Critical infrastructure operators can’t be blamed for a perpetual case of whiplash. They are mired between hackers targeting internet-facing and air-gapped systems with equal precision, and vendors and management unwilling to properly tackle security for fear of downtime and incompatibility.
“The space of ICS/SCADA has not changed much, so you can find devices running old OSes and even if you want to protect them, you don’t have tools that can support it,” said Moshe Ben-Simon, TrapX cofounder. “ICS and SCADA operations and protocols are very sensitive and any change or blocking process may lead to damage. Today you can find standard PCs managing critical sites such as water and electricity, and no one is willing to take the risk of future damage.”
TrapX this week published a table-setting report on ICS and SCADA security, making its case through five real-world examples of organizations dealing with attacks or lack of support.
“Vendors are not willing to invest in securing their technologies because they don’t have the knowledge and are not willing to invest money,” Ben-Simon said. “Operators are afraid to deal with these devices due to a lack of knowledge and concern that security technologies can harm the site without any attack.”
Critical infrastructure operations, whether they be manufacturing plants or utilities, are facing attackers from both the nation-state and criminal realms. Criminals are interested in extortion, holding manufacturing plants hostage, or stealing intellectual property for financial or competitive gains. Nation-state attackers, meanwhile, have other goals in mind, according to the TrapX report.
“Nation states will deeply learn the site and improve their network persistence for the ‘command day’ to harm the system,” Ben-Simon said. “The main goal is to understand the ICS role inside the manufacturing and critical infrastructure site, and take control using backdoor access to avoid exposure. Once they get control of the ICS system or device, they have all the options in hand, from changing operations to shutting down the entire system.”
Stuxnet is the most high-profile industrial attack, but Ukraine has also twice been hit by attackers targeting its power grid, and large telecommunications operators and other critical industries were affected by the recent WannaCry and ExPetr attacks. Determining exactly how often a cyberattack results in physical harm to operational equipment is difficult because regulations don’t require manufacturers or operators to publicly disclose attacks.
“In the last 5 years, we saw cases where physical damage occurred but you cannot cut the actual percent from it,” Ben-Simon said. “I will be very sensitive to say that 10 percent to 12 percent of the attacks result in physical damage to equipment; we see it more and more with the manufacturing industry.”
Even air-gapped machines, servers and equipment that are supposed to be isolated from the public network aren’t invulnerable. TrapX’s report cites several strategic failures where these systems were popped through social engineering or a rogue USB stick. Isolation and segmentation, however, remain key defensive tactics for ICS and SCADA operators, as does minimizing third-party vendor access for remote support, which can also be abused to gain access to critical systems.