In 2010, the Stuxnet computer worm was identified as the first-ever cyber-weapon to attack a particular industrial target. Specifically aimed at the SCADA systems used for supervisory control of industrial processes, the malware was developed both to spy on and to reprogram industrial systems, while camouflaging the modifications. The critical nature of the systems concerned (hydroelectric or nuclear power plants, drinking water distribution systems, oil pipelines) caused considerable alarm among IT managers across the world. Other malware threats soon followed.

Industrial control systems are vulnerable because they use proprietary hardware and software. Most were designed before the age of computer networks, when security simply involved physical access control (i.e., securing the premises), so they have no mechanisms for authentication, checking authorizations or ensuring data integrity and confidentiality. Another source of vulnerabilities stems from the fear of breaking something that already works, which leaves SCADA software running on obsolete and unpatched operating systems for years.

Some hackers take control of SCADA systems by modifying the PLC micro-program after infecting parts of the system with malware. Others take control by exploiting vulnerabilities of the Modbus protocol on unprotected and non-isolated networks. Hackers can also deploy malware to unpatched and unprotected systems, giving them access to a specific target running on the network, just as they access any other system.

These attacks affect system availability, system-wide integrity, confidentiality of sensitive data, and the traceability of IT events, and organizations must be vigilant in preventing them. It’s not enough to isolate these systems by disconnecting them from the Internet; they also must not be linked to other environments that have Internet connections and are therefore at risk of infection from malware.

When external access must be granted to such environments, it must be granted with extreme care and with an understanding of who is accessing, from where and from what device. Once these questions have been answered, access must be granted in the narrowest way possible, with all activity logged and monitored.

Vital lines of defence for IT security include:

Raising user awareness of risks

Many incidents happen because users are free to install software, unaware of the associated malware risks. If you understand the risk, however, you can develop plans to ensure that any threats are contained and quarantined as soon as they hit the device or network. Provide continuous training for employees on the potential risks affecting the industrial systems in their workplace.

Implementing preventive measures

Protect systems from unauthorized access by implementing a strict user account management policy:
Change default passwords immediately after an attack (from a trusted system)
Monitor where data is going
Never allow plaintext passwords in the code of applications, operating procedures or stored data
Implement sound management of profiles and file access permissions
Identify behaviours that put systems at risk and take the necessary steps to eliminate the vulnerability gap
Deactivation of non-secure protocols
Online modifications of control programs authorized without verification
Reloading the start-up configuration via USB stick or MMC
Install patch updates of operating systems, applications and firmware immediately
Implement solutions to detect virus signatures and security incidents
Use technologies that combat the main network threat vectors

These are very targeted attacks, affecting a niche industry. But with the often large gaps between software vendors’ update patches, internal IT teams must understand how to cost-effectively go above and beyond to protect the network and data. They also must understand the difference between authorized and unauthorized requests, since this is where data breaches can occur. Review all changes and requests in real time, and follow the steps above to protect endpoints from such attacks.
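The Modbus weakness mentioned above, seen from the defender's side: Modbus/TCP carries no authentication field, so the only way a network monitor can tell an authorized write request from an unauthorized one is by where it came from. The following is an added example, not code from the original article: it parses the Modbus/TCP MBAP header, flags state-changing function codes sent by hosts outside an allow-list, and reports malformed frames. The IP addresses, the allow-list and the sample frames are all constructed for illustration.

```python
import struct

# Modbus function codes that change PLC state. Modbus/TCP carries no
# authentication field, so a monitor can only judge a write by its source.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers",
                        22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Assumed allow-list of engineering workstations permitted to write (constructed).
AUTHORIZED_WRITERS = {"10.0.1.10"}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of one Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(payload) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "fc": payload[7], "data": payload[8:]}

def audit(frames):
    """Return one alert per malformed frame or write from a non-allow-listed host."""
    alerts = []
    for src, payload in frames:
        try:
            f = parse_modbus_tcp(payload)
        except ValueError as e:
            alerts.append(f"{src}: malformed frame ({e})")
            continue
        if f["fc"] in WRITE_FUNCTION_CODES and src not in AUTHORIZED_WRITERS:
            alerts.append(f"{src}: unauthorized {WRITE_FUNCTION_CODES[f['fc']]} "
                          f"to unit {f['unit']} (tid {f['tid']})")
    return alerts

# Constructed sample traffic: (source IP, raw Modbus/TCP request bytes).
SAMPLE_FRAMES = [
    ("10.0.1.20", bytes.fromhex("00010000000601030000000a")),  # HMI reads 10 holding registers
    ("10.0.1.10", bytes.fromhex("0002000000060106001000ff")),  # authorized single-register write
    ("10.0.1.55", bytes.fromhex("00030000000601050001ff00")),  # unknown host forces a coil ON
    ("10.0.1.55", bytes.fromhex("00040000000b0110000000020412345678")),  # unknown host: 2 registers
    ("10.0.1.55", bytes.fromhex("000500000006")),  # truncated frame
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FRAMES):
        print(alert)
```

Read requests from the HMI and the write from the allow-listed workstation pass silently; the two writes from the unknown host and the truncated frame each produce an alert.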