Karl Jones of OAMPS Hazardous Industries looks at some of the Cyber security risks arising from the interconnectivity of networked ICS/SCADA management systems.
Industrial Control Systems incorporating Supervisory Control and Data Acquisition (ICS/SCADA) as a management system were originally designed to be isolated from external systems and were therefore not created with cyber security in mind. However, pressure to get things done faster, better and cheaper has led to ICS/SCADA systems being increasingly connected to the enterprise systems that manage performance and resource planning, which allow remote access over the internet for third-party suppliers and support functions, but also creating further vulnerabilities.
A recent example of this vulnerability was an attack at an industrial plant using Schneider Electric Triconex firmware, where operator workstations and the devices in their safety systems were compromised, whilst a Remote Access Trojan (RAT) was installed.
The attackers made changes to safety settings and operating limits and causing systematic failures, including the disabling of the plant safety systems. However, whilst moving through the systems, they triggered the emergency shutdown procedures. The subsequent investigation into the shutdown led to the discovery of the breach.
Even though this particular attack failed, given the sophistication of the attack, it’s almost certain that the attackers will not have given up. They will have assessed what went wrong, fixed the problem and found another target; developing their skills still further. The reality is that there is an ever-growing list of attacks on industrial control systems (ICS)/SCADA systems, and that should concern anyone running operational technology systems within their organisation.
In this case, the motives are not known – it could have been to extort money from the plant owners, or to cause disruption and unrest for socio-political reasons if the attack was state-sponsored.
The consequences of disabling safety systems can be catastrophic; the Buncefield explosion at an oil storage terminal in December 2005 was caused by the failure of two safety systems (and there’s no evidence that the failure of TWO safety systems was anything other than an extraordinary coincidence). The resulting explosion caused damage estimated at over £890m*, and disrupted organisations in the surrounding premises for many months.
The attacks on ICS/SCADA systems thus far have been on a variety of products from a number of suppliers and it would be naive to assume that just because other products have yet to be officially compromised, they will not be in the future. Although software and control system infrastructures are highly complex, the probability of vulnerability is higher than many people think.
Many attackers also have very advanced capability; UK government has found that organised crime gangs are only four or five years behind the ability of the advanced nation state cyber operations!
What can you do?
Given these growing threats, plant operators need to identify just what kind of risks they face, and then work out the most cost-effective way to manage those risks. There isn’t an easy answer because the technologies, processes and various chemicals and compounds in use vary so widely from one plant to another.
Organisations also need to recognise that there are increasing legislative changes coming into effect around the world that require them to actively manage the cyber risks to their ICS/SCADA assets.
One example is the updating of the Control of Major Accident Hazards (COMAH) regulations to now include the requirements for duty holders to include management of cyber security risks. These changes follow the new guidance contained in the updated IEC615111 and the Network and Information Systems Directive.
There is a range of guidance available to support businesses (published by the UK National Cyber Security Centre), which outlines good practice in an eight-point guide:
- establish ongoing governance
- manage the business risk
- manage industrial control systems lifecycle
- improve awareness and skills
- select and implement security improvements
- manage vulnerabilities
- manage third-party risks
- establish response capabilities
Compliance does not necessarily equal security; there is a real danger of creating a false sense of security from simply conducting a tick-box exercise without an informed assessment of the threats, risks and impacts that apply to each organisation and to each location owned and operated by it.
That assessment needs to use a proven approach to conducting ICS/SCADA health checks, which will provide an informed analysis of the threats, and should be carried out by experts that have a background of working on ICS/SCADA systems so that they understand the issues, and know the right questions to ask to identify the risks that are unique to each operation.
The exposures here will not just be about the technology; they extend to the people and processes relating to ICS/SCADA. Risks and vulnerabilities can be found as much (if not more) in these factors as in the technology, and the appropriate security controls will need to be focussed on a combination of all the factors.
It is also vital to review the high-level security architecture and identify any changes that need to be made in the way the overall network is designed and built. Some simple changes can provide a significant reduction in risk. These include:
- use specialist protective monitoring tools and techniques to understand process data flows and monitor suspicious activity
- select and use industrial firewalls to defend against changes to settings
- engage specialists in security reviews of ICS/SCADA systems
- run additional awareness and training sessions for the operators and process engineers
- ensure that senior management are aware of the risks and the capability of attackers so that they have an accurate understanding and can re-evaluate their risk appetite and the resources required to manage risk effectively
A final factor is the increasing availability of Internet of Things (IoT) devices; their use in plants brings a range of security risks that have not yet been properly evaluated. Many of these devices do not have any real security capability, and they are often very easy to compromise, so you should evaluate the threats as well as the advantages that their integration can bring and source advice from experts who know how to build ICS/SCADA/IoT infrastructures that manage risks in a way that’s aligned to your risk appetite, your business operations and can demonstrate value for money.
Ultimately, the risks are not going to go away. The need to defend control systems from attackers will be ongoing and needs to be, and remain, at the top of the business agenda.
The opinions and views expressed in the above articles are those of the author only and are for guidance purposes only. The authors disclaim any liability for reliance upon those opinions and would encourage readers to rely upon more than one source before making a decision based on the information
*The final report of the Major Incident Investigation Board,
11th December 2005