Losing control: Critical infrastructure
Losing control: Critical infrastructure

Industrial control systems remain troublingly vulnerable to both internal error and outside intruders, reports Danielle Walker

Researcher Tyler Klinger was curious if the companies that operate the nation's industrial control systems had jumped the proverbial shark when it came to cyber attack susceptibility. While he was well aware that critical infrastructure providers, like power companies and oil-and-gas refineries, had become increasingly juicy targets in recent years, he was interested in learning the ease by which they could be compromised.

Klinger, a researcher at Idaho-based Critical Intelligence, which provides information services to industrial control system (ICS) customers, knew that most companies outside of his area of expertise were being regularly breached through targeted emails, commonly referred to as spear phishing, in which employees open a legitimate-looking attachment or follow an enticing link, only to invite malware into their organization. But would the same type of trivial, easy-to-launch attack – one that doesn't require deep pockets and nation-state backing – be just as effective at allowing criminals to, say, access a utility plant? The answer was a resounding yes. 

After receiving approval from two companies that operate control systems, Klinger scoured various websites, like LinkedIn and Jigsaw, to locate contact information and other details about various high-level employees working there. He then delivered experimental phishing emails to 72 workers, who had no knowledge of the experiment. Eighteen clicked on the links contained in the messages. Now, if this were a real-world scenario, Klinger would now have a foothold to initiate more technical, and potentially devastating, attacks by leveraging, for example, a vulnerability residing on the very hardware and software that runs these plants. It's not a far-fetched scenario.

In the last decade or so, industrial control systems that were never designed with IT security in mind have become interconnected with corporate computers and networks that expose them to a range of new threats. Last April, the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned of an ongoing spear phishing campaign where attackers increasingly targeted companies in the natural gas pipeline sector.

Spear phishing often exposes the human vulnerability within companies, says Scott Gréaux (left), VP of product management and services at Chantilly, Va.-based PhishMe, a software firm that focuses on phishing threats. Gréaux, who helped Klinger with his experiment, says he advises that management stress to employees that anyone could be on an attacker's radar. 

“Engage users in a discussion about phishing attacks, so they are aware that they are real and that [attackers] will target anyone in an organization,” Gréaux says. “They may not necessarily target a control operator. They will target someone where they can get a foothold.”