At ARC’s recent Fifteenth India Forum, silver sponsor Belden provided an over-view on the importance of industrial cybersecurity and a practical and structured approach for avoiding/mitigating cyberattacks, both intentional and unintentional. According to Belden’s commercial engineering director for industrial cybersecurity Justin Nga, intentional cyberattacks caused by hackers or disgruntled employees account for only 20 percent of known cyber incidents. Unintentional cyberattacks caused by a software or device flaw, human error, or malware infection account for the remaining 80 percent.
According to Nga, changes in consumer behavior, labor substitution, and increased productivity are expected to drive investments in automation that will accelerate adoption of Internet Protocol (IP) technology. While IP can certainly help companies connect their plants and factories to the enterprises, IP-enabled automation equipment is likely to increase their exposure to cyberattacks due to increased interconnectivity. Organizations must reevaluate their systems and security approaches to secure against industrial control system (ICS)-related threats, breaches, and other incidents. Some key takeaways from his presentation include:
- Identify and evaluate cybersecurity risks
- Use recognized standards and frameworks to harden systems and manage potential threats
- Monitor for change and implement continuous monitoring
Industrial Security Is Different
According to Mr. Nga, today’s data-driven economy, uninterrupted access to data, including ICS control information and data, is important for businesses to operate smoothly. For safeguarding the ICS environment, organizations require a different set of approaches than for enterprise information technology (IT) system. For the IT network, maintaining the confidentiality of the amount of sensitive operational data being stored or handled remains the top priority, followed by data integrity and data availability. In the ICS environment, while safeguarding data is certainly important, the priority here is to protect process availability, integrity, and confidentiality. Thus, cybersecurity techniques such as patch management, anti-malware protection, security configuration management, secure networks, ICS vendor software updates and a layered defense in-depth ICS infrastructure to ensure the availability, integrity, and confidentiality of system data.
Reports on industrial cybersecurity-related incidents show that the following three factors contributed to the recent surge in cyberattacks:
- Increased use of information technology in industrial sites
- Increased availability of ICS-related vulnerability information in public domain
- Availability of cheap or free penetration testing and scripting tools
Case Studies on Industrial Cybersecurity Attacks
Mr. Nga explained the importance of cybersecurity for businesses with the help of the following four case studies:
Stuxnet Worm, a malicious malware that first surfaced in 2010, infiltrated numerous Siemens PCS7 systems and the ancillary windows networks and computer systems, Siemens Step7 and WinCC software, and S7 programmable logic controllers around the world. The worm is reported to have infected over 200,000 computers. However, the main payload of the malware was to attack Natanz – Iran’s primary uranium enrichment facility.
The Stuxnet malware, 20 times denser than the average malware code, was professionally written and bug-free. The malware carried four zero-day exploits. Once the malware hit the target, it waited for 13 days before executing, recording normal operating parameters to replay on the HMI during the attack. Researchers took almost 30 days to just understand the initial payload, as they were not familiar with ICS protocols. A USB memory stick was used as the primary threat vector to spread the malware.
Stuxnet operated in two stages after infiltration:
First attack: The malware increased the centrifuge equipment rotational frequency, causing the unit to reach resonance and fail catastrophically.
Second attack: It then lowered the rotational frequency, causing centrifuge rotor imbalances, which in turn led to total centrifuge failure. The malware then showed plant operators and administrators fake replayed SCADA values and misled them to look for possible system failures. It even intercepted the system’s safety shutdown command, thereby leading to the total plant outage.
Though it was not the first time industrial systems were attacked, Stuxnet was the first malware equipped with a PLC rootkit to spy on and subvert industrial systems. The Stuxnet attack demonstrated that it is possible to cross the divide between the physical and the cyberworld.
Shamoon, an aggressive data-wiping malware, was first publicized in August 2012. The malware overwrote the information on the hard drives of Saudi Aramco workstations. The malware also erased some vital data from the original system.
However, the number of bugs found in the Shamoon coding indicated that the hackers were not professionals, but skilled amateurs. Although low-intensity cyberattacks are more frequent, the Shamoon attack was widespread and wiped out close to 30,000 workstations.
Identified several years ago, BlackEnergy is a sophisticated Trojan designed to conduct distributed denial-of-service, cyberespionage, and data destruction attacks. In December 2016, the malware appeared to have targeted the power grid in the western part of the Ukraine. The malware allowed hackers to remotely gain unauthorized access to the utility’s computer networks and critical power transmission and distribution (T&D) systems. This helped them take control of the T&D systems, thereby leading to a cascading power failure that caused huge power outages in close to 700,000 homes for almost three to four hours. The original threat vector was through “spear phishing,’ using an e-mail that contained the malware.
While malware attacks targeting critical industrial infrastructure are not a new phenomenon, viruses like BlackEnergy were equipped with destructive functionalities capable of penetrating critical ICS operations and causing difficult-to-prevent catastrophic system failures.
DragonFly, a destructive malware designed mainly to target the business computers in the pharmaceutical sector, was first publicized in February 2013. It was the first major documented cyberattack on the discrete manufacturing sector exploiting the vulnerabilities of Windows XP-based computers.
The malware infected systems vital to the operations of the targeted businesses via software supplied by three ICS vendors (eWON, MB Connect Line, and Mesa Imaging). The potential impact of the malware attack included theft of production batch sequences, proprietary recipes, and device and network information. Threat vectors used were email spear phishing, Trojan software, and a “watering hole.”
These case studies clearly indicate the importance of cybersecurity in industries as they can be highly disruptive for the targeted organizations, potentially damaging their critical industrial systems. As stated by Mr. Nga, without additional security measures, there is little that can be done to restrict the impact of such targeted attacks.
Industrial Cybersecurity Standards
Mr. Nga expressed the opinion that cybersecurity as a program is more of a strategic and economic proposition than a technical solution. He urged organizations to follow these eight major cybersecurity domains formulated by International Information System Security Certification Consortium, (ISC2) Common Body of Knowledge, 2017 to safeguard against potential cyberattacks, and build a holistic cybersecurity lifecycle program. Industry-specific cybersecurity standards like NERC/CIP, IEC62443 and NIST SP800 can also help guide an organization on this journey.