Why Do Attackers Target Industrial Control Systems?
January 26, 2017
Industrial Control Systems (ICS) are found everywhere–from automated machines that manufacture goods to an office building’s cooling system.
Previously, it was standard that ICS were based on specific OS and specific communication protocols. However, in recent years, system development costs have been reduced and productivity has been improved by implementing network connection based on general purpose OS and standard communication protocols.
To compete in today’s market-driven economy, businesses and organizations opt for efficient control systems that can automatically manage processes. ICS can be found in manufacturing, processing facilities, and even power plants–which play a vital role in running a country. On the other hand, the increased efficiency that ICS introduce also presents new problems on security. In reality, threat actors have much to gain when they attack such companies. A successful attack on ICS has serious impact on any organization. Some of these effects include operational shutdowns, damaged equipment, financial loss, intellectual property theft, and substantial health and safety risks.
Motivations for attacking ICS
Threat actors have different motives when choosing an enterprise to target. When carrying out attacks, these threat actors are often motivated by financial gain, political cause, or even a military objective. Attacks may be state-sponsored or they could also come from competitors, insiders with a malicious goal, and even hacktivists.
One of the earliest examples of an ICS attack happened in 2005 when 13 DaimlerChrystler U.S. car manufacturing plants went offline for nearly an hour. The main cause was Zotob PnP worm infections that exploited a Windows Plug and Play service. The total downtime has resulted in a backlog in production costing the company thousands of dollars. While the attack was not linked to an individual or a cybercriminal group, cybercriminals may also be hired by competitors who have much to gain from the damage caused by an attack.
How are ICS attacked?
The first stage of an attack against ICS usually involves reconnaissance that allows the attacker to survey the environment. The next step would be to employ different tactics that will help attackers gain a foothold in the target network. The strategies and tactics at this point are highly similar to a targeted attack. To launch a malware, an attacker will make use of all the possible vulnerabilities and specific configurations of an ICS. Once these vulnerabilities have been identified and exploited, the effects of an attack can cause changes to certain operations and functions or adjustments to the existing controls and/or configurations.
The complexity of launching an attack on ICS depends on different factors, from the security of the system to the intended impact (e.g., a denial-of-service attack that disrupts the target ICS is easier to achieve than manipulating a service and concealing its immediate effects from the controllers). While there are already a lot of ways for attackers to damage an ICS, new tactics will continue to emerge as more and more devices are introduced to every ICS environment.
What vulnerabilities are exploited in ICS?
Since all ICS deal with both Information Technology (IT) and Operational Technology (OT), grouping vulnerabilities by categories assists in determining and implementing mitigation strategies. The National Institute for Standards and Technology’s (NIST) security guide for ICS divides these categories into issues related to policy and procedure, as well as vulnerabilities found in various platforms (e.g., hardware, operating systems, and ICS applications), and networks.
Policy and Procedure Vulnerabilities
- Inadequate security architecture and design
- Few or no security audits of the ICS environment
- Inadequate security policies for the ICS
- Lack of ICS specific configuration change management
- No formal ICS security training and awareness program
- Lack of administrative mechanisms for security enforcement
- No ICS specific continuity of operations or disaster recovery plans
- No specific or documented security procedures were developed from the security policies for the ICS environment
Platform Configuration Vulnerabilities
- Data unprotected on portable devices
- Default system configurations are used
- Critical configurations are not stored or backed up
- OS and application security patches are not maintained
- OS and application security patches are implemented without exhaustive testing
- Inadequate access control policies such as ICS users have too many or two few privileges
- OS and vendor software patches may not be developed until after security vulnerabilities are discovered
- Lack of adequate password policy, accidental password disclosures, no passwords used, default passwords used, or weak passwords used
Platform Hardware Vulnerabilities
- Inadequate testing of security changes
- Lack of redundancy for critical components
- Unsecure remote access of ICS components
- Lack of backup power from generators or Uninterruptible Power Supply (UPS)
- Dual network interface cards to connect networks
- Inadequate physical protection of critical systems
- Undocumented assets connected to the ICS network
- Unauthorized personnel have physical access to equipment
- Loss of environmental control could lead to overheating of a hardware
- Radio frequency and electromagnetic pulses (EMP) cause disruptions and damage to circuitry
Platform Software Vulnerabilities
- Denial-of-Service (DoS) attack against ICS software
- Intrusion detection/prevention software not installed
- Installed security capabilities are not enabled by default
- ICS software could be vulnerable to buffer overflow attacks
- Mishandling of undefined, poorly defined, or “illegal” network packets
- Unnecessary services are not disabled in the OS and could be exploited
- No proper log management, which makes it difficult to trace security events
- The OLE for Process Control (OPC) communications protocol is vulnerable to Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) vulnerabilities
- Use of unsecure industry-wide ICS protocols such as DNP3, Modbus, and Profibus
- Inadequate authentication and access control for configuration and programming software
- Many ICS communications protocols transmit messages in clear text across the transmission media
- ICS software and protocols’ technical documentation are easily available and can help adversaries plan successful attacks
- Logs and endpoint sensors are not monitored real-time and security breaches are not identified quickly
Malware Protection Vulnerabilities
- Anti-virus software not installed
- Anti-virus detection signatures not updated
- Anti-virus software installed in the ICS environment without exhaustive testing
Network Configuration Vulnerabilities
- Weak network security architecture
- Passwords are not encrypted in transit
- Network device configurations are not properly stored or backed up
- Passwords are not changed regularly on network devices
- Data flow controls e.g. Access Control Lists (ACL), are not used
- Poorly configured network security devices e.g. incorrectly configured rules for firewalls, routers, etc.
