICS-SCADA environment of a critical infrastructure from outside of the organization. These external threats are explained below in detail.
- Social Engineering: By using Social Engineering techniques like baiting, phishing, spear phishing, watering hole, pretexting attackers can try and obtain critical information from ICS targets and deploy malware deep into the ICS networks for further control.
Controls: Training and Awareness, Mail Content Filtering, Web Content filtering solutions.
- Use of External Hardware to deploy Malware: Employees in an organization use USB flash drives in offices as well as home. Though organizations are enforcing strong controls but ICS networks specifically air gapped networks where endpoint security updated are done manually are more vulnerable. These USB drives can be infected by malware in the insecure perimeters of the corporate networks. These infected USB Drives when used in an ICS network and easily take control leading to further attacks and data leakage.
Controls: Training and Awareness, Endpoint Security with Behavioral analysis and sandboxing, Endpoint device control and Data Security
- Use of Remote Access for Interference: In ICS/SCADA network s remote telemetry systems like VAST, leaded lines, WAN circuits are typically used to connect PLC and RTU with the central control systems for maintenance and administration activities. By using brute force technique attacker can attack on the password protected access points and obtain the login details through which he can get unauthorized external access to the ICS network. In addition to that they can exploit 0 days vulnerabilities in these systems take control on PLC’s. A review of IP ranges on shodan.io/ will show thousands of PLC/RTU exposed remotely
Controls: UTM/Next Gen Firewalls supporting SCADA protocols, Access control mechanisms, End to end VPN and Secure Client VPS, with SIEM and Incident Response.
- Distributed Denial of Service Attack: ICS components communicate with each other by using wired and wireless mediums of communication. This communication medium can be flooded with junk traffic from distributed threat sources in order to prevent the transmission of the mission critical SCADA traffic using DDoS attack. DDoS attack can interrupt the processing logic of the PLC which can hinder the functionality or even cause the PLC to crash.
Controls: UTM/Next Gen Firewalls supporting DDOS protection.
Internal Threats:
These are the threats which are present within an organization or an insider. These threats have a wider knowledge of the ICS Infrastructure and can cause significant impact to the ICS/SCADA Infrastructure. The internal threats are explained below.
- Lack of Protocol Security: Some of the protocols which are used in SCADA have no security. MODBUS protocol has lack of authentication remote terminal will accept commands from any machine that claims it is a master. DNP 3 protocol also has lack of security. Such type of vulnerabilities in the protocol can allow the attackers to gain unauthorized access into the ICS network easily.
Controls: Usage of Secure protocols like OPC UA etc.
- Erosion of Isolation:In early days SCADA systems were isolated from the outside world or the so called air gap networks. But nowadays SCADA systems are connected to the corporate networks for changing business models due to which there is always a threat of opening a path of SCADA network to the whole world. By exploiting the vulnerabilities in the corporate network attacker can exploit the erosion of isolation.
Controls: Data Diode Firewalls and SCADA firewalls.
- Configurations: Wireless networks are used in SCADA environment for easy of communication in tightly spaced SCADA infrastructure where wired medium can create problems. These wireless systems might be running with default passwords without strong encryption protocols. Attackers can exploit the poorly configured systems through remote access and local access.
Controls: Strong Industrial wireless encryption protocols, improved visibility through SIEM and Incident response capabilities.
Note: Recently I came across a framework called crozono (http://www.crozono.com/) for Testing Security perimeter with drones and robots. It’s a quite interesting tool to verify the strengths of ICS wireless networks.
- Vendor Backdoor: It is a way to gain unauthorized access to the system through the hardware and software. Vendors use these backdoors for remote support. They are hidden. These vendor backdoors can be malicious or non-malicious.
Controls: Improved visibility through SIEM and Incident response capabilities.
- Human Error: As SCADA systems are becoming more interconnected there are more chances of human error in an ICS environment. Human errors can occur due to entering wrong values and due to lack of training. Human error can also occur due to the internal employees of the organization as well as due to the people who come from outside for maintenance. Suppose if infected USB is left on the floor by mistake and worker inserts the infected USB into the system there are the chances that malware can be transmitted to the system.
Controls: Proper Change Control Process, Identity and Access management and Privileged Account Management.
- Unpatched and Un updated Systems: In some cases Industrial Control System needs to be operated 24 hours and if these systems are not updated and patched regularly then it becomes easy for an attacker to gain unauthorized access to the ICS network.Attacker can exploit this vulnerability if the Operating System is not patched and can gain illegal access to the ICS network.
Controls: Proper Change Control Process, Patch Management and Vulnerability Management and Prioritization.
- Improper Physical Security: The Distributed Control System used in an organization can be distributed at different locations which can be unmanned. The attacker can interfere the SCADA equipment and can try to damage it. Due to this attackers can damage the SCADA equipment and can change configurations.
Controls: Enhanced Physical Security with Biometrics Access controls manned guards etc,SIEM to correlate Physical security control logs and SCADA Systems.
- Compromising of Smart Phones in Production Environment:It possible to alter the operations of SCADA through the smart phones.By performing attack on the communication channels of ICS, an attacker can perform Man in the Middle Attack on ICS network. In addition to that an attacker can also perform reverse engineering of the used protocol.
Controls: Mobile Device management, Strong Physical Security controls.
References:
- https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS_005E.pdf?__blob=publicationFile&v=3
- http://ewic.bcs.org/upload/pdf/ewic_icscsr13_paper4.pdf
About Hrishikesh,
Hrishikesh is an Intern at “ iSecurion Technology and Consulting Pvt Ltd ” Who is passionate in ICS-SCADA Cyber Security &Technology.