Insecure industrial control systems leave countries vulnerable to aggressors

Warfare down the millennia has always been about brute force, whether that be the hand-to-hand fighting of old or today’s much more sophisticated and devastating weapons of war. Once military targets have been hit, the aggressor’s attention usually turns to disrupting infrastructure and industry, in an attempt to plunge a country into chaos and demoralise the civilian population.

However, with the growth of computing and its spread into all areas of modern life, other more subtle ways of conducting warfare and causing widespread panic are available. Brute force is no longer necessary. Cyber warfare can have an equally devastating impact.

In the modern world, we are now critically dependent upon industrial control and SCADA (Supervisory Control and Data Acquisition) systems in many areas of life. They are widely used, for example, in electricity production, oil and gas extraction, communications, the provision of water and waste services, and transport services.

Disruption of any of these can very quickly lead to chaos and have a devastating effect on both the military and civilian populations. All an aggressor has to do is find a way to breach our industrial control systems, and, given the current state of awareness of security around such systems, this is not very difficult to do.

Take, for example, the recent hacking attack against the Ukraine, which succeeded in knocking out power supplies for up to 1.4 million residents. It was done through the social engineering attack known as spear phishing. An infected Word document was used to introduce BlackEnergy malware into critical systems.

It was also social engineering which introduced that classic piece of industrial control malware, Stuxnet. It is now widely believed that Stuxnet was originally developed by an American/Israeli alliance, specifically to attack the control systems within Iran's nuclear industry. It eventually destroyed around 20 per cent of Iran's centrifuges. The belief is that it was introduced into their system via an infected USB stick.

The Dam Busters raids in World War 2 cost 53 lives and 8 aircraft. When the dams were breached, it caused huge enemy casualties and a massive blow to the Nazi war effort.

Now, it’s a little different. After attacks on its infrastructure, Iran hit back at the US, by infiltrating the control systems of the Bowman Avenue dam, just 20 miles from New York City. The hackers gained access via a cellular modem. Although, they did not actually take control or cause any disruption, they were able to see what cyber defences were in place and how the computer systems worked, without any risk to their own lives.

Research by Kaspersky Lab gives us some idea why such incidents happen. It highlights the fact that there is still a great lack of awareness about how vulnerable industrial control systems are and what needs be done to protect them. Kaspersky’s research highlighted five particular misconceptions:

‘Five Myths of Industrial Control Systems Security.’

1. Myth - Industrial control systems are not connected to the outside world.

Fact - Most industrial control systems have eleven connections to the Internet.

2. Myth - We are safe because we have a firewall.

Fact - Most firewalls allow "any" service on inbound rules.

3. Myth - Hackers don't understand SCADA.

Fact - More and more hackers are specifically investigating this area.

4. Myth - We are not a target.

Fact - Stuxnet showed us that just because you weren't the intended target of industrial hacking, doesn't mean you won't become a victim.

5. Myth - Our safety system will protect us.

Fact - The chances are that your safety and control is using the same operating system with the same vulnerabilities.

Conclusion

Cyber security is now much more prominent in everyone’s consciousness than it was just a few years ago. Unfortunately, this doesn’t seem to have filtered down yet to areas such as industrial control and SCADA systems. As these systems have the potential to be the new front line in warfare, it is critical that we focus more attention on protecting them, and consequently protecting our essential infrastructure and services from those who might want to do us harm.

Barry Mattacott, marketing director, Wick Hill Group

Image Credit: Sergey Nivens/Shutterstock