After the appearance of Stuxnet, experts in corporate security (who spend most of their time investigating vulnerabilities) saw a new line of research opening up in industrial control systems (ICS), owing to the variety of devices and protocols in these types of environments that have still not been properly examined.
This, driven by the general interest of the community, sparked the development of a range of tools to assist in locating vulnerabilities in this sector. Exploits were also developed to take advantage of the vulnerabilities found in the devices.
One of the best-known tools applied to industrial control systems is Shodan. This is a search engine that allows a user to search for devices by the services they expose, and it can be used to locate devices belonging to industrial environments that are accessible via the internet. No great skill or knowledge of security or industrial matters is required, given that the tool is very intuitive.
- Screenshot of a search in Shodan -
Another very similar tool that performs the same functions is ZoomEye, a Chinese-origin equivalent of Shodan.
Impact of an incident
The importance of securing industrial control systems is closely linked to the image that a company wishes to project in the market. Denial of service attacks and malware (worms, viruses, etc.) have become ever more common threats with a huge impact on ICSs. The successful exploitation of a vulnerability may have various consequences:
- Impacts on physical security and the environment: These impacts cover the range of direct consequences from errors caused in the industrial control systems. Depending on the industry affected, this type of impact can be extremely serious due to the potential loss of lives or personal injury. Other effects include the loss of data and potential damage to the environment.
- Economic impacts: After personal and environmental impacts, economic impacts are the most significant within the range of possible incidents faced by an industrial control system. Economic losses can directly affect the proper functioning of the company, through damage to devices or infrastructure that need to be replaced, or indirectly through a stoppage in the production and service distribution chain.
- Social and media impacts: Although these are the least critical, this does not mean that social impacts are unimportant. The repercussions of a loss of trust in an organisation directly affect its public image, which translates into a loss of clients and, in turn, of revenue, growth potential and competitiveness.
Aftermath of an incident
Listed below are some of the consequences arising from incidents with industrial control systems. Several of the consequences indicated below may occur at the same time in a single incident.
- Reduction or loss of production in one or several locations at the same time.
- Damage to equipment.
- Personal injury.
- Release, diversion or theft of hazardous materials (for example toxic waste).
- Environmental damage.
- Infringement of regulations.
- Product contamination.
- Legal, criminal or civil liabilities.
- Loss of confidential information or intellectual property.
- Loss of image or reputation.
Some of the common incidents for ICSs are listed below:
- Interruption of operations due to delays or blockages in the information flow through corporate or control networks, denial of active services in the control networks or causing bottlenecks in transferring information.
- Unauthorised changes to program instructions in PLCs, RTUs, DCS or SCADA controllers, changes to alarm settings, or unauthorised commands sent to control equipment that damage the equipment itself, cause premature stoppages in processes or even disable the control equipment.
- Sending of false information to operators in charge of controlling the system, either to disguise unauthorised changes or initiate inappropriate actions.
- Modification of software or configuration of the system to cause unforeseeable results.
- Introduction of malware into the system (for example viruses, worms, Trojans).
- Modification of instructions for the creation of a product to cause damage to persons or equipment belonging to the organisation.
All of these types of incidents and impacts are real, as can be seen from the following examples of real-life incidents.
- Timeline of relevant security incidents -
Chemical leak at the Union Carbide Corporation in Virginia (1985)
The chemical spill at Union Carbide was one of the first such incidents in history to be detected and confirmed. The incident, in West Virginia, was caused by an application error: the software had not been programmed to recognise aldicarb oxime, one of the chemicals used in the manufacturing of pesticides, compounded by a human error in interpreting the program's results.
As a result of this incident 134 people had to be admitted to hospital. Union Carbide faced two lawsuits totalling 88 million dollars for damages and was fined 32,100 dollars for endangering the lives of its workers. Union Carbide ended up spending five million dollars on improving its security systems. However, in 1990 there were two more leaks.
Access to the Maroochy waste-water treatment plant in Australia (2000)
The incident at Maroochy is well known because of its curious origin.
In April 2000 a former employee of the water company in the county of Maroochy was arrested, having worked for two years as supervisor of the control system and overseeing 150 pumping stations. They were accused of illegally accessing the county’s drainage control system, in retaliation for their dismissal from the company.
The equipment used for the sabotage was a laptop with the control software installed and a radio modem. The system was accessed undetected by connecting the computer to the pumping station. The result of these intrusions was litres and litres of waste-water spilled into rivers and parks, as well as damage to the reputation of the company in charge of managing the drainage system.
SQL Slammer worm infects the Davis-Besse nuclear centre in Ohio (2003)
The SQL Slammer worm affected various sectors within industrial control systems, causing significant problems for the affected companies.
On 25 January 2003, the SQL Slammer worm appeared on the internet. This worm exploited a vulnerability in a Microsoft product, so the SCADA systems that used this resource were put at risk.
SQL Slammer was detected in the Davis-Besse nuclear centre in Ohio (United States). The worm was introduced into the process control network via a subcontractor's laptop, causing problems in the security monitoring systems: a denial of service originating from the buffer overflow, and a system outage lasting several hours.
SQL Slammer was also detected in a US rail company, CSX Transportation, stopping rail traffic for several hours during that same year.
Detection of Stuxnet in nuclear centres (2010)
Stuxnet was one of the first so-called cyberweapons designed for a specific aim and sector within industrial control systems.
Discovered in 2010 by a security company in Belarus, Stuxnet was a revolution in the world of malware in industrial environments. This malware exploited several 0-day vulnerabilities to reach its objective (Siemens S7-315 controllers in charge of centrifuge rotors). As a result of the exploitation of these vulnerabilities, Stuxnet managed to stop the nuclear centre of Natanz in Iran.
Appearance of Dragonfly in North America and Europe (2014)
Dragonfly is important because it is a cyber-espionage group, emerging in the wake of Stuxnet, focused on industrial control systems in areas of North America and Europe.
Dragonfly relied on two main malware components that gave it remote access to, and control of, infected equipment, delivered through spam campaigns, watering hole attacks and Trojans.
Lessons learnt and best practices
Threats to control systems have always existed, although, in reality, with the technology we now possess their exploitation is becoming easier. Lessons can be learnt from incidents such as the Maroochy treatment plant, where access control profiles for the drainage system and a change of passwords would have avoided the incident.
On the other hand, with the appearance of Stuxnet and Dragonfly, it is clear that the air gap (an environment isolated from external connections) cannot be considered a security measure in industrial environments, and the best option would be proper segmentation of the network.
- Summary table of real incidents -
The growing development of tools, research and technological advances is allowing large amounts of information to be shared that can be used to carry out attacks or intrusions into industrial control systems. It is therefore necessary to analyse the impact and the consequences that these attacks would have, not only on the industrial control system, but also on the critical infrastructure.
It has already been demonstrated, and is clear from the examples given, that an intrusion is possible. Could these attacks affect the infrastructure in my country? Is investment going to be made in industrial cyber-security? Is anything going to be done about this? These are just some of the questions that require a rapid response from the community.