
Industrial control systems and SCADA cyber-security | E&T Magazine online

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/273394302
Industrial systems: cyber-security's new battlefront [Information Technology / Operational Technology]
Article in Engineering & Technology · September 2014
DOI: 10.1049/et.2014.0810
Citations: 12. Reads: 708.
1 author: Richard Piggin, Rapiscan Systems (78 publications, 250 citations)
All content following this page was uploaded by Richard Piggin on 11 December 2019.
12/11/2019
Industrial control systems and SCADA cyber-security | E&T Magazine
https://eandt.theiet.org/content/articles/2014/08/industrial-control-systems-and-scada-cyber-security/
Industrial control systems and SCADA cyber-security
By Dr Richard Piggin
Published Monday, August 11, 2014
Hackers are now directing their activities toward the technology commonly found in power stations, factories
and other infrastructural facilities. Engineers tasked with managing these systems must understand the rising
risk, and ensure that safeguards are implemented.
Awareness of the cyber-security risks inherent in industrial control systems (ICSs) and supervisory control and data acquisition (SCADA)
systems has been growing since Stuxnet, the first publicly-known malware to specifically target these classes of technology, first appeared in
June 2010.
The ‘reconnaissance’ malware launched by Energetic Bear group (aka ‘Dragonfly’), just over four years later, highlighted the continuing
business risk to engineers, technologists and (potentially) executive boards responsible for the management of a broad range of facilities using
ICSs.
Malware is being developed that targets ICSs; more alarming still, this malware has been delivered by ‘legitimate’ means (ie, vendor updates downloaded from the vendors’ own websites) and is programmed to obtain information about ICSs. Without reconnaissance, it is difficult for a cyber-threat to stage an attack: the importance of protecting plant information cannot be over-stated.
Stuxnet’s intention was to sabotage operational industrial plant – not disrupt abstract IT systems. No-one has claimed responsibility for
originating Stuxnet; there has been speculation that it was developed by nation states to attack Iran’s facilities – a 2011 New York Times report
suggested that it ‘wiped-out’ around 25 per cent of Iran’s nuclear centrifuges and helped delay the country’s ability to make nuclear arms – but
other countries’ facilities were also infected.
Stuxnet highlighted that these types of ICS were vulnerable to attack. Organisations would be wrong, however, to base their threat assessments on Stuxnet alone. Automation components are generic, so less-sophisticated attackers could reuse similar techniques and make their attacks scalable. Stuxnet variants have also been identified. The Havex.A RAT ‘reconnaissance piece’ – explained elsewhere in this article – might be an early indication of new Stuxnet-inspired attacks.
New threats come in the wake of investigative research carried out earlier this year by consultancy firm Atkins, which discovered that data is being made available from various mainstream online media that – theoretically – could be used by hackers to inform attacks on a range of ICSs and SCADA-based platforms. Atkins wanted to understand what ICS/SCADA information found in the public domain could be used to target control systems and to assess the remedial actions organisations might take to improve security in ICS domains.
The findings brought new emphasis to the fact that hackers and other cyber-threats are increasingly turning their attention to the ICSs and what
is being termed operational technology (OT) running much of the enabling computer technology that factories, assembly lines, industrial plants,
and utilities (ie, power, gas, water), now rely on.
Aside from information that might advertently or inadvertently be published into the public domain about ICSs and their vulnerabilities, probably the most alarming source of disclosure of ICS equipment is the Shodan website. This is a search engine for Internet-facing devices: Shodan interrogates connected devices and catalogues the response from each device, known as a ‘banner’. The equipment banner information is then indexed; device-specific searches can be filtered by port, hostname and/or country.
Hacking the humans
According to cyber threat intelligence firm iSightpartners, since at least 2001 Iranian hacker groups have been engaged in a ‘creative’ social media campaign aimed at high-ranking USA and Israeli defence, diplomatic and other officials. Targets were lured to fake websites through an elaborate social media network that features a bogus news site called NewsOnAir.org. The cyber-espionage operation – ‘Newscaster’ – used social media to engage with targets, building trust through fake relationships with friends, family and colleagues in order to compromise email accounts. Victims were then sent spear-phishing emails with links to spoof webmail login pages to steal account credentials.
No matter how thorough an organisation’s awareness of potential risks, and how diligently its safeguards are applied, personnel – including third-party staffers and contractors – can still constitute a weak link; but weaknesses can be converted into defence. Effective security can become cultural, like safety considerations. However, while we understand system safety, system cyber-security is more difficult and less tangible. Yet organisations can do more to highlight the risks and the right behaviours. More sophisticated attacks may be initiated by ‘spear phishing’ (eg, artfully-crafted emails directing victims to download malware). Risks of information leakage, inappropriate social media use and circumventing security policies and procedures can be reduced with suitable education. One-third of manufacturing organisations were affected by at least one targeted spear-phishing attack in 2013, according to security vendor Symantec. Education and straightforward reporting can help.
System vulnerabilities, hacking tools and so-called ‘script kiddies’ (unskilled individuals using third-party scripts or programs developed to attack computer systems, networks and specifically ICSs) represent an escalating threat. The technical knowledge required to launch an attack has fallen due to the availability of ‘off-the-shelf’ hacking tools. Vulnerabilities are better understood due to increased reporting, the emergence of ‘ICS security research exploits’ and heightened media coverage.
There are features of ICSs that constitute security weaknesses. These include the inherent trust associated with system components when communicating with other control system elements. The prime one is the ‘automation Lego’ of generic components designed to be easily integrated, programmed and configured: such a component doesn’t need to have a vulnerability exploited – it just has to be reprogrammed.
[Infographic: The Energetic Bear attack, featuring further information and a timeline of events]
It is a legal requirement to risk-assess ICSs and design them to avoid safety failures. Whether these established risk-assessments extend to
ICS cyber security is less easy to ascertain. Even where control systems suffer a security breach, research has shown that safety functions
have not been compromised; but a nuisance shutdown may occur that impacts on operations, and might also have financial and contractual
implications.
Reasons for a shutdown may not be readily discernible. Instances of ICS/SCADA devices being in some way compromised might not be
immediately evident to operators or engineers, as the systems were probably not implemented with suitably-granular diagnostics or forensic
capability.
Gauging the level of risk to an ICS means understanding the application and the physical process under control. Non-availability could be significant, as indeed could the opposite: unexpected operation. Understanding the threat agent, their motivation and their capability is another key consideration: second-guessing their motivation might give a clue to the sophistication of future activity and the defences required.
Most control systems engineers are now aware of the potential impact of safety incidents, which may include damage to equipment,
environmental damage, injury to persons and even fatalities. Potential consequences for the failure of ICS systems are known, and often widely
reported.
So it’s important to bear in mind that a range of factors – and not just malicious intent – can affect ICS security. This demonstrates the challenges facing the organisations that rely on them. Taking steps to address ICS cyber-security should improve control system resilience to other adverse incidents, reducing unplanned downtime and facilitating a more rapid return to business-as-usual following an incident.
Prelude to a sophisticated attack?
Malware that was detected in July 2014 targets ICSs in the European Energy sector. The malware was distributed by phishing emails with PDF
attachments to selected employees, industry websites (known as a ‘watering hole’ attack) and via compromised software updates on three
legitimate ICS vendor websites. This variant of the Havex.A Remote Access Trojan (RAT) is targeted specifically at ICSs, although previous
versions have been used against the defence and aerospace sectors, with 88 variants discovered.
Internet security solutions provider F-Secure revealed that the RAT has been adapted for intelligence gathering on ICSs, enumerating networks and specifically searching for Open Platform Communications (OPC) servers. OPC was originally named Object Linking and Embedding (OLE) for Process Control, and was later renamed Open Platform Communications by the OPC Foundation. Such servers are used for real-time data communications between ICS/SCADA devices from different vendors. A large number of (mostly) European Energy organisations have reportedly been affected.
A notable feature of Havex is that one of the routes to infection is via compromised manufacturer software updates. The group behind the
Trojan exploited vulnerabilities in the website content management software for command and control servers, hiding the Trojan in legitimate
software installers available for download to customers in order to compromise ICSs/SCADA systems.
Crucially, one of the affected software updates is for secure remote access. Once the malware is installed, it communicates with one of the 146
command and control servers (the compromised Web servers) and downloads the ICS/SCADA ‘sniffer’ component. This demonstrates an
intention to exploit and control ICS/SCADA systems, which is presently uncommon.
Previous extensive evidence of the Havex RAT has been attributed to the Russian Federation by security provider Crowdstrike’s ‘Global Threat Report 2013 Year in Review’, suggesting the group responsible may have operated with the sponsorship or knowledge of the Russian state. According to ICS-CERT, the Industrial Control Systems Cyber Emergency Response Team based in the US, Havex uses an old version of OPC, ‘OPC Classic’.
Research has shown that infected systems may crash, causing an OPC communications denial of service. The new OPC Unified Architecture does not use the Microsoft COM/DCOM technology and is unaffected. Affected organisations are recommended to check their network logs for potential Havex activity and to secure their OPC servers.
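The log check ICS-CERT recommends above can be approximated with a simple flow-log heuristic. This is an added example, not code from the article, ICS-CERT or any vendor: it assumes connection logs in a constructed ‘timestamp src dst dport’ format and flags any source that contacts the DCOM endpoint mapper (TCP 135, which OPC Classic relies on) on many distinct hosts within a short window, the enumeration pattern the text describes. The threshold, window and sample traffic are assumptions to be tuned per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (not real traffic): "timestamp src dst dport".
# OPC Classic sits on DCOM, whose endpoint mapper listens on TCP 135, so one
# source sweeping many hosts on that port is an enumeration signal.
SAMPLE_LOG = """\
2014-07-01T08:00:01 10.1.2.20 10.1.2.50 135
2014-07-01T08:00:02 10.1.2.20 10.1.2.51 135
2014-07-01T08:00:02 10.1.2.20 10.1.2.52 135
2014-07-01T08:00:03 10.1.2.20 10.1.2.53 135
2014-07-01T08:00:04 10.1.2.20 10.1.2.54 135
2014-07-01T08:00:05 10.1.2.20 10.1.2.55 135
2014-07-01T08:00:09 10.1.2.20 10.1.2.56 135
2014-07-01T08:01:00 10.1.2.30 10.1.2.50 135
2014-07-01T09:00:00 10.1.2.40 10.1.2.60 502
"""

DCOM_PORT = 135                  # DCOM endpoint mapper used by OPC Classic
THRESHOLD = 5                    # distinct hosts per window before alerting (assumed)
WINDOW = timedelta(seconds=60)   # sliding window length (assumed)


def parse_log(text):
    """Parse lines of 'timestamp src dst dport' into tuples; skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
        except ValueError:
            continue
    return sorted(events)


def find_opc_sweeps(events, known_clients=frozenset(), threshold=THRESHOLD, window=WINDOW):
    """Return {src: peak distinct DCOM targets} for sources that reach the threshold
    within any sliding window. Known OPC clients (an allowlist) are skipped."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == DCOM_PORT and src not in known_clients:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        peak = 0
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it is within `window` of the newest hit
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in hits[start:end + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in find_opc_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"possible OPC enumeration from {src}: {n} DCOM targets within {WINDOW}")
```

Legitimate OPC clients and management hosts will also touch port 135 on many servers, so populate the allowlist from the asset inventory before acting on an alert.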
Organisations have sought to optimise processes and reduce cost, using the opportunity afforded by the technology trend of convergence of control systems or OT on common IT technologies such as Ethernet, standard computer operating systems and wireless. However, this opportunity potentially carries increased risk as often formerly isolated control systems, including safety systems, are opened to the enterprise for business users – and thus potentially exposed to the Internet. Organisations are finding convergence demanding – and security of an ICS is often compromised.
ICSs have many characteristics that differ from traditional IT systems, including different risks and priorities. In many organisations, the
business impact of an ICS incident is not assessed or considered alongside information assurance or safety risks. Executive boards don’t
always recognise the issue and it is often not articulated to them by those in the know.
The fact that the IT security and engineering communities do not often mix, share limited information and have differing perspectives and use
different language, needs to be better understood. Few corporate boards have members with direct responsibility for cyber security, let alone an
appreciation of ICS security and its nuances.
Good practice strategies outlined
So what are infrastructure operators, governments and academia doing about this threat? There has been work on providing guidance on ICS security, notably the US National Institute of Standards and Technology (NIST) information about the potential malicious events that could affect a control system.
Governments are providing good practice guidance and information. In the UK, the Cyber-Security Information Sharing Partnership (CISP) was
launched in March 2013. It is a joint, collaborative initiative between industry and government to share cyber threat and vulnerability information
in order to increase overall situational awareness of the cyber threat – and therefore reduce the impact upon UK business.
Industry groups are sharing information and producing sector standards and progress plans. Standards such as IEC 62443 are being
developed in this area, as are guides such as the forthcoming ‘Cyber Security in the Built Environment Code of Practice’ guidance from the
Institution of Engineering and Technology (IET).
Good ‘cyber hygiene’ can reduce risk. A few steps are recommended to provide a good level of security. The recently launched UK Cyber
Essentials Scheme from the UK Department for Business, Innovation and Skills and the Cabinet Office, concentrates on five controls against
Internet-originated attacks. While not primarily aimed at ICSs, the recommended controls focus on access control, boundary firewalls and
Internet gateways, malware protection, patch management, and secure configuration.
Industry is developing specialist courses to develop skills and bridge the gap between ICS engineering/OT and IT, such as the Global Industrial Controls Systems Professional Certification (GICSP) from the SANS Institute. Conferences – such as the forthcoming IET System Safety and Cyber Security 2014 Conference (scheduled for 14-16 October 2014) – are an important step toward awareness-raising and peer education.
CPNI and EPSRC have just launched RITICS: Research Institute in Trustworthy Industrial Control Systems. This activity supports the UK’s
Cyber Security Strategy and the creation of research institutes. RITICS was created in January 2014 as a response to the growing need for
improved cyber security for ICSs.
The UK Centre for the Protection of National Infrastructure (CPNI) is the government authority that provides security advice to the national infrastructure. Specific SCADA advice is offered by the CPNI in a series of process control and SCADA security good practice guidelines. Since the CPNI Good Practice Guides were published, there has been an increase in the industrial cyber security guidance available. There are now a number of generic guides and resources for securing ICSs. They include: National Institute of Standards and Technology (NIST) Special Publication 800-82, ‘Guide to Industrial Control Systems Security’ (www.csrc.nist.gov/publications/PubsSPs.html); IEC/TS 62443-1-1:2009, a technical specification which defines the terminology, concepts and models for Industrial Automation and Control Systems security and establishes the basis for the remaining standards in the IEC 62443 series (www.iec.ch); and the CPNI’s ‘Process control and SCADA security’ good practice guidelines series (www.cpni.gov.uk/advice/cyber/scada).
Safety checklist
The operators of industrial control systems are responsible for their security. A basic checklist specifically for ICS operators might recommend that they should:
- Undertake open-source searches to identify plant information, and take steps to mitigate accordingly
- Restrict physical access to the ICS network and devices
- Protect individual ICS components from exploitation (for example applying security patches after testing; disabling unused ports and services; restricting ICS user privileges; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where feasible) to prevent, deter, detect and mitigate malware
- Maintain functionality during adverse conditions: design ICSs so that critical components have redundancy. Component failures should not cause cascading events, such as unnecessary traffic on the ICS or other networks
- Plan for system restoration after an incident. Incidents are inevitable and an incident response plan is a basic requirement
- Review ICS security and training. As time progresses systems change, vulnerabilities are discovered, information is published and there is staff turnover.
Another ongoing requirement is to educate and share information on the evolving threat – this is why, its advocates say, UK organisations should participate in CISP. Vendors of control systems need to develop technologies to secure products; users should assess these and make their requirements known. ICS users need to implement appropriate security measures, including security functionality in existing equipment, and harden systems. Ensuring appropriate governance and responsibility is another key element to implementing a programme that underpins business resilience.
Dr Richard Piggin CEng MIET is a security consultant at Atkins (www.atkinsglobal.com\ics-demo) and a UK expert to the IEC 62443 working group for the industrial automation and control systems security standard.