In 2010, the Stuxnet computer worm was identified as the first-ever cyber-weapon to attack a particular industrial target. Specifically aimed at the SCADA systems used for supervisory control of industrial processes, the malware was developed both to spy on and to reprogram industrial systems, while camouflaging the modifications. The critical nature of the systems concerned (hydroelectric or nuclear power plants, drinking water distribution systems, oil pipelines) caused considerable alarm among IT managers across the world. Other malware threats soon followed.
Industrial control systems are vulnerable because they use proprietary hardware and software. Most were designed before the age of computer networks, when security simply involved physical access control (i.e., securing the premises), so they have no mechanisms for authentication, checking authorizations or ensuring data integrity and confidentiality. Another source of vulnerabilities stems from the fear of breaking something that already works, leaving SCADA software to run on obsolete and unpatched operating systems for years.
Some hackers take control of SCADA systems by modifying the PLC micro-program after infecting parts of the system with malware. Others take control by exploiting vulnerabilities of the Modbus protocol on unprotected and uninsulated networks. Hackers can also deploy malware to unpatched and unprotected systems, giving them access to a specific target running on the network, just as they access any other system.
These attacks affect system availability, system-wide integrity, confidentiality of sensitive data, and the traceability of IT events, and organizations must be vigilant in preventing them.It’s not enough to isolate these systems by disconnecting them from the Internet; they also must not be linked to other environments with Internet connections and, therefore, at risk of infection from malware.
When external access must be granted to such environments, this access must be granted with extreme care and understanding of who is accessing, from where and from what device. Once this interrogation is complete, access must be granted in the narrowest way possible, with all activity logged and monitored.
Vital lines of defence for IT security include:
Raising user awareness of risks
Many incidents happen because users are free to install software, unaware of the associated malware risks. If you understand the risk, however, you can develop plans to ensure that any threats are contained and quarantined as soon as they hit the device or network. Provide continuous training for employees on the potential risks affecting the industrial systems in their workplace.
Implementing preventive measures
- Protect systems from unauthorized access by implementing a strict user account management policy:
- Change default passwords immediately after an attack (from a trusted system)
- Monitor where data is going
- Never allow plaintext passwords in the code of applications, operating procedures or stored data
- Implement sound management of profiles and file access permissions
- Identify behaviours that puts systems at risk and take the necessary steps to eliminate the vulnerability gap
- Deactivation of non-secure protocols
- Online modifications of control programs authorized without verification
- Reloading the start-up configuration viaUSB stick or MMC17
- Install patch updates of operating systems, applications, firmware immediately
- Implement solutions to detect virus signatures and security incidents
- Use technologies that combat the main network threat vectors
These are very targeted attacks, affecting a niche industry. But, often with large gaps between software vendors’ update patches, internal IT teams must understand how to cost-effectively go above and beyond to protect the network and data. They also must understand the difference between authorized and unauthorized requests, since this is where data breaches can occur. Review all changes and requests in real time, and follow the steps above to protect endpoints from such attacks.