Industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, are increasingly at risk of cyber-attack, recent security reports have revealed. Both the capabilities to attack such systems and the number of attacks recorded are on the rise. And the rise of the Industrial Internet of Things (IIoT) will only make things worse.

The recent report "Up and to the Right" from threat intelligence company Recorded Future shows that the number of reported security vulnerabilities for ICS systems has grown steadily since 2011 (post-Stuxnet) and shows no sign of slowing. At the same time, as reported by researchers and industry watchers, the number of “exploits” available for those vulnerabilities has also grown, the report said.

The number of reported exploits has risen sharply since 2011, and 2015 is continuing that trend. (Source: Recorded Future)

In its annual Threat Report for 2015, Dell Security reported that the number of reported attacks on SCADA systems worldwide had doubled last year, from 163,228 in 2013 to 675,186 in 2014. Nearly a quarter of these exploited buffer overflow vulnerabilities. The actual number may be much higher, however, as many SCADA attacks go unreported, the report adds, noting that companies are only required to report data breaches that involve personal or payment information.

Despite the risks, however, industry seems to be slow in responding. “The industry has made improvements,” said Recorded Future CEO Christopher Ahlberg in an interview with EE Times, “but it has not been improving. Some vendors are working on it but some still have a lot of work to do. And with this whole wave of IoT things are going to get worse as the attack surface of systems expands.”

Ahlberg acknowledged that with a large installed base of systems the task of beefing up their security is difficult, but he doesn’t see that as the main problem. “The industry really hasn’t had its ‘Microsoft security moment,’” he said, referring to the time Microsoft systems encountered the Code Red worm, prompting the company to initiate a regular program of issuing security patches to its OS.

One thing that Ahlberg indicates may be contributing to the industry’s inertia is a lack of truly damaging attacks. “It’s not been like on the banking side or healthcare,” Ahlberg said, “we haven’t really seen serious attacks on these systems.” His concern, however, is that the attacks that are happening are simply a preliminary probing of these systems to identify exploits, steal credentials, quietly insert malware, and the like. “There is a lot of preparation being done,” he said, “and there will be a day.”

Similar sentiments have come from James R. Clapper, US Director of National Intelligence. Speaking to the US Congress earlier this month, Clapper said “Foreign actors are reconnoitering and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile.” He pointed out an example of Russian cyber actors developing the means to remotely access the ICS used to manage critical infrastructure, by compromising the product supply chain of several ICS vendors. The cyber actors were able to insert malware designed to facilitate exploitation directly into the vendors’ downloadable files so that customers acquired the malware along with legitimate software updates directly from the vendors’ websites. While he doesn’t see any immediate threat of a “catastrophic attack” – it would be seen as an act of war – he foresees “… an ongoing series of low-to-moderate level cyber-attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.”

Easy does it
As yet, cyber criminals are targeting the easy systems, such as regular computers, first, Ahlberg said. But exploiting ICS systems is getting easier to do and “they’ll get braver and realize they can make real money at attacking ICS.” He is particularly concerned about ransomware attacks in which the cyber-attacker takes control of an ICS system and extorts payment in order to release it. The potential certainly exists, as reported in the article “Cyber-Mugging” in the Journal of Information Warfare (Vol. 13, No. 2, April 2014). In a simulated attack in which the attacker had no ICS experience, worked only with open-source tools under a limited time frame, and simply leveraged published ICS vulnerabilities, the attacker was able to gain full control over the ICS abilities, including management of users.

The message to take from these security reports is that it’s time for the whole ICS industry to step up to the challenge of security. Things to do, according to Ahlberg, include:

Put reporting mechanisms in place to detect faults and attack attempts

Become more friendly to security researchers who are trying to identify vulnerabilities so that they can be closed

Figure out and implement patching systems that will continue to improve security on systems in the field indefinitely. “If a system is once installed and you don’t touch it again,” said Ahlberg, “it becomes incredibly vulnerable over time.”

Ahlberg acknowledges that these efforts will add to the cost of new systems as well as representing a major expense in field-upgrading installed systems. As a result, he is calling for industry-wide collaboration along with the help of governments to deal with legacy systems. “No one actor can fix 25 years of buildup. This is going to take real work.”

“The good news is that other industries have done this,” Ahlberg added, “and built up programs to handle ongoing security improvement. This will give the ICS industry a head start.”

—Rich Quinnell covers industrial control for EE Times.
