As tensions ratchet up between the US, Russia, North Korea, Iran, and China the Cyberwarfare landscape is changing. Our critical infrastructure that we rely on every day is brittle and critically out of date. Industrial Control and SCADA systems touch on almost every aspect of your daily life from clean water, energy, to transportation. The pieces are falling into place for a very scary outcome.
If news headlines, global trends, and tech reports tell us anything about cyber security in Industrial Control and SCADA systems in the past few years, it’s that we are currently in cyber cold war, and a full on cyber war could follow in short order. Read on to see how I’ve come to this conclusion and how the controls currently protecting us are not durable beyond the short term.
A recipe for cyber war
Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) Systems are software systems that run most of the infrastructure worldwide. They control power plants and grids, water treatment plants, oil pipelines, manufacturing, HVAC, Air Traffic Control, and almost anything else that is critical infrastructure globally. These systems were originally devised and rolled out in the ‘70s, which is also the 16-bit , tape driven, PDP-11 era. The systems have changed as necessary, layering on new algorithms, inputs, and designs to keep up with evolving demands. A key assumption for these systems is that they were designed to be air gapped, separated from a public internet that hadn’t even been invented yet. This is a key security design assumption that has been undermined in recent years.
What was once the greatest protection for these systems has become their greatest weakness. When these systems are air gapped, they are not regularly updated. Partially because it is difficult to do to, and partially because there is a feeling that, without a connection to the internet, the systems are safe from attack and therefore don’t require the same level of security configuration and patch diligence that other systems receive.
The first generation of SCADA systems were monolithic, stand-alone systems. They included everything they needed to operate. In this era, everything was proprietary, from the architecture to the protocols. The second generation of SCADA systems were distributed. Distributed SCADA systems connected multiple stations through a Local Area Network. Information was shared in real time but the protocols and connections were still proprietary. This was an early version of what would come next: networked systems. The third generation of SCADA systems networked multiple systems together using standardized protocols.
We’re not disconnected anymore
We are now entering the fourth generation of SCADA architecture. This modern generation of SCADA systems should send a chill up your spine. “Web SCADA” uses internet browsers as the interface for SCADA systems. These fully internet-connected systems bring about a new era in which the SCADA systems must defend against any attacker from any location. This is something these systems have never had to do before and is quite simply not something they are equipped to do.
It’s not just SCADA systems either, it’s all ICS and other controller systems. The drive to connect large scale, industrial systems is growing. There’s huge value in it: remote monitoring, updates, and other functionality are huge value adds. Unfortunately, just as we’ve seen in the realm FinTech, migrating these old, brittle systems to internet connected networks is fraught with problems - but now with more disastrous potential. These systems were never designed to stand up to non-standard usage, let alone persistent attack. And don’t forget that SCADA controls physical infrastructure and can impact physical safety.
Even when systems remain fully air-gapped, other attack vectors can be successful. We saw this play out in the aftermath of the Stuxnet worm. This cyber weapon was designed to attack Iran’s nuclear system. It targeted the Programmable Logic Controllers (PLCs). The advanced attack used multiple 0-Day flaws in Windows and Siemens systems once deployed. The worm was introduced to the air-gapped network via a USB flash drive. That means presumably somebody wrote a beautifully advanced worm, copied it to a flash drive, dropped that flash drive in a parking lot, and waited for some person to pick it up and plug it into one of the most critical pieces of infrastructure in Iran. You don’t need to be connected to the internet if you have employees willing to transfer the files via USB for you.
Nearly every critical piece of critical infrastructure is decades old, riddled with security issues, developed with a reliance on an air-gap. These systems are now either connected to the internet, or are internally networked and used by a group of untrustworthy individuals. Most of the vulnerabilities these systems are susceptible to weren’t even invented when these systems were first built!
A race to remediation?
You might think that when faced with the knowledge that these systems are being targeted and attacked, and that people’s lives are at risk, there would be a massive push to harden these systems as quickly as possible. Unfortunately, we’re not seeing this to be the case.
