3 ways SCADA system attacks are becoming more sophisticated

June 17, 2015
When faced with a growing cyber threat, how will your SCADA system fare?

Cyber threats against the electric grid are escalating dramatically. 

According to a new report by Dell Security, cyber attacks on supervisory control and data acquisition (SCADA) systems doubled last year and they’ve increased 600% since 2012. As alarming as those statistics are, another key finding is even more troubling--physically disruptive attacks are becoming increasingly common. In fact, 25% of all cyber incidents last year were a specific type of attack that can flood SCADA systems and shut down mechanical devices and potentially disrupt physical operations. These attacks are expected to worsen over the next few years, and the U.S. is the third most targeted country in the world. The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) found that critical infrastructure attacks are up, the energy industry is the most heavily targeted sector of all (32% of attacks) and "denial-of-service" attacks have become a favorite of attackers.

Hacktivists, hackers with ties to foreign governments and organized crime, are playing a major role in the growing cyber threat and these are the three ways their attacks are becoming more sophisticated.

1. Stealthier attacks

Utilities' IT teams are probably most familiar with "phishing" emails and automated probes from "bots" to try and infect their operations. However, these attacks are evolving to become much more sophisticated, targeted and stealthy. In particular, there are two types of attacks utilities must be aware of: "cross-site scripting" and "drive-bys." Both of these attacks use legitimate websites to sneak into a company's network. How does this happen? Because a vulnerability in the legitimate website (it could be a well-known industry vendor, a news site, discussion forum, etc.) allows the hacker to either run malicious code or plant malware that infects anyone who visits the site. All a drive-by attack requires is for an employee to visit the infected website. With a cross-site scripting attack, the employee is infected when clicking on a legitimate link sent via email.

Hackers are also more likely to target a utility employee at home, in an effort to steal credentials that may be typed into a home PC or infect removable media like a USB flash drive which the employee brings back to work.

2. Destructive malware

Malware is also evolving and now has far more destructive capabilities than we've previously seen. While many will be familiar with the name "Stuxnet," the complex worm that hijacked centrifuges at Iran's nuclear program, there are many other viruses, worms and trojans that can disable all or part of a plant's physical operations. Two of the most serious: "wipers," which erase everything on a computer or device, thereby rendering that device totally unusable and "encryption malware" which instead of deleting data, locks it behind an almost unbreakable wall of encryption. Encryption malware is more commonly known as "ransomware."

3. Denial of service

In addition to malware that can disrupt a plant's operations, there are also a number of web attacks that can do the same thing. Two of the most widely seen are "buffer overflows," this is when an attacker floods a chokepoint in the network, causing it to malfunction, and "distributed denial-of-service," when massive amounts of data are thrown at the network to overwhelm and cripple it. Chances are, your utility is susceptible to both of these attacks - the DHS report found they were the most common vulnerabilities in industrial facilities last year.

As these attacks become more sophisticated, it’s important for utility managers to focus just as much on post-breach damage control measures as they do on active defense. It's simply not possible to prevent every advanced attack, so "containment" is equally important. 

Preventive steps include auditing the network for any outdated or unpatched systems, from individual workstations to servers, web applications, antivirus, etc. For example, does your network contain any Windows XP machines or Windows Server 2003? The utility should also be using a modern firewall setup, aggressive malware detection tools, email whitelisting and active monitoring both for attempts against the network and suspicious activity behind the firewall (such as data exfiltration). Ban all removable/portable media from entering the workplace--that means USB flash drives, smartphones, tablets, anything that goes home and comes back.

Post-breach containment is vital. Make sure any critical industrial system that can be air-gapped is, and then look at other areas of the network to see how they can best be segmented. Segmentation is key. That way, when one computer is infected, it won't be able to spread laterally across the entire operation. Implement an 'access control" policy--i.e., no single employee should have too much access to company data, systems and key operations. Review your utility's logging practices--it's important that any cyber incidents are fully documented so that incident response teams can determine the type of attack and extent of damage.