You feel violated when internet intruders (hackers) cause digital harm: theft of social security numbers, credit cards, logins, e-mails or addresses. It is far more frightening when an organized cyber attack destroys critical physical infrastructure and disrupts water, power or gas. It's annoying to have to update passwords or get a new credit card. How unnerved would you be if the power were out for weeks, or you had no gas for your car? This is the new age of cyber-terrorism awaiting us as we connect more of our critical infrastructure to the Internet.
Security is an Afterthought Until You Have a “Pearl Harbor”
The SANS Institute, a security training company, ran a 2013 survey of professionals working with Supervisory Control and Data Acquisition (SCADA) and industrial control systems (ICS), which are used in utilities, healthcare, transportation, oil and gas, chemical production, and other industrial manufacturing. Of the 700 respondents, 70% believed their SCADA systems to be at high or severe risk, and a third suspected that they had already been infiltrated.
The main problem is that these critical SCADA or ICS systems are being connected to the Internet and/or mobile devices, exposing them to cyber attack risks they were never designed to protect against (Figure 1). Many of these SCADA or ICS systems were confined to a single building or facility, with a master panel or computer as the central control point and little or no outside access. Today, however, these SCADA and ICS “islands” are being linked and controlled remotely.
Figure 1: Typical Cyber Attack Through Corporate Database to Control System Database
“It is only a matter of the ‘when,’ not the ‘if’ that we are going to see something dramatic. I fully expect that during my time as the commander we are going to be tasked to help defend critical infrastructure.”
— Michael Rogers, director of the NSA and commander of the U.S. Cyber Command, House Intelligence Committee, November 20, 2014
SCADA and industrial process control systems are built to stay in place for decades, unlike computer systems or consumer products, which have limited lives or are updated through frequent patching. Updating the firmware of an industrial control system may require a “hard restart”: bringing the entire system and the control equipment down first in order to install the complete firmware image (not a patch). This is often not reasonable for industrial systems such as manufacturing plants and utilities that operate continuously. There are significant differences between securing the corporate IT infrastructure and securing the industrial control organization (Table A).
Table A: Comparison of IT and ICS and Differences in Security Requirements
| | IT Systems | Control Systems (ICS) |
|---|---|---|
| Support Lifetime | | 10-20 years; few (if ever) upgrades |
| System Availability | | Real-time |
| Software Updates | Easily implemented; enterprise wide, remote and automated | Long implementation runway; changes must be thoroughly tested and applied incrementally; a “reboot” is nearly impossible given real-time operation |
| Key Risks | Loss of data; fault tolerance non-critical | Loss of process equipment or production; fault tolerance critical |
| Security | Protect IT assets (assets concentrated – | Protect field equipment (assets distributed & remote – in-field, control, PLCs, sensors/actuators) |
Source: Derived from the 2009 Homeland Security – Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies
Regardless, security is likely an afterthought in most industrial or embedded systems. In 2011, Mocana, a developer of security software for mobile devices, surveyed 800 engineers and developers who work on embedded devices; only 41% thought their employers spent enough time and money to make their products secure. Furthermore, 25% of those surveyed said they personally knew of a product their company had shipped in full knowledge of a potentially serious security flaw that was left unaddressed and had not been disclosed to customers or the public. Ask yourself: do you ship a product with a default password? Have you changed the default password on your home wireless router?
HD Moore, a respected Internet security expert and Metasploit author, said at the 2013 Australian Computer Emergency Response Team (AusCERT) Conference that embedded systems vendors are acting carelessly: “You can probably own five percent of the total internet without even blinking.” Moore noted that there are 75 million vulnerable Simple Network Management Protocol (SNMP) systems (routers, switches, modems, etc.) worldwide, and that about six percent of all Cisco devices visible on the Web offered SNMP read access.
Moore concludes that one of the biggest security issues is the length of the supply chain in the embedded space: the embedded software may ship from one vendor, be transformed into a module by another vendor, be integrated into a finished system by a third vendor or original design manufacturer (ODM), and be branded by yet another. The key issue is that none of the vendors along the supply chain are considering end-user security in their design.
Reported Cyber Attacks — Physical Damage and Destruction
Many physical cyber attacks are likely never reported to the public, for reasons of fear and security. In researching this article I found the following reported instances of cyber attacks resulting in physical destruction, going back to 2009 and in some cases only now being reported:
Baku-Tbilisi-Ceyhan (BTC) Pipeline (2008): The BTC runs 1,099 miles from the Caspian Sea to the Mediterranean and was built to be one of the most secure pipelines in the world, with every mile monitored by sensors. The BTC pipeline follows a route through the former Soviet Union mapped out over Russian objections. Eleven companies, including BP (majority owner), the Azerbaijan State Oil Company, Chevron Corp., and Statoil ASA of Norway, built the pipeline, which has carried more than two billion barrels of crude since 2006.
Bloomberg reported: “Hackers shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident who asked not to be identified because details of the investigation are confidential. The main weapon at valve station 30 on August 5, 2008 was a keyboard.” The result was an explosion that sent flames 150 feet in the air and the control room didn’t learn about the blast until 40 minutes after it happened.
The cyber attackers found a computer running the Windows OS that was in charge of the alarm-management network and placed a malicious program on it.
This cyber attack is one of the earliest and took place years before Stuxnet, which was discovered in 2010. Given its sophistication, the attack was likely carried out by a nation-state.
Scared yet? According to the Transportation Security Agency, in the United States there are 182,000 miles of pipelines that carry oil, chemicals and other hazardous liquids. There are 325,000 miles of pipelines that transport natural gas in bulk between states and 2.2 million miles of pipelines that bring natural gas to homes and businesses.
You can read more about the attack and its implications at Bloomberg here.
Iran’s Uranium Centrifuges and Stuxnet (2010): A 500-kilobyte computer worm infected the software of at least 14 industrial sites in Iran, including centrifuges used to enrich uranium for weapons. Stuxnet drove the rapidly spinning centrifuges to speeds at which they tore themselves apart.
Stuxnet was a very targeted computer worm with at least three components. First, it targeted Microsoft Windows-based machines and networks, repeatedly replicating itself. Second, it sought out Siemens Step7 software, also MS Windows-based, which is used for industrial control systems that operate equipment such as centrifuges. Finally, it compromised the heart of an ICS: the programmable logic controllers (PLCs). Stuxnet could spread among computers running MS Windows regardless of whether they were connected to the internet; all it took was a seemingly harmless USB drive connected to a computer.
One of the troubling aspects of Stuxnet is that, while it targeted MS Windows, Siemens Step7 software and PLCs, it did not stop in Iran and proliferated worldwide. This fear was realized in November 2012, when Chevron confirmed that Stuxnet had spread across its industrial machines.
In October 2012, Leon Panetta, United States Defense Secretary warned that the United States was vulnerable to a “cyber Pearl Harbor” that could derail trains, poison water supplies, and cripple power grids.
An interesting account of Stuxnet and what it portends can be found in the Smithsonian article titled: “Richard Clarke on Who Was Behind the Stuxnet Attack”
Saudi Aramco (2012): A group calling themselves the Cutting Sword of Justice launched a cyber attack to stop the oil and gas production of the largest exporter in the Organization of the Petroleum Exporting Countries (OPEC), according to reports from Lockheed Martin Corporation. The attack crippled 30,000 computers and disrupted Saudi Aramco for months.
The Shamoon malware was likely used in the cyber attack. Luckily, while the malware infected 30,000 enterprise computers, it did not penetrate the industrial control systems or PLCs of the refining operations. It does underscore the fact that oil and gas refiners and transporters need to step up their security against cyber threats and possible attacks.
German Steel Mill (2014): A report published by Germany’s Federal Office for Information Security (BSI) stated that sophisticated attackers used spear-phishing and social engineering to gain access to the office network of an as-yet-unnamed steel plant. From that network, the cyber attackers were able to reach the steel mill’s industrial control network, PLCs and production machines. The steel mill suffered outages and the shutdown of a blast furnace.
Iran-Backed Hackers Target Airlines, Oil, and Electric Power Generation (2014): Bloomberg, quoting a report from Cylance, Inc., a cyber-security firm, disclosed that hackers working for Iran penetrated at least 50 companies and government organizations, looking for vulnerabilities to exploit later in physical attacks. Persons familiar with the report said the targets included Pakistan International Airlines, Korean Air, Petroleos Mexicanos (the 9th largest oil producer), and Calpine Corp., a power generation company in California, Texas and the mid-Atlantic.
Avoiding Industrial Internet “Insecurity” and a Cyber “Pearl Harbor”
There are things that can be done to lessen the risk of a cyber “Pearl Harbor”. The key is for industrial companies to share information on attacks and security architectures in order to develop best practices. Security for real-time industrial situations cannot be treated with a “set-and-forget” mentality or a “we’ll fix it in the next release” attitude, because these industrial systems stay in place for decades.
Companies need to CONSTANTLY think about the following:
- What needs to be protected in our ICS?
- What elements will be protected or monitored for intrusion?
- How can we apply updates as we discover attacks or security risks?
- How do we apply context and risk assessment to prioritize security threats?
Here are some more pointed suggestions:
- Layer Security Controls: Security must be applied at all levels or layers of the industrial control system (ICS), not just at the perimeter: from the microcontrollers, MPUs, PLCs and sensor systems through the network gear, control centers and data centers or cloud. Security and intrusion detection must be applied at every level of the ICS and its network.
- Create Zones and Track Interactions: Identify the various zones in the ICS and isolate them using firewalls, demilitarized zones (DMZs) and intrusion detection to protect the control network:
- External Zone (remote operations, business partners);
- Corporate Zone (enterprise servers, corporate e-mail, LAN, WiFi);
- Manufacturing Zone (plant historian, control workstations, manufacturing configuration server);
- Manufacturing Cell Zone (control room workstations, PLCs, sensors/actuators); and
- Safety Zone (manufacturing safety instrumentation, alarms, emergency shutdown controls).
Segmenting networks is traditionally accomplished using multiple routers. Multiple DMZs need to be created to separate functions and access privileges, such as the corporate LAN/WiFi, the control system LAN to the SCADA systems, and the security servers. Deploy a Security Information and Event Management (SIEM) system to give security personnel a central view of security tools, firewall logs and intrusion detection system (IDS) logs. Figure 2 displays a zone system with zone firewalls, intrusion detection and SIEM.
- Develop Security Certification Methodologies for Hardware and Software: Given the multiple vendors in the supply chain for embedded systems (IC/component makers, subsystem and system ODMs, OEMs, system integrators), industrial companies, manufacturers and utilities need to consider implementing security certifications along the supply chain. They should require supply chain vendors to ensure that they have implemented security procedures and have a methodology for updating their products and disclosing those updates as security issues are discovered. Third-party and open source software incorporated into an embedded system must be thoroughly tested, documented and certified. IC vendors to the equipment OEMs must be able to certify that their products have no open, identified security flaws.
- Develop Methods to Update SCADA and ICS Software (Incrementally?): This is more of a critical want. In the enterprise world, security software is normally patched and the patch pushed to all end-points. This will be difficult to do in existing SCADA and ICS architectures as security threats are discovered. Normally you don’t just patch the firmware in a PLC or SCADA system; you need to reinstall the entire firmware, which is hard to do in a real-time system that can’t be off-line for long periods of time (e.g., an oil refinery, power grid or water utility). Also, remember that ICS stay in place for 15 to 20 years.
- Create Robust Identity, Access Management and Encryption: ICS systems require robust authentication to avoid spoofing, sustained attacks, and session hijacking. Along with authentication there needs to be levels of authorization to limit malicious players gaining access or executing commands that they are not allowed to perform. In addition, some commands and functions should be encrypted on the network and not sent in plain text.
- Monitor the Network and System Rigorously: Monitor network packet flow in both directions (inbound/outbound) and between security zones. Egress filtering ensures that botnet malware cannot “call home” to its control server, rendering it useless to an attacker.
- Change Default Accounts and Passwords: Most manufacturers of ICS equipment do not force an account or password change on product installation. Simple things like changing the account names and operator passwords on a regular basis can be very effective. Consider requiring strong passwords throughout the ICS.
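The zone model and the egress-filtering point above can be turned into a concrete SIEM check. The following is an added example, not code from the original article: it assumes constructed zone address ranges and a constructed key=value firewall log format, and flags any flow that crosses a zone boundary the architecture does not permit (a device in the cell zone reaching the Internet, or the corporate zone reaching a PLC without passing through the manufacturing zone).

```python
import ipaddress

# Constructed zone address ranges for this example (assumptions, not a real plant).
# Anything outside these ranges is treated as the External zone.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "manufacturing": ipaddress.ip_network("10.2.0.0/16"),
    "cell": ipaddress.ip_network("10.3.0.0/16"),
    "safety": ipaddress.ip_network("10.4.0.0/16"),
}

# Permitted zone crossings: neighbouring zones only, so corporate traffic must pass
# through manufacturing to reach a cell, and nothing below corporate may reach the Internet.
ALLOWED = {
    ("external", "corporate"), ("corporate", "external"),
    ("corporate", "manufacturing"), ("manufacturing", "corporate"),
    ("manufacturing", "cell"), ("cell", "manufacturing"),
    ("cell", "safety"), ("safety", "cell"),
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def parse_line(line):
    # Constructed firewall log format: ts=... src=... dst=... dport=... action=...
    return dict(field.split("=", 1) for field in line.split())

def check_flows(lines):
    """Return (ts, src_zone, dst_zone, src, dst, dport, action) for each zone
    crossing not in ALLOWED. Denied lines are reported too: a blocked
    cell-to-Internet attempt is itself a sign of something trying to call home."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone != dst_zone and (src_zone, dst_zone) not in ALLOWED:
            alerts.append((f["ts"], src_zone, dst_zone, f["src"], f["dst"], f["dport"], f["action"]))
    return alerts

# Constructed sample log lines.
SAMPLE_LOG = [
    "ts=2014-11-20T10:00:01 src=10.1.5.20 dst=10.2.0.10 dport=1433 action=allow",   # corporate -> historian: fine
    "ts=2014-11-20T10:00:02 src=10.3.0.15 dst=203.0.113.7 dport=443 action=allow",  # PLC -> Internet: egress gap
    "ts=2014-11-20T10:00:03 src=10.1.5.20 dst=10.3.0.15 dport=502 action=deny",     # corporate -> PLC, skipping a zone
    "ts=2014-11-20T10:00:04 src=10.3.0.15 dst=10.4.0.2 dport=502 action=allow",     # cell -> safety: permitted
    "ts=2014-11-20T10:00:05 src=10.2.0.10 dst=10.2.0.11 dport=445 action=allow",    # same zone: not a crossing
]
```

Running `check_flows(SAMPLE_LOG)` yields two alerts: the allowed PLC-to-Internet flow (a hole in egress filtering) and the denied corporate-to-PLC attempt (a bypass of the manufacturing zone worth investigating even though the firewall blocked it).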
As Andy Grove would say, “Only the paranoid survive.” It is important to treat security not as an afterthought but as part of the ICS implementation. We don’t want a cyber “Pearl Harbor”, and in most cases it is very preventable.
One last thought: digital viruses are everywhere, even in your cell phone USB charger and e-cigarette chargers. Paranoid yet? You should be.