Not to sound defeatist, but these systems are incredibly complex, with dozens of components connected, dealing with multiple protocols, Operating Systems, and authentication/authorization models. To protect these systems we need a success rate of 100%, in order to attack them there only needs to be only one vulnerability chain. Considering the onslaught of recent 0-Day vulnerabilities against systems previously thought to be nearly unbreakable, protecting our SCADA software infrastructure may be too tall an order.
Protection plan: Say please
So, if companies aren’t able to fix their ICS and SCADA systems quickly enough, and the deployments of these systems rely on being connected to the internet, and operational security practices can’t protect us, then how are we to defend against the incoming cyber-battles?
One answer might be: Just ask? Last week the United States and 26 other nations came together to issue a Joint Statement on Advancing Responsible State Behavior in Cyberspace, which defines a set of “Cyber Norms” in which each state and non-state actor promises not to attack each other’s infrastructure during peacetime. This also includes no interfering with politics and conducting intellectual property theft.
This is generally how we’ve been playing up to this point. The US doesn’t openly attack our allies and they don’t attack us. We don’t attack our allies’ civilian infrastructure and they don’t attack ours. The risk of civilian lives is too high to attack power grids and nuclear power plants. Up until this point most groups equipped to pull off such an attack focus their attentions on very specific systems to send a very specific message.
I think the Joint Statement is a great thing to do, but can you imagine your cyber security posture hanging in the balance of cyber criminals playing nice? Of course, China, Iran, Russia, North Korea, and other traditionally problematic countries are not on that list.
Threat landscape
The most famous attack groups, like APT10, Lazarus Group, Reaper, and Fancy Bear, are generally known to be state sponsored and located in China, Iran, Russia, and North Korea. But how do these hacking groups get funding? According to the UN and the US treasury, many of these groups fund themselves and a broader military program targeting banks and crypto currency exchanges. If you have access to any computer you’d like, why bother making money legitimately? Take what you need from misconfigured and insecure financial exchanges.
We identify these hacking groups by IP block or through the malware and tools they use. What would happen if—in order to mask their trail further—they attacked one of the 26 countries named in the Joint Statement from one of the other countries in the Joint Statement. It is unlikely many of these countries could identify the source and destination of such an attack with enough accuracy to properly attribute the attack to a specific group. International cyber relations would then fall back on these earlier talks and agreements, which may not hold under pressure.
Our cyber cold war
This leads me to what I consider our current cyber cold war. The US and its allies are currently engaged in quiet cyberwarfare with many international adversaries. Some of these adversaries are state sponsored and focused on a specific goal or outcome. Other groups are more like a cyber-terrorist cell who aren’t beholden to any other agreement or goals. These groups may purposefully or accidentally set off a cyber war, or they may attack critical infrastructure targeting civilians.
Decades ago it may have been easy to dismiss this kind of threat due to lack of access to hacking and exploitation training, or powerful enough computer hardware. Now cyber-terrorist groups can self-fund by attacking soft financial targets and then target critical civilian infrastructure without detection. We have seen an uptick in cyber-attacks against ICS using targeted malware recently. Attacks against a New York dam, a European energy company, and a Ukrainian power plant have been made public in the last few years. If a broader scale attack occurred across the US or other developed nations, it could tip the scales to an all-out global cyber war that would be difficult to recover from.
Solutions
This is a very difficult problem to solve. When we talk about the cyber security risk we often measure it on the scales of impact and likelihood. In this case the impact could not be higher. I would rate this risk as critical, and it should capture intense attention and focus.
The answer, and the way to peace and stability, requires a multi-faceted approach from global governments, ICS and SCADA providers, and individual infrastructure and utility companies.
This article pulls from many recent news stories, some of which I’ve been able to capture here, all of which I think are worth reading to understand the threat landscape.
- The Urgent Search for a Cyber Silver Bullet Against Iran - The New York Times
- Iran denies successful cyber attack on oil sector | The Times of Israel
- World powers are pushing to build their own brand of cyber norms - CyberScoop
- Russian APT Ecosystem Map
- US Treasury sanctions three North Korean hacking groups | ZDNet
- Attacks Targeting Industrial Control Systems (ICS) Up 110 Percent