Industrial Control Systems (ICS) operate the global industrial infrastructure, such as pipelines, nuclear stations, oil, electricity and much more. ICS comprises Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controller (PLC) systems and Distribution and Process Control, which are the backbones of ICS. In this article we would like to show you how vulnerabilities appear in ICS.
Introduction
Cyber attacks on critical infrastructure have been rising since the beginning of the 21st century. These attacks are becoming more severe and harder to detect year after year, which has made cyber security a central concern among industry players and governments. Attacks on critical infrastructure, like most cyber attacks, aim to disrupt industrial activity for several reasons, but unlike ordinary cyber attacks, the consequences might be much more severe in the case of industrial control systems.
Cyber criminals take advantage of the following loopholes to research and initiate attacks: lack of encryption and authentication, backdoors and “holes” in the network perimeter, devices with little or no security features (modems, legacy control devices, etc.), database security vulnerabilities (proprietary and/or 3rd party), insecure coding techniques in product design and lack of control system-specific security protection/mitigation technologies. Attacks are mainly aimed at distributed control systems (DCS), programmable logic controllers (PLC), supervisory control and data acquisition (SCADA) systems and human machine interfaces (HMI) through the loopholes mentioned above.
Characteristics and Differences
ICS differ from traditional IT systems in many respects, including priorities and risks. These differences include risk to human health and safety, environmental damage, and financial and economic issues. ICS have different performance and dependability requirements, and they sometimes use unconventional operating systems and applications. When thinking about the security of ICS, the following should be considered:
- Access to Components: Most ICS components are remote and reside far away from central control, and access to these components requires physical effort.
- Lifetime of Components: Given the pace at which IT systems evolve, they are built with a short lifetime of at most 5 years, while for ICS the lifetime is 5 times longer due to their specification and dimensions.
- Performance: ICS require timely responses to their operations; in general they can't withstand delays.
- Threat management: The difference between ICS and ordinary IT systems in threat management is that the priority for ICS is human life and health, whereas for IT systems the main priority is data security.
- Availability: ICS processes are meant to be continuous, therefore unexpected outages are strictly unacceptable. Because ICS are used in massive infrastructures, every outage should be planned beforehand in order to prevent production loss. Therefore we can't easily reboot ICS the way we can IT systems.
- Architecture Security: Architecture security mainly focuses on edge clients; however, the security of central servers is important too, because they may interconnect all edge devices and clients.
Threats and Vulnerabilities – SCADA and PLC
Threats may come from different sources, including cyber criminals, cyber terrorists, hostile governments, industry adversaries and more, depending on which industry an ICS operates in and how valuable it is to attackers. Let’s break down those sources in order to make their aims clearer:
- Cyber criminals: These attackers break into networks either to gain fame in the community or for financial gain. Nowadays it is easier to initiate cyber attacks on ‘anything’; one can find numerous attack scripts and malicious tool kits on the Deep Web and other hidden forums. These tools may be purchased or even found free of charge in the wild. For example, in 2012 one was able to download and tweak the source for the Stuxnet successor DuQu free of charge from several underground forums.
- Terrorists: In the 21st century terrorists operate in the online world too, and they are called cyber terrorists. They initiate attacks including acts of deliberate, large-scale disruption of computer networks by means of so-called cyber weapons. Cyber terrorists aim to disrupt industrial infrastructure in order to cause economic loss, cause human death or endanger human lives.
- Hostile governments: A typical example of a hostile government attack is Stuxnet, the tool that set Iran’s nuclear program back by 2 years. Despite the fact that we don’t know exactly who created this cyber weapon, we may use a deductive method to make some guesses.
- Industry adversaries: It’s not a secret that there is great competition in industry, but sometimes competition transforms into a ‘war’. Industry leaders often use insiders and industrial spies to acquire secret information from adversaries by means of clandestine and secret operations, during which sensitive security data may be leaked, endangering human lives and health.
Now that we have a general idea about threats and their sources, we should have a general understanding of common vulnerabilities in Industrial Control Systems. According to research and reports from the United States Computer Emergency Readiness Team, we can identify the following common vulnerabilities found in most ICS:
- Buffer overflow
- Cross Site Scripting
- Lack of proper access control policy
- Lack of password policy
- Poor or no patch management
- Lack of data protection policy
- No maintenance of OS and security patches
- Outdated software utilization
- Lack of testing facilities
- Dual NIC usage
- Lack of remote access security
- DoS and DDoS vulnerabilities
- Clear text utilization
- Lack of Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
- Poor log maintenance
- Lack of proper AV or Malware Protection software
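Several items in this list (dual NIC usage, clear text utilization, missing OS and security patches) can be checked directly against an asset inventory. The following Python example is added here and is not part of the original article; the subnets, the inventory records, the port list and the patch-age threshold are constructed assumptions for illustration.

```python
import ipaddress
from datetime import date

# Assumed zone layout (constructed): one corporate and one control subnet.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}
# Services that send data unencrypted by default: FTP, Telnet, HTTP, Modbus/TCP.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 502: "modbus/tcp"}
MAX_PATCH_AGE_DAYS = 365  # assumed policy threshold

# Constructed sample inventory, not data from a real site.
INVENTORY = [
    {"host": "hmi-01", "ips": ["192.168.50.10"], "ports": [443],
     "last_patch": date(2024, 1, 15)},
    {"host": "eng-ws-02", "ips": ["10.10.4.7", "192.168.50.20"], "ports": [23, 3389],
     "last_patch": date(2021, 6, 1)},
    {"host": "plc-gw-03", "ips": ["192.168.50.30"], "ports": [502],
     "last_patch": date(2019, 3, 9)},
]

def zones_of(ips):
    """Return the set of zone names that the given addresses fall into."""
    found = set()
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        matched = [name for name, net in ZONES.items() if addr in net]
        found.update(matched or ["unknown"])
    return found

def audit(inventory, today):
    """Return (host, finding, detail) tuples for the three checks."""
    findings = []
    for asset in inventory:
        zones = zones_of(asset["ips"])
        # Dual NIC: a control-network host that also sits in another zone.
        if "control" in zones and len(zones) > 1:
            findings.append((asset["host"], "dual-homed", ",".join(sorted(zones))))
        for port in asset["ports"]:
            if port in CLEARTEXT_PORTS:
                findings.append((asset["host"], "cleartext", CLEARTEXT_PORTS[port]))
        age = (today - asset["last_patch"]).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append((asset["host"], "stale-patch", f"{age} days"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, date(2024, 6, 1)):
        print(*finding, sep="\t")
```
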