The UK Defence Secretary has warned of a serious threat to the UK’s infrastructure. Mission critical sites need to be prepared. Louise Frampton reports
In recent years, there has been increasing awareness of the threat posed to critical infrastructure through security flaws in software for industrial control systems (ICS), Supervisory Control and Data Acquisition (Scada), and Data Centre Infrastructure Management (DCIM). All of these technologies provide vital functions in critical industry sectors, yet vulnerabilities are leaving an ‘open door’ to hackers.
The attacks on power grids in Ukraine, in late 2015, seriously destabilised the country, and demonstrates the importance of protecting against these types of attacks. The UK Defence Secretary, Gavin Williamson, recently warned that Russia could cause ‘thousands and thousands of deaths’ by crippling UK infrastructure. He claims that Moscow has been spying on energy supplies which, if cut, could cause ‘total chaos’. The warning came after the chief of the National Cyber Security Centre, Ciaran Martin, reported that Russia had already staged attacks against Britain’s media, telecommunications and energy sectors. The country’s national critical infrastructure must be prepared for future threats.
Researchers at the Georgia Institute of Technology recently demonstrated the capability of ransomware to take down the critical infrastructure of major cities, while presenting at the 2017 RSA Conference in San Francisco. Researchers created a proof-of-concept ransomware (LogicLocker) that, in a simulated environment, was able to gain control of a water treatment plant and threaten to shut off the entire water supply or poison a city’s water by increasing the amount of chlorine in it.
The routine use of unsupported, legacy operating systems, such as Windows XP, poses a particular risk in some critical sectors with ageing infrastructures. In healthcare, for example, there is the potential to hack into medical devices such as infusion pumps or tamper with doses of radiation.
Last year, security researcher company Positive Technologies found vulnerabilities in leading software designed for automation equipment in power, water, oil and gas, food, automobile, construction and other industries. If not patched, the vulnerabilities posed a potential risk of being exploited to disrupt operations at thousands of plants around the world. Positive Technologies also found vulnerabilities in leading DCIM software, highlighting the threat posed to data centre infrastructure from hackers. Ilya Karpov, head of the ICS research and audit unit at Positive Technologies, comments: “DCIM platforms have the ‘keys to the kingdom’ at a data centre, since they are connected to all installed systems. A vulnerability, such as this, threatens the functioning of critical systems on which data centres depend: video surveillance, fire suppression, backup generators and generator control units, switches, pumps, UPS systems and precision cooling.”
The threat posed to mission critical infrastrcuture is all too real and sites need to ensure they evaluate the security of their systems and take action to mitigate the risks. However, the need for continuous operation can present its own challenges.
Positive Technologies points out that, because of the need for uninterrupted uptime of critical systems (such as industrial protocols, operating systems, and database management systems), ICS software often goes years without updates, creating a dangerous situation with an evolving threat landscape.
Based on its data, more than 100 vulnerabilities in 2016 were detected in ICS components from leading manufacturers. Most of these vulnerabilities were of critical and high risk (60%), typically involving remote code execution, denial of service, and/or information disclosure. The majority of vulnerabilities are found in dispatch and monitoring systems (HMI/Scada). As of early 2017, more than 160,000 ICS components could be accessed over the internet. The largest numbers were found in the US (31%), Germany (8%), and China (5%).
Positive Technologies highlights the importance of encryption of passwords, as unencrypted storage of passwords can result in an attacker gaining control of an ICS/Scada system. The attacker can log in, like any other user, and start affecting operations, leading to economic losses, equipment failure, or even serious accidents. By gaining passwords to databases, an attacker is able to illegitimately modify information and create the preconditions for malfunction and/or physical harm.
Cyber security experts IOActive and Embedi also recently released a white paper outlining 147 cyber security vulnerabilities found in 34 mobile applications used in tandem with Scada systems.
The technical details of the research were released by Alexander Bolshev, security consultant for IOActive, and Ivan Yushkevich, information security auditor for Embedi, in the paper: Scada and Mobile Security in the Internet of Things Era.The researchers reveal that the number of incidents in Scada systems has increased over the past two years and the systems are becoming more interesting for attackers every year. Furthermore, the IoT is connecting more and more mobile devices to ICS networks, highlighting the need to pay attention to the security of Scada mobile applications, “before it is too late”.
Jason Larsen, principal security consultant at IOActive, comments: “This latest white paper reinforces the fact that mobile applications are increasingly riddled with vulnerabilities that could have dire consequences on Scada systems that operate industrial control systems. The key takeaway for developers is that security must be ‘baked in’ from the start. It saves time, money and ultimately helps protect the brand.”
The report reveals the top five security weaknesses are: code tampering (94% of apps), insecure authorisation (59% of apps), reverse engineering (53% of apps), insecure data storage (47% of apps) and insecure communication (38% of apps).
