Cybersecurity threats are increasing in frequency, scale, sophistication and severity. However, despite several recent cyber-attacks by nation-states against private-sector targets, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) estimates that the likelihood of a catastrophic attack is presently remote. ICS-CERT instead envisions an ongoing series of low- to moderate-level cyber-attacks that will impose cumulative costs on U.S. economic competitiveness and national security, according to Neal Hirschfield, deputy director of ICS-CERT, which is part of the U.S. Dept. of Homeland Security.
"Sophisticated adversaries are becoming more advanced in their reconnaissance, network penetration, detection evasion, persistent access and data exfiltration capabilities," explains Hirschfield. "Unsophisticated adversaries have easy access to victim identification and scripted exploits of control systems. Inherent vulnerabilities in control system environments are coupled with interconnectivity to business networks. There's also been a shift from isolated systems to open protocols, including access to remote sites through the use of modems, wireless, and private and public networks. And, of course, the industrial Internet of things (IIoT) means even more control systems connecting to the Internet."
These events and trends have shaped the overall evolution of risk and the present state of cybersecurity in the process control industries. Hirschfield reported that, while there were 39 cyber-incidents involving industrial control systems (ICS) in 2010, there were 290 incidents in 2016. "In 2010, there were few ICS intrusions and most were identified infections that were usually inadvertent. Plus, there was little evidence of focused R&D programs by sophisticated threat actors to develop ICS exploitation capabilities," adds Hirschfield. "In 2016, there were 41 confirmed and reported ICS intrusions in fiscal year (FY) 2014, and 23 confirmed ICS intrusions in FY 2015. There have also been multiple, sophisticated, ICS-focused campaigns since 2001, including BlackEnergy and Havex. As a result, there's been vast commercial research into ICS discovery, vulnerabilities and exploits."
One of the most egregious recent cyber-attacks caused power outages on Ukraine's electrical grid on Dec. 23, 2015. Analysis revealed that the attackers used spear phishing (tricking victims into opening spurious emails and downloading malware) to steal credentials, used those credentials to connect to the local electric utility's virtual private network (VPN), and then used remote desktop software to manipulate human-machine interface (HMI) controls.
"Power was restored in four to six hours by switching to manual control, and the affected electric companies were still in manual mode as of February 2016," says Hirschfield. "This attack demonstrated extensive preparation and coordination, but limited technical sophistication. Meanwhile, U.S. infrastructure is vulnerable to similar attacks across multiple sectors, and these systems might not be able to switch to manual as easily. We also learned the importance of multi-factor authentication in the Ukraine incident. Some organizations have legitimate operational needs for remote access and/or monitoring, but if remote access is granted without adequate isolation and boundary protection, they'll be susceptible to compromise by campaigns like these."
In general, Hirschfield advises users to:
- Never connect to the Internet without a firewall;
- Not allow business/IT level direct access to control systems;
- Require different logins and passwords for business and control departments;
- Require multi-factor authentication codes;
- Only allow data to go out from control systems through network demilitarized zones (DMZ) and not back in; and
- Perform a thorough security assessment.
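The boundary-protection items in that list (firewall, no direct business-to-control access, data leaving the control network only through a DMZ and never initiated back in) can be expressed as a single stateful ruleset on the firewall that separates the zones. The nftables ruleset below is an added example written for this page; it is not ICS-CERT's or Control's own configuration, and the interface names (biz0, dmz0, ctl0), the historian address 10.20.0.10 and the port numbers are assumptions chosen for illustration. The point it shows is that "out but not back in" is a rule about which side may open a connection: the control network may initiate a push to the DMZ historian, replies flow back through connection tracking, and nothing in the DMZ or business zone may initiate a session into the control zone.

```nft
#!/usr/sbin/nft -f
# Added example (not from the page): three-zone ICS perimeter firewall.
# Assumed interfaces: biz0 = business/IT network, dmz0 = control DMZ,
# ctl0 = control system network. Assumed host: 10.20.0.10 = DMZ historian.
flush ruleset

table inet ics_perimeter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that were allowed below; this is what
        # lets data "go out" from control without letting anything "come back in"
        # as a new session.
        ct state established,related accept
        ct state invalid counter drop

        # Control -> DMZ: the historian collector pushes process data outward.
        # Only the control side may open this connection (assumed port 5432).
        iifname "ctl0" oifname "dmz0" ip daddr 10.20.0.10 tcp dport 5432 accept

        # Business -> DMZ: analysts read the historian's web front end (assumed 443).
        # Business users never reach ctl0 directly.
        iifname "biz0" oifname "dmz0" ip daddr 10.20.0.10 tcp dport 443 accept

        # WEAK SETTING, shown only to contrast: direct remote desktop from the
        # business network into the control network. This is the kind of path
        # the Ukraine attackers used once they held VPN credentials. Never enable it.
        # iifname "biz0" oifname "ctl0" tcp dport 3389 accept

        # Nothing may initiate into the control zone from either other zone.
        # These two lines are redundant with the drop policy but make the
        # intent auditable in `nft list ruleset` and give a hit counter.
        iifname "dmz0" oifname "ctl0" counter drop
        iifname "biz0" oifname "ctl0" counter drop

        # Everything else: log, then the chain's default policy drops it.
        counter log prefix "ics-fw-drop: "
    }
}
```

Load it with `nft -f` and confirm the loaded policy with `nft list ruleset`; the per-rule counters on the two explicit drop lines are the quickest way to see whether anything is trying to initiate into the control zone. The ruleset enforces isolation and direction only; the multi-factor authentication and separate business/control logins in the list above have to be enforced at the VPN concentrator or a jump host placed in the DMZ, because a packet filter cannot see who is behind a session.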
ICS-CERT offers a variety of resources, risk-assessment tools, training and other services that organizations in the process and other industries can use to improve their cybersecurity. One of the most popular is its Cyber Security Evaluation Tool (CSET), which helps an organization assess its current cybersecurity posture against recognized standards. All are available on the ICS-CERT website.
For more, read Control's December 2016 cover story, "Building a united front for cybersecurity."