This article was first published in The Chemical Engineer
In January this year a team from Schneider Electric, which sells industrial control systems, presented an analysis of a cyber attack that exploited a previously unknown vulnerability in the firmware of its Triconex Tricon safety system.
The attackers targeted an industrial plant belonging to one of Schneider’s customers and were able to compromise operator workstations and the devices in its safety systems and install a remote access trojan (RAT). This gave them easy access to the system at any time, which they could then use to make changes to safety settings and operating limits.
By gaining this remote control the attackers could compromise the system and cause systematic widespread failures, including the disabling of the plant safety systems. However, while they were conducting a reconnaissance of the systems they accidentally triggered the emergency shutdown procedures. The investigation into why the plant shut down then led to the discovery of the attack, now known as “Triton”.
In this case the attackers were looking to develop the skills and tools that would allow them to compromise these kinds of systems. Their motives might be to extract money from the plant owners, if they were an organised crime gang, or to cause disruption and unrest for political reasons if they were a nation state, as was the case for the Black Energy attacks in Ukraine.
The example of the Buncefield explosion at an oil storage terminal in December 2005 in the UK, which was caused by the failure of two safety systems, shows the potential impact these kinds of attacks could have. That explosion caused damage estimated at £1bn and displaced major organisations from their premises for many months.
Even though the Triton attack failed, we can be sure that the attackers will not have given up. They will have conducted a post-mortem into what went wrong for them this time, fixed the problem and they will have found another target to attack and use to develop their skills further. The reality is that there is now a growing list of attacks on industrial control systems (ICS)/SCADA systems, and that should worry anyone running operational technology systems within their organisation.
If that’s you, you should be asking three key questions:
It is important to recognise that while this attack compromised a specific type of controller from one manufacturer, the attacks on ICS/SCADA to date have been on a range of products from different suppliers. It would be wrong to assume that just because other products have yet to be compromised, they will not be in the future. Software and control system infrastructures are highly complex and the probability of a vulnerability existing is higher than many people think. None of the manufacturers whose products have been compromised realised they had a problem until they found out the hard way.
A key problem with ICS/SCADA systems is that they were originally designed to be isolated from external systems and were not designed with cyber security in mind. Cyber security risks have then been created by senior management focussing on doing things faster, better, cheaper. As a result we now often have ICS/SCADA systems connected to the enterprise systems that manage performance and resource planning. These connections then allow remote access over the internet for third-party suppliers and support functions, creating further vulnerabilities. That also means that attackers have the potential to discover your systems using tools such as SHODAN and Autosploit.
Once the attackers find out about the systems they can look for ways to infiltrate and compromise them, and many of them have very advanced capability in these areas. UK government assessments have found that organised crime gangs are only four or five years behind the ability of the advanced nation state cyber operations.
Attackers acting on behalf of nation states have their own obvious agendas and many are not afraid to conduct overt operations that can be easily traced back to them. They know that disrupting critical national infrastructure is an easy way to cause widespread unrest and dissatisfaction among the population. Equally, they can cause major economic damage by attacking high impact targets.
As businesses connected control systems to IT networks, PCs with dual network cards were commonly used to effect separation, but they were a weak solution. Thankfully, much more robust solutions are now available for implementing connections to the top levels of control systems. However, even now, level 0 and 1 devices (ie the plant-level sensors, transmitters and actuators) do not have the capability to operate securely. While an ISA working group is looking at the issue at the moment, it is clear that more needs to be done to improve the security of these devices.
What can you do?
Given these growing threats, the question that plant operators need to be asking is how they can identify just what kind of risks they face, and then work out the most cost-effective way to manage those risks. There isn’t a one-size-fits-all answer because the technologies, processes and various chemicals and compounds in use vary so widely from one plant to another. However, the first step is to accept that there is a heightened degree of risk. Organisations also need to recognise that legislative changes are increasingly coming into effect around the world that require them to actively manage the cyber risks to their ICS/SCADA assets.
One example of this is the UK’s updating of the scope of the Control of Major Accident Hazards (COMAH) regulations, which for the first time requires dutyholders to include the management of cyber security risks. These changes are aligned with the new guidance contained in the updated IEC61511¹ and the forthcoming Network and Information Systems Directive.
The next step is to focus on risk identification and management, taking into account the specialist nature of the ICS/SCADA infrastructure. There is a range of guidance available to support this work, including work PA has done, published by the UK National Cyber Security Centre, on the security of ICS, which outlines good practice in an eight-point guide:
The first of these actions is crucial. Unless your organisation has an effective and intelligent governance function to manage and understand risks and threats, the other activity will not happen. It is the governance team which provides support, justification and budget for the other seven steps in the process.
That governance should be underpinned by a recognition that compliance does not necessarily equal security. There is a real danger of creating a false sense of security from simply conducting a tick-box exercise without an intelligent and context-based assessment of the threats, risks and impacts that apply to each organisation and to each location owned and operated by it.
That work needs to be supported by using a proven approach to conducting ICS/SCADA health checks. This should provide an intelligent analysis of the threats based on the context and be carried out by a mixture of ICS and risk experts. Those risk experts should also have their own background of working in ICS/SCADA over many years so that they understand the issues, know the right questions to ask and can follow up with additional focussed questions to help them identify the aspects that are unique to each operation.
The unique qualities of an organisation will not just be about the technology. They extend to the people and processes relating to ICS/SCADA. Risks and vulnerabilities can be found as much in these factors as in the technology, and the appropriate security controls will need to be focussed on a combination of all three.
It is also vital to review the high-level security architecture and identify any changes that need to be made in the way the overall network is designed and built. Our experience working in a range of sectors has shown us that some simple changes can provide a significant reduction in risk. These include:
The rest of the article can be read on The Chemical Engineer
David Alexander is a digital trust and cyber resilience expert at PA Consulting Group
1. IEC61511: Functional safety - Safety instrumented systems for the process industry sector