Industrial Control Systems (ICS) play an important role in industry today by providing distributed control, process automation, and monitoring. They were designed for use in isolated environments and connect to other systems through specialized communication protocols and mechanisms. This enables manufacturers to run safe and flexible production processes. However, that isolated design does not fit today's business requirements, which call for state-of-the-art technology such as the Internet of Things (IoT), data analytics, and smart payments.
To keep up with these requirements, Industrial Control Systems have been linked to business networks so that users can access real-time data generated by power plants. Many internet-enabled devices and software applications have been integrated with ICS, providing numerous benefits. At the same time, this has widened the attack surface and opened up new cybersecurity challenges for ICS.
It is important to know common cyber threats to ICS in order to implement security controls. Let’s have a look at some of them.
1. Insider Threats
Insider threats are everywhere, and ICSs are no different. This happens mostly when there is a disgruntled employee. They can steal a password by "shoulder surfing" other technicians, log in to the equipment that controls the physical process, and trigger a plant shutdown.
ICS technicians know how to operate the components, but they are typically less familiar with the safety systems designed to protect industrial processes. Such cases mostly result in a partial, or sometimes complete, plant shutdown, depending on the insider's knowledge and the industrial process.
If the disgruntled employee is in the IT department, they can obtain remote access by getting another technician's credentials and logging in to a remote ICS workstation. They can use social engineering techniques to log in to the networks, but they usually have little knowledge of the physical processes or control systems.
2. Ransomware
Ransomware is one of the biggest threats in the cyber industry today. Any engineer who is unfamiliar with safe cyber practices can accidentally download ransomware onto a workstation that is connected to an ICS. This malware can exploit known, unpatched vulnerabilities in the industrial network, encrypt the workstation, and spread to all the systems in the network. This can shut down the control system. Because the ICS is impaired, it is not shut down in an orderly manner. Instead, the emergency shutdown can damage important equipment located at the plant. This can affect production for months, even after the ransomware is cleared and the system is restarted.
Cyber attackers who design ransomware are often sophisticated criminals. They can create malware that spreads quickly through a network and evades common security measures such as antivirus software. But with little knowledge of ICS and industrial processes, the damage is mostly a physical shutdown of the plant that can last for many days until the industrial process can be restarted. This results in downtime and lost production of a few days.
However, in the worst case, an unplanned shutdown may cause irreparable damage to important equipment. In that case, the damaged equipment needs to be replaced with new equipment, either by purchasing or by manufacturing it. This downtime can last for up to 12 months.
3. Hijacked Two-Factor
Sophisticated cyber criminals can compromise operations even at an industrial site with high security. They can write custom malware that evades antivirus systems, target the site's technical support staff through social media, and send them targeted phishing emails. Unknowingly, the staff can activate the malware and grant it administrative privileges, believing it to be legitimate software.
In most cases, the cybercriminals do not activate the malware while the technicians are on site. They wait for them to leave the industrial premises and log in to the industrial site remotely to solve an issue. When the technician connects over the VPN and completes two-factor authentication, the malware activates. It displays an error message indicating that the remote desktop is not working and asks the technician to restart the session. When the user restarts, the attackers take over the remote desktop window and retain access to the industrial site for as long as the technician's laptop stays on with the VPN connected. As a result, the Intrusion Detection Systems at the industrial site are unable to detect the intrusion; all they can see is that the technician logged in twice.
This type of threat requires a high level of sophistication on the criminal's end. Currently, there is no remote access toolkit easily available for download that can defeat two-factor authentication.
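The one trace the text says this attack leaves is a technician who appears logged in twice. The following detection logic, added here as an illustration and not part of the original article, parses a constructed remote-access log (the field names and session ids are assumptions) and flags an account holding two live remote-desktop sessions at once, or re-logging in shortly after a remote-desktop error.

```python
import shlex
from datetime import datetime

# Constructed sample events, not real logs: tech01's desktop session reports an
# error and a second session starts while the first one is never closed.
SAMPLE_LOG = """\
2024-03-01T22:05:10 user=tech01 event=vpn_connect session=a1
2024-03-01T22:05:42 user=tech01 event=rdp_login session=a1
2024-03-01T22:06:30 user=tech01 event=rdp_error session=a1 msg="remote desktop not responding"
2024-03-01T22:06:45 user=tech01 event=rdp_login session=a2
2024-03-01T22:40:00 user=tech02 event=rdp_login session=b1
2024-03-01T23:10:00 user=tech02 event=rdp_logout session=b1
2024-03-01T23:55:00 user=tech01 event=rdp_logout session=a2
"""

def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts; shlex keeps quoted values intact."""
    events = []
    for line in text.splitlines():
        ts, *fields = shlex.split(line)
        ev = {k: v for k, v in (f.split("=", 1) for f in fields)}
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def find_duplicate_sessions(events, window_s=300):
    """Return (timestamp, user, reason) alerts for a second live RDP session on the
    same account and for a new login within window_s seconds of an rdp_error."""
    open_sessions = {}   # user -> set of session ids currently logged in
    last_error = {}      # user -> timestamp of the most recent rdp_error
    alerts = []
    for ev in events:
        user, kind, sid = ev["user"], ev["event"], ev["session"]
        if kind == "rdp_error":
            last_error[user] = ev["ts"]
        elif kind == "rdp_login":
            live = open_sessions.setdefault(user, set())
            if live:
                alerts.append((ev["ts"], user, f"second live session {sid} alongside {sorted(live)}"))
            err = last_error.get(user)
            if err is not None and (ev["ts"] - err).total_seconds() <= window_s:
                alerts.append((ev["ts"], user, f"re-login {sid} within {window_s}s of a desktop error"))
            live.add(sid)
        elif kind == "rdp_logout":
            open_sessions.get(user, set()).discard(sid)
    return alerts

if __name__ == "__main__":
    for ts, user, reason in find_duplicate_sessions(parse_events(SAMPLE_LOG)):
        print(ts.isoformat(), user, reason)
```

Both alerts point at the same account and minute, which is the kind of correlation a site could route to an on-call reviewer rather than treating each login as routine.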
4. Compromised Vendor Website
Most ICS vendors can be trusted, but the same cannot be said about their websites. An ICS vendor with a poorly secured website can be compromised by hackers. They can download copies of the vendor's software and study it to learn sensitive information such as the name or location of an industrial site. They can use the compromised website to unpack security updates for the ICS software, insert a script, repack the update, sign it with the private key stored on the server, and post the tampered update along with a new hash. Many sites may then install the compromised update. The script activates at each victim site and, upon finding the targeted enterprise's name, installs another script that can trigger a shutdown at the site.
This type of attack requires moderate sophistication with limited engineering knowledge.
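Because the attacker in this scenario re-signs the package and re-posts its hash from the same compromised server, a hash published beside the download proves nothing. The check below is an added example, not the article's or any vendor's code: it assumes the vendor publishes a per-file manifest through a channel independent of the download site, and verifies a constructed update archive against that pinned manifest, flagging inserted, altered, or missing files.

```python
import hashlib
import io
import zipfile

def build_update(files):
    """Pack {name: bytes} into an in-memory zip; stands in for a vendor update package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def manifest_for(files):
    """Per-file SHA-256 manifest, as a vendor would publish through a separate channel."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def verify_update(package, pinned_manifest):
    """Compare archive contents with an out-of-band manifest. Empty list means clean."""
    findings = []
    seen = set()
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for info in z.infolist():
            seen.add(info.filename)
            actual = hashlib.sha256(z.read(info)).hexdigest()
            expected = pinned_manifest.get(info.filename)
            if expected is None:
                findings.append(f"unexpected file in update: {info.filename}")
            elif actual != expected:
                findings.append(f"hash mismatch: {info.filename}")
    for name in sorted(pinned_manifest.keys() - seen):
        findings.append(f"missing file: {name}")
    return findings

def posted_hash_matches(package, posted_hash):
    """The check a site-published hash allows: it only proves the download was not corrupted."""
    return hashlib.sha256(package).hexdigest() == posted_hash

# Constructed sample update (hypothetical file names and contents).
GENUINE = {"hmi/controller.bin": b"genuine firmware build 2.3", "hmi/config.ini": b"[plc]\naddr=1\n"}
PINNED_MANIFEST = manifest_for(GENUINE)       # obtained independently of the download site
TAMPERED = dict(GENUINE, **{"hmi/post_install.py": b"# script inserted into the repacked update\n"})

genuine_pkg = build_update(GENUINE)
tampered_pkg = build_update(TAMPERED)
# Whoever controls the site regenerates this hash, so it matches the tampered package.
POSTED_HASH = hashlib.sha256(tampered_pkg).hexdigest()
```

Running `verify_update(tampered_pkg, PINNED_MANIFEST)` reports the inserted file even though `posted_hash_matches(tampered_pkg, POSTED_HASH)` is true, which is the gap between download integrity and update authenticity.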
5. Hardware Supply Chain
Cyber attackers can compromise an enterprise's IT network and steal information about the vendors supplying industrial equipment to the enterprise, along with information about the carriers that ship the equipment to the industrial site. They then develop relationships with delivery drivers and tamper with the hardware in transit, implanting wirelessly accessible embedded systems. Later, they can access those implants to impair the physical process and cripple production.
Cyber threats are everywhere, and for every industry a security program can only be designed and evaluated with a clear understanding of the threats it faces. For industrial control systems, it is important to assess the risks and types of threats in order to devise a solution for securing industrial sites.