For many years, there have been warnings about the cyber vulnerability of multiple infrastructures world-wide. Yet, those warnings are still not being adequately addressed. In 2004, the Idaho National Laboratory (INL) provided a glimpse of what we’re seeing today with CrashOverride, etc. As a demonstration for the 2004 ICS Cyber Security Conference, the white hat hackers at INL exploited a recently disclosed vulnerability. The demonstration used the vulnerability to open and close breakers as well as change breaker operator status from hundreds of miles away. At the same conference, a US utility disclosed how they had their SCADA system shut down for 2 weeks by a cyber attack that installed root kits in their SCADA system. The attack was traced to Eastern Europe and from there the trail went cold. A presentation was given at the 2014 ICS Cyber Security Conference about how the Russians cyber attacked the US grid using Havex and BlackEnergy. Yet, to this day, neither the NERC CIPs nor NEI-0809 require that malware be removed. Additionally, both NERC CIP and NEI-0809 exclude many systems (as not being “critical”) that could have BlackEnergy, or other, malware installed. At the 2014 Conference, we also had a presentation by a Russian researcher on hacking the HART protocol – the protocol for 4-20 milliamp analog sensors used in multiple industries world-wide. The TrendMicro ICS honeypot program, which emulated a small water utility in rural Missouri, demonstrated how cyber attackers world-wide are ready to pounce on inadequately secured control systems regardless of the size or importance of the facility. In this case, cyber attackers from all over the world targeted this “utility”, including its ICSs, within an hour of it appearing on the Internet.
As mentioned in previous blogs, a number of auto assembly plants were shut down because of fear of the malware. The radiation monitoring system (not the sensors) was compromised at Chernobyl and the system had to be operated in manual. A US nuclear plant's business network was hacked by foreign attackers. A chocolate factory in Australia halted production because of the malware. As process sensors are still not authenticated or secure, consider the implications of hacking the actual sensors and the attendant damage.
With ICSs, we are in a very uneven battle. ICSs were not made to be cyber secure and often cannot be upgraded to provide what many in the cyber security community would consider to be a minimal level of protection. On the other hand, the hackers are dedicated to finding and exploiting vulnerabilities and have been given access to the latest zero-day exploits. As I believe it is a losing battle to secure ICSs, we need to be able to detect cyber attacks that affect operational system performance and we need to have a resilience/recovery plan. This has been demonstrated in the Ukraine with the ability to operate the systems in manual operation for an extended period of time. We also need to reconsider whether critical control and/or safety systems should be connected to the Internet.