Industrial control systems remain troublingly vulnerable to both internal error and outside intruders, reports Danielle Walker

Researcher Tyler Klinger was curious whether the companies that operate the nation’s industrial control systems had jumped the proverbial shark when it came to cyber attack susceptibility. While he was well aware that critical infrastructure providers, like power companies and oil-and-gas refineries, had become increasingly juicy targets in recent years, he wanted to learn how easily they could be compromised.

Klinger, a researcher at Idaho-based Critical Intelligence, which provides information services to industrial control system (ICS) customers, knew that most companies outside his area of expertise were being regularly breached through targeted emails, commonly referred to as spear phishing, in which employees open a legitimate-looking attachment or follow an enticing link, only to invite malware into their organization. But would the same type of trivial, easy-to-launch attack – one that doesn’t require deep pockets and nation-state backing – be just as effective at allowing criminals to, say, access a utility plant? The answer was a resounding yes.

After receiving approval from two companies that operate control systems, Klinger scoured various websites, like LinkedIn and Jigsaw, to locate contact information and other details about high-level employees working there. He then delivered experimental phishing emails to 72 workers, who had no knowledge of the experiment. Eighteen clicked on the links contained in the messages. Had this been a real-world scenario, Klinger would now have a foothold from which to initiate more technical, and potentially devastating, attacks by leveraging, for example, a vulnerability residing in the very hardware and software that runs these plants. It’s not a far-fetched scenario.

In the last decade or so, industrial control systems that were never designed with IT security in mind have become interconnected with corporate computers and networks that expose them to a range of new threats. Last April, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned of an ongoing spear phishing campaign where attackers increasingly targeted companies in the natural gas pipeline sector.

Spear phishing often exposes the human vulnerability within companies, says Scott Gréaux, VP of product management and services at Chantilly, Va.-based PhishMe, a software firm that focuses on phishing threats. Gréaux, who helped Klinger with his experiment, says he advises management to stress to employees that anyone could be on an attacker’s radar.

“Engage users in a discussion about phishing attacks, so they are aware that they are real and that [attackers] will target anyone in an organization,” Gréaux says. “They may not necessarily target a control operator. They will target someone where they can get a foothold.”

So what can attackers accomplish once they are inside? The threat of outsiders with sophisticated malware targeting critical infrastructure has grown markedly in recent years. Last August, data-wiping virus Shamoon rendered 30,000 computers at the Saudi Arabia-based oil company Saudi Aramco unusable. A few months later, officials at Chevron confirmed that the U.S. oil company was hit by Stuxnet in 2010, a worm – believed to be the creation of the United States and Israel – that was originally designed to target only Siemens SCADA systems being operated within nuclear enrichment facilities in Iran. 

In October, ICS-CERT alerted the ICS sector of increased attack interest shown by malicious groups, like hacktivists. The threat report warned that these groups were using specialized search engines to identify internet-facing ICS devices as potential targets for attacks. The finding came after a security research company released hacking techniques for targeting programmable logic controllers (PLCs), computer-based hardware used to automate industrial monitoring and control processes. The exploit tools were meant for PLCs made by General Electric, Rockwell Automation, Schneider Electric and Koyo Electronics. 

Then just last month, Austin-based security firm NSS Labs released a study that tracked a 600 percent jump in ICS vulnerabilities revealed between 2010 and 2012, with 124 security flaws being disclosed.

Also this year, ICS-CERT released a technical paper in January that included guidance – and common mistakes to avoid – when responding to advanced attacks. For instance, instead of immediately trying to rid systems of the malware, IT management or designated responders should capture live system data, like network connections and open processes, before disconnecting compromised machines from networks, the paper says. Companies were additionally advised to avoid running anti-virus software immediately after an attack, since the scan could alter critical file data or thwart analysis of the malware for future detection.
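As an added example (not from the article or from ICS-CERT's paper), the following Linux-only Python script records the volatile data the guidance above says to capture first, live TCP connections and running processes, into a timestamped JSON file with a SHA-256 hash, so the record exists before the host is pulled off the network. The `/proc/net/tcp` sample is constructed for testing, and the evidence directory and file name are assumptions.

```python
import hashlib, json, os, time

# Constructed sample in /proc/net/tcp format (little-endian hex addresses), used for testing.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1\n"
    "   1: 0F02000A:D17E 077100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1\n"
)
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1", "05": "FIN_WAIT2",
              "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

def decode_addr(hexaddr):
    """Turn '0100007F:1F90' (little-endian IPv4, hex port) into '127.0.0.1:8080'."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return "%s:%d" % (".".join(octets), int(port_hex, 16))

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp (header line included) into one dict per socket."""
    conns = []
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        conns.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]), "inode": f[9]})
    return conns

def list_processes():
    """Record PID and full command line of every process visible in /proc."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited between listing and reading; skip it
        procs.append({"pid": int(pid), "cmdline": cmd})
    return procs

def snapshot(outdir):
    """Write connections and processes to a timestamped JSON file; return (path, sha256)."""
    with open("/proc/net/tcp") as fh:
        conns = parse_proc_net_tcp(fh.read())
    evidence = {"taken_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "connections": conns, "processes": list_processes()}
    data = json.dumps(evidence, indent=1).encode()
    os.makedirs(outdir, exist_ok=True)
    path = os.path.join(outdir, "volatile-%d.json" % int(time.time()))
    with open(path, "wb") as fh:
        fh.write(data)
    return path, hashlib.sha256(data).hexdigest()  # hash lets the record be verified later
```

Run `snapshot("./evidence")` (assumed directory) as the first response step and note the returned hash; only after that should the machine be isolated.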

David McIntosh, vice president of federal government affairs at Siemens, a Germany-based electrical engineering and manufacturing company that services critical infrastructure sectors, says federal policies are necessary to facilitate the kind of public-private information sharing needed when advanced attacks occur.

According to Nate Kube, CTO of Wurldtech, a Canada-based industrial security products company, the nation’s water supply is particularly at risk from attacks of this kind.

“[In] industries like water, there’s not a lot of budget for security, so unless the government steps in and provides incentives and regulations, the water supply will be vulnerable,” says Kube. “The level of security is close to zero, which means if you can procure knowledge on its systems, you can [cause] a lot of damage. There’s not a lot of stopgaps. The only protection now is that there’s not a lot of incentive in hacking these systems.”

Hours before his State of the Union address, President Obama issued a cyber security executive order designed to spur the implementation of better security standards among ICS companies. Though the order won’t be mandated like legislation and will merely provide best practices for the government and private companies, it will direct federal agencies to share information about critical infrastructure threats with corporations in the ICS sector. The move also encourages lawmakers to pass legislation with critical infrastructure protection in mind. 

Last month, lawmakers reintroduced the controversial Cyber Intelligence and Sharing Protection Act (CISPA), though many privacy groups oppose a provision that may permit personally identifiable information collected by companies to be among what is shared. News of CISPA returning came not long after seven Democratic senators introduced the Cybersecurity and American Cyber Competitiveness Act of 2013 in January, essentially a refresh of a bill that was shot down last year. The language in the measure has not yet been firmed up, but it is expected to create mechanisms for threat information sharing, workforce development, risk assessment and identity theft prevention. 

Security vendors and end-users have differing opinions, however, on whether regulations are the answer. PhishMe’s Gréaux says that more policy could distract companies from detecting the real threats. “From a practical perspective, I think there’s good policy that can be written to help guide [companies] in the right direction, but it also can distract security practitioners from focusing on threats,” he says. “It takes focus away from protecting assets and systems, and puts it more on compliance. Sometimes it makes the organizations less secure than they were before.”