The Increasing Threat to Industrial Control Systems/Supervisory Control and Data Acquisition Systems

23 03 2013

This blog has previously discussed Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition Systems (SCADA) here and again here in November 2012.  Recently, ICS-CERT has released several bulletins that have spelled out trends and numbers showing an increase in the threats to ICS.

How much is the threat increasing?

ICS-CERT noted that in Fiscal Year (FY) 2012 (10/1/2011-9/30/2012) they “responded to 198 cyber incidents reported by asset owners and industry partners” and “tracked 171 unique vulnerabilities affecting ICS products”(ICS-CERT Operational).  This is an approximately five-fold increase over the number of incidents reported in FY2010 (41) (ICS-CERT Incident).

Why is the threat increasing?

While some of this sharp increase may be attributable to ICS-CERT beginning operations in FY2009 (ICS-CERT Incident) and an associated delay before the industry became aware of this resource, it is likely that the number of ICS cyber incidents has genuinely been increasing, for the following reasons:

1)  “Many researchers” have “begun viewing the control systems arena as an untapped area of focus for vulnerabilities and exploits” and are using “their research to call attention to it.” (ICS-CERT 2010)

2)  Availability of search engines such as SHODAN that are tailored to assist operators, researchers (and attackers) in identifying internet-accessible control systems (ICS-ALERT-12-046-01A)

3)  Increased interest by hacktivists and hackers in ICS (ICS-ALERT-12-046-01A)

4)  Release of ICS exploits for toolkits such as Metasploit (ICS-ALERT-12-046-01A)

5)  An increased interest by attackers, possibly associated with foreign governments, in obtaining information regarding ICS and ICS software, for example stealing information related to SCADA software (Rashid) or, in the case of Stuxnet, attacking ICS to damage or shut down the controlled hardware (Iran).

Why are ICS networks still so insecure?

Some responsibility for the state of ICS security should be attributed to the primacy of Availability in the minds of ICS operators when evaluating the Confidentiality-Integrity-Availability triad.  This leads to long periods of time between declared outage windows in operations and thus an extended period of time before new hardware or network security can be put in place.  However, it should be noted that ICS insecurity can itself cause or extend outages, such as the recent failure to restart operations on time at a power generating facility due to an infection of the control environment by a virus on a thumb drive (Virus).  In this instance, availability of the plant was impacted by a security event that extended the planned outage by approximately three weeks (Virus).

How can ICS operators increase security?

With this in mind, it is imperative that ICS operators begin or continue to treat increased security of ICS IT operations seriously, and factor increasing security into their procurement and redesign plans.  Failure to do so can lead to increased outages or damage to operating equipment (see Stuxnet).  The good news is that there are security practices that can be put in place in the (hopefully) tightly controlled ICS environment that may not work in the comparatively more free-wheeling office network, including application white-listing (ICS-TIP-12-146-01B).  As many ICS vendors recommend against applying routine operating system patches, white-listing may assist in preventing the execution of malicious code introduced into the environment (ICS-TIP-12-146-01B).

Other possible security controls that ICS operators should consider implementing include those suggested by ICS-CERT (ICS-TIP-12-146-01B):

Network Segmentation – With the increasing frequency of taking formerly air-gapped control networks and connecting them to corporate networks and the internet, it is increasingly important that appropriate security measures be put in place to segment the control network as much as possible from more general-purpose networks (ICS-TIP-12-146-01B)

Role-Based Access Controls – Access based on job role will decrease the likelihood that an employee is given more access than needed by basing their access on their job function and managing this access by job role instead of user by user (ICS-TIP-12-146-01B)

Increased Logging and Auditing – Incident response, remediation, and recovery (including root cause analysis) in the control network requires that detailed logs be kept and available (ICS-TIP-12-146-01B)

Credential Management (including strict permission management) – Where possible, centralized management of credentials should be implemented to ensure that password policy and resets can be performed more easily.  This centralized management will also ensure that superuser/administrator accounts are tracked and can be more easily disabled if needed (ICS-TIP-12-146-01B)

Develop an Ability to Preserve Forensic Data – Much like logging, the ability to preserve forensic data is important to allow for root cause analysis and, if the event is malicious in nature, identification and prosecution of the intruder/malicious actor.  This includes the ability to capture volatile data such as network connectivity or dynamic memory in addition to the more traditional forensics of hard drives. (ICS-TIP-12-146-01B)
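The role-based access, credential management and logging controls listed above can be seen working together in one small model. The following is an added example written for this page, not ICS-CERT's or the author's code: permissions are attached to roles rather than to individual users, every access decision is written to a structured audit record, and privileged ("superuser-like") accounts can be enumerated and revoked in one step. The role names, permissions, users and hosts are constructed for illustration.

```python
"""Role-based access decisions with an audit trail (added example, constructed data)."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions are granted to roles, never to users directly.
# Role and permission names are hypothetical.
ROLE_PERMISSIONS = {
    "operator": {"hmi:view", "hmi:acknowledge_alarm"},
    "engineer": {"hmi:view", "plc:read_config", "plc:write_config"},
    "historian_reader": {"historian:read"},
}

# Permissions that should be treated as superuser-level and tracked closely.
PRIVILEGED = {"plc:write_config"}


@dataclass
class AccessControl:
    user_roles: dict                       # user -> set of role names
    audit_log: list = field(default_factory=list)   # one JSON line per decision

    def permissions_for(self, user):
        """Union of the permissions of every role the user holds."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def check(self, user, permission, source_host):
        """Decide allow/deny and record the decision, whichever way it went."""
        allowed = permission in self.permissions_for(user)
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "permission": permission,
            "source": source_host,
            "result": "allow" if allowed else "deny",
        }
        self.audit_log.append(json.dumps(entry, sort_keys=True))
        return allowed

    def revoke_role(self, user, role):
        """Dropping a role removes every permission it carried in one step."""
        self.user_roles.get(user, set()).discard(role)

    def privileged_users(self):
        """Accounts holding any superuser-level permission, for periodic review."""
        return sorted(u for u in self.user_roles if self.permissions_for(u) & PRIVILEGED)

    def denied_events(self):
        """Denied attempts are the events an incident responder looks at first."""
        return [e for e in self.audit_log if json.loads(e)["result"] == "deny"]


def demo():
    """Constructed walk-through: an operator, an engineer, and a revocation."""
    ac = AccessControl({"alice": {"operator"}, "bob": {"engineer"}})
    ac.check("alice", "hmi:view", "hmi-01")              # allowed by role
    ac.check("alice", "plc:write_config", "hmi-01")      # denied: not an engineer
    ac.check("bob", "plc:write_config", "eng-ws-02")     # allowed by role
    ac.revoke_role("bob", "engineer")                    # bob leaves the team
    ac.check("bob", "plc:write_config", "eng-ws-02")     # now denied
    return ac


if __name__ == "__main__":
    ac = demo()
    print("privileged:", ac.privileged_users())
    for line in ac.audit_log:
        print(line)
```

Because the log records denials as well as allows, a burst of denied `plc:write_config` attempts from a host that should only hold the operator role is visible without any extra instrumentation.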


“ICS-ALERT-12-046-01A—(UPDATE) Increasing Threat To Industrial Control Systems.” The Industrial Control Systems Cyber Emergency Response Team. Industrial Control Systems Cyber Emergency Response Team, 25 October 2012. Web. 28 January 2013. < >

“ICS-CERT – Operational Review Fiscal Year 2012.” ICS-CERT Monitor. Industrial Control Systems Cyber Emergency Response Team, n.d. Web. 28 January 2013. < >

“ICS-CERT Incident Response Summary Report.” The Industrial Control Systems Cyber Emergency Response Team. Industrial Control Systems Cyber Emergency Response Team, n.d. Web. 28 January 2013. < >

“ICS-CERT – 2010 Year In Review.” The Industrial Control Systems Cyber Emergency Response Team. Industrial Control Systems Cyber Emergency Response Team, January 2011. Web. 28 January 2013. < >

“ICS-TIP-12-146-01B—(UPDATE) Targeted Cyber Intrusion Detection And Mitigation Strategies.” The Industrial Control Systems Cyber Emergency Response Team. Industrial Control Systems Cyber Emergency Response Team, 22 January 2013. Web. 28 January 2013. < >

“Iran Confirms Stuxnet Worm Halted Centrifuges.” CBS News, 29 November 2010. Web. 2 February 2013. < >

“Virus Infection At An Electric Utility.” ICS-CERT Monitor. Industrial Control Systems Cyber Emergency Response Team, n.d. Web. 28 January 2013. < >

Rashid, Fahmida Y. “Telvent Hit by Sophisticated Cyber-Attack, SCADA Admin Tool Compromised.” Security Week. Wired Business Media, 26 September 2012. Web. 2 February 2013. < >


The dynamics of information security in industrial control systems

5 10 2011

by Zeal P. Somani

Anyone who followed the news last summer would agree that one of the biggest cyber-attacks in recent times to shock the information security community was the malware “Stuxnet” [i], which affected Siemens control systems running on Microsoft Windows. It was the first of its kind to target an industrial control system and compromise a PLC (Programmable Logic Controller), a programmable device controlling critical processes such as pressure valves, water levels and temperature controls in an industrial environment. It exploited 4 zero-day Windows vulnerabilities. From this, a paradigm shift in information security for critical infrastructure can be concluded.

Risk Drivers

Briefly introducing them: Industrial Control Systems (ICS) or SCADA (Supervisory Control And Data Acquisition) systems are core to the major critical infrastructures within a country, such as energy systems (nuclear, coal and renewable power plants, power grids), oil and gas (pipelines, rigs, extraction facilities), manufacturing and production, and metals and mining. These systems have undergone a massive change in their design and the way they communicate in the past decade. To support the real-time needs of business, and with the rise of eCommerce, they are largely integrated with enterprise IT systems; for example, the amount of oil extracted is fed in real time to the marketing department of an oil and gas major involved in the exploration, production and marketing of crude oil. With the rise of modern IT and pervasive business needs, these systems are not spared from infected portable devices (USB sticks, disks, hard drives, etc.). They are no longer sacrosanct, so the concept of “security through obscurity” no longer applies.

C.I.A vs A.I.C

One of the biggest challenges with ICS is that the CIA (Confidentiality, Integrity, Availability) triad is inverted, because the goal of these systems is to keep the critical process available for its required uptime. Unfortunately, very few IT and IT security people understand this difference and hence end up failing to secure these systems. For example, a penetration test on an ICS is not a good strategy for a detective control: it can adversely affect a critical system, for instance by making it enter an infinite loop. A better strategy is a non-invasive identification and assessment of threats and the resulting risk posture.

Common Vulnerabilities and Attacks

Vulnerability: Legacy systems unable to integrate a physically and logically secured architecture on applications
Attack: Viruses, worms, malware and spyware introduced from portable devices

Vulnerability: Industrial protocols lacking encryption and authentication
Attack: Eavesdropping, session hijacking

Vulnerability: Lack of proper segmentation and defense in depth
Attack: A compromised perimeter firewall can leave the entire network compromised

Vulnerability: Insecure database and improperly configured Active Directory
Attack: SQL injection attacks
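Two points above, that industrial protocols carry no encryption or authentication and that a non-invasive assessment is preferable to active probing, fit together in one piece of detection logic. The following is an added example, not from the post: a passive parser for the Modbus/TCP application header that classifies each captured request by function code and raises an alert when a write command comes from a host that is not on the list of systems expected to write to the PLC. Since the protocol cannot tell a legitimate engineering workstation from anything else, the source host is the only signal available. The frames, host names and allowed-writer list are constructed for illustration.

```python
"""Passive classification of Modbus/TCP requests (added example, constructed capture)."""
import struct
from dataclasses import dataclass

# Function codes from the public Modbus application protocol specification.
READ_FUNCTIONS = {1, 2, 3, 4}              # read coils / discrete inputs / registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # write coils / registers


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus function code; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:                      # Modbus/TCP always uses protocol id 0
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:        # length counts unit id + PDU bytes
        raise ValueError("length field does not match frame size")
    return ModbusRequest(tid, unit, fc, frame[8:])


def classify(src_host: str, frame: bytes, allowed_writers: set) -> tuple:
    """Return (verdict, detail) for one request observed from src_host."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("malformed", str(exc))
    if req.function_code in WRITE_FUNCTIONS:
        if src_host in allowed_writers:
            return ("write", f"fc={req.function_code} unit={req.unit_id} from {src_host}")
        return ("alert", f"write fc={req.function_code} to unit {req.unit_id} "
                         f"from unexpected host {src_host}")
    if req.function_code in READ_FUNCTIONS:
        return ("read", f"fc={req.function_code} unit={req.unit_id} from {src_host}")
    return ("review", f"uncommon function code {req.function_code} from {src_host}")


def scan(capture, allowed_writers):
    """Classify every (source host, payload) pair in a capture."""
    return [classify(host, frame, allowed_writers) for host, frame in capture]


# Constructed capture: (source host, raw TCP payload). Hex laid out as
# transaction id, protocol id, length, unit id, function code, PDU data.
CAPTURE = [
    ("scada-srv-01",   bytes.fromhex("00010000000601030000000a")),  # read 10 holding regs
    ("eng-ws-02",      bytes.fromhex("000200000006010600101234")),  # write single register
    ("corp-laptop-17", bytes.fromhex("00030000000601050001ff00")),  # write single coil
    ("unknown-host",   bytes.fromhex("000400010006010300000001")),  # protocol id 1: malformed
]
ALLOWED_WRITERS = {"eng-ws-02"}   # hypothetical engineering workstation

if __name__ == "__main__":
    for verdict, detail in scan(CAPTURE, ALLOWED_WRITERS):
        print(f"{verdict:9s} {detail}")
```

Run against a span port or a packet capture, the same classifier gives an inventory of which hosts read and which write, which is the non-invasive picture of the control network the section argues for.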


Risk Mitigation Framework:

Here I have listed some of the common practices of a sample mitigation framework. This is not exhaustive and it depends on different cases within the industry.

Segmentation and Defense in Depth

One of the first steps is to segment the network adequately [ii] and have a multi-layered secure architecture: the SCADA systems polling data from the plant sit in secure zone 1; they push their data to a historian in secure zone 2, a DMZ; and the enterprise users in secure zone 3 collect data from the DMZ instead of connecting directly to the control systems. There could also be a test or buffer zone between the DMZ and zone 3 to test any software update, patch or new configuration before sending it to live systems. In each zone we employ a “defense” mechanism isolated from the other zones. This defense could be a technology, e.g. a firewall or IPS/IDS (Intrusion Prevention/Detection System), or a process.
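The three-zone design described here (and the segmentation control in the ICS-CERT list above) can be checked mechanically against a firewall rule set. The following is an added example, not from the post or the SANS paper: the permitted zone-to-zone flows are written down once, every allow rule is checked against them, and a reachability walk over the allow rules catches the defense-in-depth failure where no single rule connects the enterprise zone to the control zone but a chain of rules does. The zone names, rule format and sample rules are constructed assumptions.

```python
"""Zone-policy check for a segmented control network (added example, constructed rules)."""
from collections import deque

ZONES = ("control", "dmz", "test", "enterprise")

# Directional flows the three-zone design permits (an assumption drawn from the
# description above: zone 1 pushes to the historian in the DMZ, zone 3 reads
# from the DMZ, and a test zone stages changes before they reach the DMZ).
PERMITTED_FLOWS = {
    ("control", "dmz"),      # SCADA servers push to the historian
    ("enterprise", "dmz"),   # enterprise users read from the historian
    ("enterprise", "test"),  # staging updates and patches
    ("test", "dmz"),         # tested changes promoted towards the DMZ
}


def check_rules(rules):
    """Flag allow rules that use 'any' or connect zones outside the permitted set."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["src"] == "any" or r["dst"] == "any":
            findings.append(f"rule {r['id']}: 'any' zone in an allow rule")
            continue
        if (r["src"], r["dst"]) not in PERMITTED_FLOWS:
            findings.append(f"rule {r['id']}: {r['src']}->{r['dst']} is not a permitted zone flow")
    return findings


def reachable_from(rules, start):
    """Zones reachable from `start` by following allow rules transitively."""
    graph = {}
    for r in rules:
        if r["action"] == "allow" and r["src"] != "any" and r["dst"] != "any":
            graph.setdefault(r["src"], set()).add(r["dst"])
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in graph.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def audit(rules):
    """Per-rule findings plus the multi-hop check the per-rule view misses."""
    findings = check_rules(rules)
    if "control" in reachable_from(rules, "enterprise"):
        findings.append("enterprise can reach the control zone through a chain of allow rules")
    return findings


# Constructed rule sets. Service names are labels only, not real port numbers.
GOOD_RULES = [
    {"id": "r1", "src": "control",    "dst": "dmz",  "service": "historian",     "action": "allow"},
    {"id": "r2", "src": "enterprise", "dst": "dmz",  "service": "historian-web", "action": "allow"},
    {"id": "r3", "src": "enterprise", "dst": "test", "service": "patch-staging", "action": "allow"},
    {"id": "r4", "src": "any",        "dst": "any",  "service": "any",           "action": "deny"},
]
# One extra rule lets DMZ hosts manage control-zone devices, which is enough to
# bridge enterprise -> dmz -> control even though no rule names that path.
BAD_RULES = GOOD_RULES + [
    {"id": "r5", "src": "dmz", "dst": "control", "service": "remote-mgmt", "action": "allow"},
]

if __name__ == "__main__":
    print("good:", audit(GOOD_RULES))
    print("bad: ", audit(BAD_RULES))
```

The default deny (`r4`) is not flagged because only allow rules are compared against the permitted flows; the check is about what is opened, not what is closed.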

Application White Listing:

Up till now we have focused on black-listing rogue applications and programs such as viruses and worms. Another approach is to white-list, i.e. the system runs only the programs and applications “whitelisted” for that particular system. This works best for legacy systems and for systems which are isolated and remote.
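Both this section and the ICS-CERT recommendation in the first post above make the same case for whitelisting on systems that cannot be patched routinely. The following is an added example, not from the post or from any product: a baseline of SHA-256 hashes is taken from a directory while the system is known-good, and later checks report every file whose hash is not on that list, which catches both a dropped binary and a modified one. The sample files and their contents are constructed in a temporary directory so the block runs offline.

```python
"""Hash-based application allowlist check (added example, constructed sample files)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(directory):
    """Baseline: the set of hashes of every file present while the system is known-good."""
    return {sha256_file(os.path.join(directory, name)) for name in os.listdir(directory)}


def blocked_files(directory, allowlist):
    """Files whose hash is not on the allowlist: new binaries and modified ones alike."""
    return sorted(
        name for name in os.listdir(directory)
        if sha256_file(os.path.join(directory, name)) not in allowlist
    )


def demo():
    """Constructed scenario: baseline two files, then drop one and modify another."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in {"hmi.exe": b"HMI build 1", "driver.dll": b"driver build 1"}.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(content)
        allowlist = build_allowlist(d)
        assert blocked_files(d, allowlist) == []          # clean baseline passes

        # Later: a new executable appears and an existing file is altered.
        with open(os.path.join(d, "update.exe"), "wb") as f:
            f.write(b"unreviewed binary")
        with open(os.path.join(d, "driver.dll"), "wb") as f:
            f.write(b"driver build 1, patched by someone")
        return blocked_files(d, allowlist)


if __name__ == "__main__":
    print("blocked:", demo())
```

Keying the list on content hashes rather than file names is what makes the modified `driver.dll` show up: renaming or replacing a file in place does not change the decision, only its bytes do.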

Periodic Audits:

Regular audit checks, whether automated with a tool or performed manually, can prevent many threats from being exploited. These audits are based on industry standards such as NERC (North American Electric Reliability Corporation) CIP (Critical Infrastructure Protection) for US grid operators.

[i] “Stuxnet: Fact vs Theory” by Elinor Mills

[ii] “Building a Better Bunker: Securing Energy Control Systems Against Terrorists and Cyberwarriors”, a SANS white paper written by Jonathan Pollet