SCADA Attacks Continue to Rise

Wednesday, April 15, 2015 @ 05:04 PM gHale

By Gregory Hale
SCADA attacks are on the rise, but a look below the surface from ICS security experts shows a murky and frenetic environment learning how to come to grips with a set of problems growing each day.

SCADA attacks grew roughly fourfold, to 675,186 in January 2014 from 163,228 in 2013, according to the just-released Dell Security Annual Threat Report. The report went on to say SCADA attacks tend to be political in nature, since they target operational capabilities within power plants, factories, and refineries.

“We are seeing industrial systems being the new frontier of hacking and we see that growing exponentially in the coming years, especially with the advances in the Internet of Things,” said George Wrenn, cyber security officer and vice president cyber security at Schneider Electric and research affiliate at the MIT Sloan School of Management.

ICS security experts, however, said yes, there are external attacks, but most seem to be coming from inside.

“We are not seeing external attacks, we are seeing accidental or internal incidents,” said Marco Ayala, senior project manager at aeSolutions. “It is really getting crazy right now. Unintentional attacks are pretty high on the mark.”

Accidental internal attacks of this kind could be attributed to the lack of a security plan.

“There is no governance, no model right now. In one case, right now one guy in a global operation can VPN in to any system anywhere. There is a lack of zones and conduits for systems. Yes, you can isolate, but that is not everything. It is kind of like me leaving my keys locked in the house, but my sons and daughter have their own set and I don’t know who just drove off with my car.”

“The (attack) trend is increasing for several reasons I believe, one is there is a greater number of SCADA systems out there to hack,” said Dan Schaffer, Business Development Manager for Networking and Security at Phoenix Contact. “The systems are more frequently ‘online’ and accessible via open Internet or with really non-secure tools. There is more awareness from nation states, organized crime, and ‘hacktivists,’ where interrupting production at a Shell or BP is a huge feather for green hackers.”

Top Vulnerability
The report also said buffer overflow vulnerabilities continue to be the primary attack method, accounting for 25 percent of the attacks.

“Buffer overflows prey on software/firmware that never had been designed with security in mind,” Schaffer said. “It’s an easy hack with lots of tools and reference code available. But there are plenty of other vectors. I’d guess ‘social attacks’ and ‘spear phishing’ will start to be used more heavily. It’s an easy vector if the same PC used by an engineer to check his/her email is also used to program a PLC or create HMI screens.”

“I see the trend of the weapon payload being used toward the objective and outcome of the attack,” Wrenn said. He added if an attacker wanted to bring down a system, he would not use a buffer overflow, but rather a denial of service that could easily shut down a system. It all depends on the objective of the attack.

Unreported Attacks
The report also found SCADA attacks often go unreported. As a result, other industrial companies within the space might not even know a SCADA threat exists until they end up targeted themselves.

“Most (incidents) go unreported so it is not a surprise that other companies might not know about attacks,” said John Cusimano, director of industrial cybersecurity at aeSolutions. “Nobody wants to report unless they have to.”

“Lack of sharing is a problem, but I think there are more groups around where people are more willing to share data,” said Graham Speake, vice president and chief product architect at NexDefense, Inc. “Particularly in the U.S., there are forums for sharing data and these ISACs are becoming more attractive for people to join. This is being duplicated in other countries as well, and these are also sharing data between ISACs globally.”

Wrenn said there is also a move toward using ICS-CERT as a clearing house for gathering information.

“I think the bigger issue than ‘not reporting’ and ‘not sharing’ information about a breach/hack is not even ‘knowing’ they’ve been hit,” Schaffer said. “Unless the attack immediately and obviously affects production, most plants don’t do any sort of network baselining, configuration verification, anti-malware (such as AV, whitelisting or CIFS Integrity Monitoring).”

With manufacturing and critical infrastructure being a big attack target, manufacturers should know what to look for in a security solution or program.

One word of warning: quite a few of the huge IT companies are trying to make inroads into the manufacturing space, and while they sound good, in reality they do not have a really good understanding of what industrial security is all about.

“Make sure the organization knows ICS,” Ayala said. “Give them a test and see if they pass.”
