The Dangers of Cyber Attacks on Critical Infrastructure
In March of 2016, the command and control system of a water dam in Rye Brook, NY, was breached in a cyber attack. A young Iranian working for Iran's Revolutionary Guard broke into the dam's control network using a cell phone. His attempts to cause flooding were ultimately foiled, mainly because the particular sluice gates he was attempting to open had been temporarily disconnected from the network for maintenance.
Sound like an old story since it happened five years ago? Let's fast forward to something more current, then. In February 2021, someone remotely accessed a computer for the water treatment system of the City of Oldsmar, Florida, and briefly increased the amount of sodium hydroxide, also known as lye, by a factor of more than 100. The attacker(s) didn't need sophisticated state-sponsored skills and tooling; they simply exploited weak passwords. Or how about April of this year, when federal prosecutors indicted a Kansas man for allegedly logging into a computer system at a public water system and tampering with the process for cleaning and disinfecting customers' drinking water? No state-sponsored high-end hacking power there, just a simple insider threat: the 22-year-old alleged suspect had been employed by the Post Rock Water District for a year, with duties that included remotely logging in to the water district's computer system to monitor the plant after hours. At his trial, he said he was “so intoxicated” at the time that he does not even remember messing with the system.
These are not isolated incidents. Cyber attacks on critical infrastructure happen regularly throughout the US, Europe and Asia, and they have the potential to cause tremendous ecological and societal damage and bring everyday life to a halt.
The undeniable reality is that the systems that control critical infrastructure, SCADA systems, are vulnerable and must be protected.
What is SCADA?
SCADA (Supervisory Control And Data Acquisition) systems are industrial control systems used primarily to monitor and control critical infrastructure. Typically, a SCADA system is connected to Programmable Logic Controllers (PLCs), which in turn control pumps, motors, fans and other automated industrial equipment. PLCs monitor and operate equipment, and then send this data to the SCADA system, which is in overall control.
SCADA systems are used by public utilities as well as private operations in areas such as:
- Energy
- Gas and Oil Processing
- Water Treatment, Storage and Transportation
- The Electrical Power Grid
- Nuclear Power Facilities
- Conventional Power Plants
- Food, Beverage and Agricultural Product Processors
The pervasive nature and gravity of these applications make them prime targets for cyber attackers, and penetrating their SCADA systems is the attack vector of choice.
The Security Issues of SCADA
SCADA systems are vulnerable for a number of reasons:
Outdated Technologies: Many of today's SCADA systems were deployed years ago, at a time when cybersecurity wasn't a concern. Hence, the SCADA network and the devices on it (PLCs, workstations, data storage systems, etc.) tend to be older, out of date, less hardened, and more susceptible to attack than, for example, a network used by a financial firm.
Open Visibility: Again, because SCADA systems were deployed generations ago, the physical security of PLCs and other components of the system wasn't a priority. The result is that many systems have access points that are physically in the open and hence vulnerable to insider attack. Businesses that make use of SCADA are now trying to put advanced physical controls in place to increase security, but these newer technologies have to be added onto the existing security systems, which can be incompatible, creating gaps and weaknesses in an already fragile system.
Network Integration: SCADA systems were designed to operate autonomously, and future integration with other technologies was never considered. The rise of the Internet has changed all of that: industry, and the world in general, have become more interconnected. SCADA systems that were once autonomous can now be accessed online. The attack surface of these vulnerable systems is now much broader and more inviting to bad actors.
The magnitude of the threat is huge.
A recent survey revealed:
- 6 in 10 organizations that use a SCADA system have experienced a security breach
- Risks posed by third parties are a huge fear: 6 in 10 businesses give high-level access to their vendors and/or suppliers
- 75% of businesses polled are very concerned with the cyber threats posed by malware
- 70% of businesses polled are even more concerned about Insider Attacks and the leakage of confidential information and data
- Many fear the potential impacts of a SCADA security breach
Addressing SCADA Security Issues
SCADA and critical infrastructure security should be handled the way any at-risk network should be: assess the system, develop a risk management plan, implement it, and then test and maintain it religiously. More specifically:
- Ascertain all of the connections to the SCADA system, similar to performing a risk assessment for an IT network.
- Disconnect all questionable connections at once. Disable service ports when they are not being used.
- Ensure active connections are hardened to the greatest extent possible.
- Suspend further implementation of any proprietary protocols to guarantee everything works together.
- Conduct Penetration Testing to reveal and mitigate hidden back doors into the system. Hackers are looking for these all the time, as they are an easy and covert way to get entry.
- Deploy firewalls, network intrusion detection devices, etc., to provide real-time notification of any potential security threats. Make use of a 24x7x365 Incident Monitoring tool.
- Conduct risk assessments and audits at regular intervals on all internal and remote devices connected to the SCADA system.
- Define and assign roles and responsibilities to whoever is actually in charge of security for the SCADA system. It should be clear who is accountable for system maintenance and upgrading, who is tasked with monitoring the system and responding to an attack, and finally, once the threat has been mitigated, who is responsible for bringing the system back up.
- Create, deploy, and strictly enforce a data backup policy, as well as an Incident Response/Disaster Recovery (IR/DR) Plan. Make sure these are practiced routinely. Data should be backed up on a daily basis (perhaps even every few hours), and the IR/DR Plan should be rehearsed on a quarterly basis.
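As an added example (not part of the original article), here is a small monitor over constructed setpoint-change audit events that applies the real-time notification recommendation above to the kinds of changes in the incidents described at the top of the page: a setpoint pushed outside engineering limits, a jump of more than 100x, and a remote change outside attended hours. The tag names, the limits, the attended-hours window and the event records are all assumptions.

```python
from datetime import datetime

# Hypothetical per-tag engineering limits: (low, high, max_ratio_per_change).
# Real limits come from the process engineers, not from the monitor itself.
LIMITS = {
    "NAOH_DOSE_PPM": (50.0, 200.0, 1.5),     # caustic (lye) dosing setpoint
    "CL2_RESIDUAL_MGL": (0.5, 4.0, 1.5),     # disinfection residual setpoint
    "SLUICE_GATE_1_PCT": (0.0, 100.0, 3.0),  # gate opening, percent
}
ATTENDED_HOURS = range(6, 18)  # assumed window in which remote changes are expected

def check_event(ev, limits=LIMITS):
    """Return the alert reasons raised by one setpoint-change audit event (a dict)."""
    tag, old, new = ev["tag"], ev["old"], ev["new"]
    if tag not in limits:
        return [f"change to unknown tag {tag}"]
    lo, hi, max_ratio = limits[tag]
    reasons = []
    if not lo <= new <= hi:  # hard engineering limit
        reasons.append(f"{tag} set to {new}, outside [{lo}, {hi}]")
    if new == old:
        ratio = 1.0
    elif min(new, old) <= 0:
        ratio = float("inf")  # a move from or to zero counts as a maximal jump
    else:
        ratio = max(new, old) / min(new, old)
    if ratio > max_ratio:  # sudden large step, e.g. the >100x lye increase
        reasons.append(f"{tag} changed {old} -> {new} (x{ratio:.0f})")
    hour = datetime.fromisoformat(ev["ts"]).hour
    if ev["channel"] == "remote" and hour not in ATTENDED_HOURS:
        reasons.append(f"remote change by {ev['user']} at {hour:02d}:00")
    return reasons

def run_monitor(events, limits=LIMITS):
    """Map event id -> reasons for every event that raised at least one alert."""
    flagged = {ev["id"]: check_event(ev, limits) for ev in events}
    return {eid: r for eid, r in flagged.items() if r}

# Constructed audit records modelled on the incidents described in the article.
EVENTS = [
    {"id": 1, "ts": "2021-02-05T10:15:00", "user": "op_day", "channel": "local",
     "tag": "NAOH_DOSE_PPM", "old": 100.0, "new": 110.0},       # routine trim
    {"id": 2, "ts": "2021-02-05T13:30:00", "user": "remote_op", "channel": "remote",
     "tag": "NAOH_DOSE_PPM", "old": 100.0, "new": 11100.0},     # >100x lye increase
    {"id": 3, "ts": "2021-03-27T23:40:00", "user": "ex_employee", "channel": "remote",
     "tag": "CL2_RESIDUAL_MGL", "old": 2.0, "new": 0.4},        # after-hours disinfection change
    {"id": 4, "ts": "2016-03-01T02:00:00", "user": "unknown", "channel": "remote",
     "tag": "SLUICE_GATE_1_PCT", "old": 0.0, "new": 100.0},     # gate opened at night
]
```

`run_monitor(EVENTS)` flags events 2, 3 and 4 with their reasons and leaves the routine local trim (event 1) alone; in a real deployment the event dicts would be fed from the historian or HMI audit log and the flagged map forwarded to the incident monitoring tool.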
Where GDF Can Play a Part
Global Digital Forensics can help your organization at all stages of securing your SCADA system. We can assess the risk to your systems and network from both outsider and insider threat vectors, provide Red Teams for penetration testing, and consult on the development of cyber security plans. We can also help you maintain any state and federal regulatory compliance that may be required.