System Attacks - Turning SCADA into NADA

As the Internet of things quickly expands throughout the energy sector, with millions of machines and sensors communicating throughout company networks and over the Internet, the security needed to protect these devices lags perilously behind the ability to disrupt and damage them.

New intelligence reports that a rising number of malicious cyber attacks have targeted energy and pipeline infrastructure around the world, accounting for 40% of all intrusions; and the pocket-sized USB drive - carrying free-riding malware - is the delivery system of choice, according to a monthly report issued by the Industrial Control Systems Cyber Emergency Response Team, ICS-CERT, a security team within the Department of Homeland Security.

The grim statistics keep mounting. In 2012 alone, the swamped ICS-CERT security team responded to 198 cyber attacks targeting ICS/SCADA systems in production facilities across the country. Finally, and perhaps most seriously of all, the study found that thousands of control systems in the U.S. are linked directly to the Internet; left completely vulnerable, they can be easily found with Internet search tools, targeted and then commandeered.

The Shamoon infestation

The report also looked at two of the most high-profile cyber disruptions of 2012. Both would have been much worse if the hacker-bots had managed to jump from the corporate to the production networks. The first occurred last August when the "Shamoon" malware infiltrated and ransacked Saudi Aramco.

While 55,000 employees stayed home to observe a religious holiday, Platts reported that as many as 30 copies of the Shamoon virus were inserted into Aramco's computer system on the same day. The virus wiped the data on the company's corporate PCs - documents, spreadsheets, e-mails and files vanished. To stop the virus from spreading, the company immediately shut down the internal corporate network, disabling all e-mail and Internet access, but not before drilling and production data had been lost. Eventually, 30,000 workstation hard drives were replaced.

Despite the finger pointing at post-stuxnet Iran, primarily from the U.S., for the Saudis, one uncomfortable problem is how the virus got into the system (probably with a USB drive), which required someone who had physical access to the computers - raising dicey issues about loyalty.

Two weeks after the Aramco incident, Qatar-based RasGas was also attacked. Operational systems weren't affected and production continued. Like Saudi Aramaco, hydrocarbon production was spared because the company had separated production with an "air gap." So in both cases, the heroes are the planners and information architects who separated employee e-mail and Web servers from energy production.

Preventing a restart

USB drives have completely redefined cyber-ground-zero. The report highlighted two incidents in the U.S. where malware successfully invaded control systems, one an electric utility and the other a power generator.

Both were infected by USB drives after the companies had completely walled-off the production networks.

In the power facility, the malware was discovered after an employee asked company IT staff to inspect a USB drive he'd been using to back up control systems. Production wasn't compromised, but, later, it turned out there were no backups for two infected workstations, both vital and, if lost or damaged, could have severely curtailed power output.

In the other instance, a weaponized virus was found in a turbine control system which took down ten computers in the electric utility's control network. Again, a USB drive was the transmission agent. Investigators found the malware had crossed the air gap when a third-party contractor, unaware it was lurking on his USB drive, used it to upload software updates during an upgrade. The infection prevented the utility from restarting the plant for three weeks.

Internet-facing vulnerability

Sometimes companies make it easier for attackers by connecting critical infrastructure devices directly to the Internet. These devices can serve as entry points, where, in some instances, either weak, default, or nonexistent logon requirements can leave systems vulnerable to attack.

Using the Internet-facing device search engine SHODAN, two researchers compiled a list of 7,200 critical infrastructure control devices directly facing the Internet. Since SHODAN is

freely available, anyone could locate these devices and attempt to logon. Once accessed and used as an entry point, these devices become a major vulnerability to a facility's critical infrastructure.

While ICS-CERT is working to notify the owners of the exposed US devices, there are already tools that help attackers target programmable logic controllers, according to the Wall Street Journal. In February, several new tools were released that could attack programmable logic controllers from General Electric, Rockwell Automation, Schneider Electric S.A. and Koyo Electronic Industries Co., Ltd. Fortunately, many have taken steps to remedy the problems.

How can this problem be contained?

Images: Power lines, Tony Boon; Refinery, various, Shutterstock; Control room, Steag, Germany; Map, ICS-CERT; USB, Evan-Amos