This week, InduSoft employees got together to watch Zero Days, a documentary film from Alex Gibney that explores the origins and implications of the Stuxnet virus, which specifically targeted control systems and PLCs, and has played a huge role in alerting the industry to the need for additional cybersecurity measures in control systems.
Much of the information regarding the Stuxnet virus will be old news for anyone who has followed SCADA security in the six years since its discovery, but the film does point out how such a virus may have been introduced into what should have been one of the most secure facilities in the world. As the film notes, even an air-gapped system is not fully secure. Experts and whistleblowers suggest that the system was likely infiltrated first by sneaking in agents, and later by infecting contractor companies that might bring maintenance equipment into the facility.
Perhaps the most disturbing implication of Zero Days is the idea that the magnitude of the attack, motivated by political goals, may have set a dangerous precedent for targeting infrastructure as a means of control in a new era of cyberwarfare. No country or group claims responsibility for Stuxnet, but computer experts point to indications that the virus was a joint operation between the United States and Israel, with the purpose of disabling Iranian nuclear material manufacturing capabilities.
Now that critical infrastructure attacks have been opened up as a weapon against a nation-state, it’s sobering to know how vulnerable the systems of every country are, particularly as cloud-based computing and IoT architectures become more prevalent. A targeted attack on infrastructure could dismantle communications, satellite (GPS) or internet access, water/wastewater facilities, electrical grids, and any other control system that is connected to the internet (or not!). Zero Days serves as a stark warning of our vulnerabilities in an interconnected world, and references several attacks that have been committed against United States businesses as proof of concept that any nation-state with an advanced cyber department is capable of initiating the same kinds of attacks. Unlike nuclear non-proliferation treaties, we have no formal agreements on what is considered an act of cyberwarfare, nor do we have inspectors or the means to ensure that cyberattacks are not being used.
Warning Signs Today
Some of the scenarios indicated as a possibility in Zero Days are already becoming apparent today. Sources have suggested that recent attacks on the United States Democratic National Committee servers may have been orchestrated by Russian teams in an attempt to disrupt the US elections. Even more recently, the tools used by the United States National Security Agency to exploit systems were discovered by a group known as the Shadow Brokers, and auctioned online. The tools are said to contain multiple zero-day exploits, and the veracity of the claims has been backed by documentation provided by Edward Snowden. With these exploits presumably available, we may see them employed in the future.
If there is a bright spot in this recent news, it may be that the hack that secured these files was due more to sloppy cyber hygiene than skilled hacking. Snowden suggests that NSA operatives may have left the files on a server meant to be controlled by someone else, and forgotten to remove them afterward.
InduSoft has been dedicated to cybersecurity education and training for some time, and we would like to offer users of InduSoft Web Studio our guidelines and best practices for protecting the critical data that passes through their systems every day.
Very Basic Rules to Remember:
Prevention – Prevention should always be a top focus, even if it is impossible to prevent each and every attack. Often prevention is left until it’s too late, or only implemented after a breach. It is critical to institute policies that include cybersecurity best practices, including antivirus software, updated software, vulnerability scans, and on-premises measures like blocking USB ports and isolating the network that handles critical process data.
Secure Communications – Ensuring that your firewall only allows necessary transfer of data can help shield your system. By isolating the most important information to the most secure channels, it’s possible to offer yourself the best protection possible.
Simplicity – By restricting your system to as few components as possible, you leave fewer potential backdoors open. Whenever possible, keep additional software to a minimum and use only trusted software that makes security features a priority.
Always Download and Install Patches – It goes without saying that even vulnerabilities the vendors are already aware of remain a threat if your software isn’t up to date. It’s always recommended that you keep your system on the most recent versions of the software, and always download and install patches, no matter how minor.
Intrusion Protection – Intrusion protection and other real-time monitoring can help you identify a breach as it happens, instead of long after the fact, when it’s too late to contain.
Incident Response Protocol – Make certain that you have protocols in place in case of a breach. Know which system functions are absolutely critical and prioritize the most vital aspects of your system when it comes to response.
Limit the Spread of Infected Systems – Before and after a breach, limit connections to those that are absolutely required for business needs. By restricting access to all other parts of the network, it may be possible to slow the spread of an infection and quarantine the affected components.
More information from InduSoft Regarding Cybersecurity:
- Understanding Industrial Cybersecurity Threat Vectors
- Trends in Automation: Studying up on CyberSecurity
- Download the SCADA Security Ebooks from InduSoft and the Information Systems/Cybersecurity Center of Excellence at Eastern New Mexico University – Ruidoso
- The NIST Cybersecurity Framework from an Automation and Control Systems Perspective
- More Thoughts on Cybersecurity for Intelligent Systems
- Protecting IoT Ecosystems from Malicious Apps and Attacks
- Water Security Concerns for the Water/Wastewater Industry
- Industrial Automation Security: Cyber-Attack Against Ukrainian Critical Infrastructure (And How to Prevent Similar Breaches)
- Tech Talk Thursday: Protecting Infrastructure from Zero Day Exploits and Cyberwarfare
- Thursday Podcast: SCADA/HMI Security with Richard Clark
- Five ways to improve SCADA Security for Critical Infrastructure
- Protecting Internet-Facing HMI Systems
- Are You Thinking About Industrial Control System Security Yet?