“The flaws we found were shocking, and are evidence that mobile applications are being developed and used without any thought to security,” says Bolshev. “It’s important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target ICS control applications either. If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware. What this results in is attackers using mobile apps to attack other apps.”
“Developers need to keep in mind that applications like these are basically gateways to mission critical ICS systems,” adds Yushkevich. “It’s important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks.”
IOActive and Embedi informed the impacted vendors of the findings through responsible disclosure, and are coordinating with a number of them to ensure fixes are in place.
The myth of ‘air gapping’
Recent research has demonstrated that ‘air-gapping’ systems (ie creating a physical gap between the control network and the business network) is not the answer to protecting critical infrastructure from potential cyber-attacks.
A security research team at CyberX recently shattered the ‘myth of the air-gapped ICS network’, by demonstrating a potential hack (‘Exfiltrating Reconnaissance Data from Air-Gapped ICS/Scada Networks’, Black Hat Europe 2017). VP of research, David Atch, and security researcher, George Lashenko, showed how by injecting specially crafted ladder logic code into Programmable Logic Controllers (PLCs), a hack can generate encoded radio signals that can then be received by ordinary AM radios in order to exfiltrate sensitive data from air-gapped networks. This technique could be used to exfiltrate corporate trade secrets such as proprietary formulas, military secrets such as nuclear blueprints, and reconnaissance data for use in future destructive attacks such as details about ICS network topologies and device configurations.
Airbus: sharing cyber security expertise
The cyber threat posed to ICS is prompting large manufacturers to take action, across their networked enterprises and beyond the boundaries of their own organisations. Airbus is a major manufacturing organisation and, as such, ICS and IoT are an integral part of its business.
“In today’s environment, everything is interconnected, not just in an IoT sense but in terms of manufacturing, supply chain and utilities. Therefore, we want to make sure the environment that we operate in is also safe,” comments Ian Gosling, managing director of Airbus Cyber Security UK.
With this in mind, Airbus is leveraging its expert knowledge, used internally to protect the business from cyber threats, to provide an external service to other mission critical business sectors – protecting governments, military, organisations and critical national infrastructure.
The Airbus Cyber Security Research team has spent some time investigating potential threats and developing defensive technologies in a series of joint initiatives with Cardiff, Swansea and Newport universities (the University of South Wales). Airbus is currently making significant inroads in the utilities sectors, and is currently working with a number of water authorities. However, it has also set its sights on major power generation projects.
“Unlike IoT, the ICS or Scada space has grown up from an isolated environment. However, these systems are now becoming increasingly connected,” says Gosling. “We have a situation where the clarity of the estate being protected is somewhat confused. It is important to understand what your estate is and therefore understand exactly what your vulnerabilities are. We are conducting a lot of work aimed at accelerating this understanding of the estate. What is connected? What isn’t connected? What has innate vulnerabilities?”
Gosling points out that ICS and Scada are often installed for the long term and, as a result, often have old operating systems – which, by their very nature, have vulnerabilities.
“One of the difficulties with some business sectors is deciding whether they can stop the process to ensure the value of the protection being installed. This is a business risk people have to face up to. There is a downtime challenge,” Gosling continues.
Organisations need protection but a well thought out disaster recovery plan is also important. “The idea that you are 100% protected is nonsense – you are only mitigating risk. Part of this mitigation should be to understand fully how quickly you can recover, if you are impacted,” says Gosling. “Across a wide range of industry sectors, boardrooms are underestimating the threat and impact of the potential challenges they face. Some of them have taken a ‘not me’ attitude’.”
This trend would appear to be supported by a recent government survey of the UK’s biggest 350 companies, which found more than two thirds of boards had not received training to deal with a cyber incident (68%) despite more than half saying cyber threats were a top risk to their business (54%). Clearly, many UK organisations are underprepared. So, what needs to be done to ensure greater consideration is given to ICS cyber security risks?
Ben Worthy, senior ICS security consultant, Airbus Cyber Security, believes that the answer is a combination of legislation, cultural change and employee awareness. In his view, the EU’s Network and Information Systems (NIS) Directive is also a positive step, by forcing critical infrastructure providers to put a determined cyber security strategy in place, or risk financial penalties.:“The threat of being hit with a fine of up to £17m, or 4% of global turnover, will undoubtedly focus people’s minds and help to make this a board-level issue,” comments Worthy. He believes that legislation alone is not enough, however; what is needed is a security-driven mindset.
“To really effect change on the ground, we will require a vastly improved level of cyber security awareness. Employees need to be trained so that they understand what the safe behaviours are in terms of cyber security, and how to avoid taking unnecessary risks,” he concludes.