In 2009/2010 one of the most infamous cyber security attacks against an industrial plant took place: the Stuxnet attack. Stuxnet was specifically designed to carry out malicious damage to industrial systems. Allegedly state sponsored, the malicious software attacked industrial control systems (ICSs) used to mange automated industrial processes. Stuxnet's infamy comes from the target, the Iranian nuclear facility, where it damaged a number of centrifuges, leading to a temporary closure of the facility. The NATO Defense Center described Stuxnet as the first real example of cyber warfare.
The Industrial Cyber Threat Landscape
Since the Stuxnet incident, industrially based cyber attacks have continued unabated. In Dell's 2015 Annual Security Threat Report , the company found that attacks against supervisory control and data acquisition systems (SCADAs) had increased by 100% between 2013 and 2014—this increase was at least in part due to the increased Internet connectivity of SCADA systems.
Along with the potential threat that Internet connectivity poses, we are also seeing specialist cybercriminal gangs that primarily target Industrial Control Systems (ICSs), including SCADA and other systems, such as Programmable Logic Controllers (PLC). One such gang, known as 'Dragonfly', focused on ICS attacks, specifically against SCADA systems, within the energy, manufacturing and pharmaceutical industries, mainly targeting companies in Europe and the USA. The gang used a variety of attack vectors, such as phishing emails and watering holes, whereby normally trusted websites are infected with malware. They also directly attacked ICS software updates using a Trojan malware virus known as 'Havex RAT' , which they used to infect the updates—a particularly sinister move since companies use patches to fix security issues, not create them.
What Does This Mean For My Company
All organizations, of all sizes are vulnerable to cyber threats. This is especially true with the advent of Internet connectivity. ICS and SCADA systems that have external connectivity are at particular risk for cyber attacks. However, industrial cyber attacks can have a much deeper and more lasting impacts. At the very least they can create disruption to systems and services, and at worst, such attacks could lead to severe compromise of critical infrastructures and worse still, costs in terms of human lives.
The cyber attack on the oil company Saudi Aramco in 2012 is an example of a lower impact attack, but one that incurred significant business costs. This attack involved a virus that infected 30,000 of the company's PCs. The virus damaged all of the data on Saudi Aramco's computers and cost the company 10 days of downtime to rectify the breach. This time the attack didn't directly affect a critical infrastructure. However, the 2014 attack on the U.S. National Oceanic and Atmospheric Administration (NOAA) was described by inspectors as creating a "risk in national critical mission". In another example, one in which the impact on a company's systems was taken to the next level, a German steel mill mill was breached, resulting in the failure of multiple components. The attack started out as a spear phishing email, targeting key employees, which resulted in stolen credentials being used to access the plant's network. The company experienced massive damage to their hardware.
One of the issues surrounding attacks against industrial control systems like SCADA is that they often involve malware known as an Advanced Persistent Threat or APT. APTs are designed to work "under the radar". They aren't picked up by anti-virus software because they are designed to dynamically update via a "command and control center" controlled by a remote hacker. They can cause massive damage over months and even years if they remain undetected.
Mitigation of Industrial Cyber Threats
We can see that it's only a matter of time before one of these attacks against an industrial target results not only in damage to property and equipment, but also in environmental damage and even lost lives. And, with the advent of even greater Internet connectivity in the form of the Internet of Things (IoT), we will see the cyber threat landscape become even more dangerous. Although the level of sophistication of these threats has increased and detection has become more difficult, there have been developments in the security industry to push these threats back into their box. We can no longer rely on old security tools to function adequately in such a dynamic landscape and instead we need to be watchful for changing events. To implement the best security practices in an industrial setting, we need to look to tools that can perform more dynamically and more flexibly, i.e. tools that allow us to monitor our environment using security intelligence. This involves full scale logging of all network activity to create reports that can then be forensically analyzed, enabling appropriate action to be taken when an event is spotted. The types of functionality we need to be looking for in a product are as follows:
Intelligent identification - being able to spot malicious activity and unusual behavior
Knowledge acquisition - learning from your accumulated insights, building up a database of security intelligence
Sharing security intelligence - gives us greater power to confront cyber threats. Data sharing can happen both within an organization and between individual organizations. This type of co-operation is exemplified in the Financial Industry's Information Sharing and Analysis Center (FSISAC).
DATATRONiQ and Datatron have been designed to provide the modern functionality needed to help you build a first class security strategy that can deal with the emerging threats to our industrial systems.