Network Hardware Vulnerabilities
- Lack of redundancy for critical networks
- Inadequate physical protection of network equipment
- Loss of environmental control could lead to hardware overheating
- Noncritical personnel have access to equipment and network connections
- Unsecured USB and PS/2 ports that can be used to connect unauthorized thumb drives, keyloggers, etc.
Network Perimeter Vulnerabilities
- No network security perimeter defined
- Firewalls are nonexistent or are incorrectly configured
- ICS control networks used for non-control traffic e.g. web browsing and email
- Control network services are not within the ICS control network e.g. DNS, DHCP are used by the control networks but are often installed in the corporate network
- Critical monitoring and control paths are not identified
- Authentication of users, data, or devices is substandard or nonexistent
- Many ICS communications protocols have no integrity checks built-in making it easy for adversaries to manipulate communications undetected
- Standard, well-documented protocols are used in plain text e.g. sniffed Telnet, FTP traffic can be analyzed and decoded using protocol analyzers
Wireless Connection Vulnerabilities
- Inadequate authentication between clients and access points
- Inadequate data protection between clients and access points
Network Monitoring and Logging Vulnerabilities
- No security monitoring of the ICS network
- Inadequate firewall and router logs make it difficult to trace security events
Possible weaknesses in ICS network
Every ICS environment may contain weaknesses depending on their configuration and their purpose. The size of an ICS environment can also be a factor–the bigger the environment, the greater the chance for an error to occur. An ICS environment that replaced its legacy system with modern systems and introduced tools like Industrial Internet of Things (IIoT) devices may also have more weaknesses for threat actors to exploit.
Industrial IoT and How It Affects ICS
As ICS continue to modernize, an increasing number of Internet of Things (IoT) devices are introduced to improve productivity and enhance system control. With the use of related IoT devices; process controls, data monitoring, and communication with other systems are made simpler. However, there are risks involved when smart devices are used for such tasks.
IIoT incorporates machine learning and big data analysis. It also harnesses sensor data, machine-to-machine (M2M) communication, and automation technologies that have previously existed in the industrial setting. IIoT can perform tasks such as data aggregation, predictive analysis, prescriptive analysis, data value addition, and even the creation of new business models.
Similar to how the introduction of smart phones was followed by the rise of vulnerabilities and malware related to the platform, integrating Human Internet of Things (HIoT) and IIoT devices may create similar problems. In fact, managing IoT devices in the ICS environment can create major challenges in security, as each device will have to be properly defended and secured. Not applying adequate security leaves the entire ICS ecosystem highly vulnerable to attacks.
With the use of IIoT there are also a few unique challenges to overcome:
- Technology fragmentation complicates network processes. As devices of different and/or independent operating systems are used, the varying patching schedules may be difficult to address. An example of this is when an ICS uses a mix of legacy systems and new software. Not only will the two not communicate properly, the vulnerabilities found in unpatched legacy systems may also be used by threat actors to break into an ICS network.
- Machine to Machine (M2M) and IoT application development is difficult. Unlike manufacturing HIoT, which are mass produced, the development of M2M and IoT applications for ICS requires special skill sets on hardware and software development, IT, and communications.
- Legacy systems and legacy communication protocols are still widely used in industrial environments. An example of legacy systems is Windows 3.1, which still runs the program DECOR (used in Airplane takeoff and landing). Then there are also legacy communications protocols that include PROFIBUS, which is still widely used today. These systems have to be integrated via standards-based protocol gateways to send and receive data and commands easier.
Although hacking IoT devices may be challenging, threat actors behind targeted attacks are both knowledgeable and persistent–which could lead to successful breaches in a target’s network. In addition to this, device loss is also a major cause of data breach. One misplaced device may give cybercriminals the necessary access to penetrate the target’s network.
Potential Impact on ICS Components following Cyber Attacks
The impact of cyber attacks on industries using ICS depends on the target’s nature of operation or the motivation of cybercriminals pursuing the attack. Every effect listed below may be felt by a target’s internal, as well as external, clientele.
- Changes in a system, an operation system, or in application configurations. When systems are tampered with, it may produce unwanted or unpredictable results. This may be done to mask malware behavior or any malicious activity. This may also affect the output of a threat actor’s target.
- Change in Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), and other controllers. Similar to a change in systems, a change in controller modules and other devices can lead to damaged equipment or facilities. This can also cause process malfunction and disabled controls over a process.
- Misinformation reported to operations. This scenario may lead to the implementation of unwanted or unnecessary actions due to wrong information. Such an event can result in a change in the programmable logics. This can also help hide malicious activity, which includes the incident itself or the injected code.
- Tampered safety controls. Preventing the proper operation of fail safes, and other safeguards puts the lives of employees, and possibly even external clients, at risk.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.