Biggest Threats and Vulnerabilities in ICS/SCADA Systems

Satyam Singh
By Satyam Singh

December 17, 2019

Imagine this: a water treatment facility is about to create some big security problems.

The water treatment facility is working with a 3rd party vendor. That vendor is managing the facilities remotely. To do so, the facility needs to expose some of their processes to the internet. But as soon as the facility connects, they expose their operations to potentially malicious actors just waiting to exploit them.

What would happen if the facility’s processes are compromised?

What would happen if cybercriminals took command of the facility?

How much harm could they cause before they were even detected?

The answers to these questions are troubling. But, thankfully, they are also avoidable.

Here’s how.

The Trouble with Your Industrial Control System (ICS)

If you are in one of these industries, you most likely utilize an ICS, and you are open to attack:

  • Energy
  • Water
  • Oil & Gas
  • Electricity
  • Traffic Control Systems.

Even if you are not in one of these industries—If you manage an industrial facility, then you need an ICS, no matter how many vulnerabilities it opens up for you.

Your ICS offers the only effective method to control your complex processes related to manufacturing, production, and distribution. Your ICS is a complex system that stitches together all of the individual components that must work together to achieve your facility’s objectives. These components can include multiple individual control systems, including your:

  • Supervisory Control and Data Acquisition (SCADA)
  • Distributed Control System (DCS)
  • Programmable Logical Computer (PLC)
  • Remote Terminal Units (RTU)
  • Intelligent Electronic Devices (IED)

Each of these components are critical pieces of your Operating Technology (OT)— and they all make your ICS a prime target for cyberattacks.

ICS vulnerabilities

This is not a theory. The deep security flaws inherent to every ICS was made famous by the Stuxnet attack on an Iranian uranium enrichment facility in 2010, as well as the BlackEnergy malware that was deployed against the Ukrainian power grid in 2015.

Ultimately, most ICSs lack basic security practices and are inherently vulnerable to several significant vulnerabilities. These include:

1. Exposure over the internet

An ICS is nothing new. But ICS vulnerabilities are. Before the growth of the internet, ICS operations were confined to the plant the ICS served. But many ICS deployments are now digitizing and connecting to the internet. They must do so to expand their operations, integrate with other platforms, and make it easier to access. Unfortunately, many companies are using insecure connections to upgrade and modernize their ICS and allowing backdoor access for malicious parties to enter the ICS environment.

This digitization can create big problems, even when the industrial facility deploys reliable security monitoring. Often the industrial facility simply provides external access to the vendors that maintain their system. But if those external vendors don’t comply with their own strict security policies, then they can threaten the industrial facility’s ICS. Sometimes, it is even simpler— if the vendor uses a misconfigured VPN, they might compromise their client’s ICS by failing to restrict access properly.

2. Weak segregation

This is one of the most common factors that can compromise an ICS. When the facility allows inadequate segregation between their IT and their OT environments, then they may unintentionally allow a machine connected to their IT network to reach a device on their ICS network. This then allows a malware attack on the IT system to spread to the OT set up easily.

3. Default configuration

Let’s be clear— some patches have already been created for known vulnerabilities within the ICS environment, and their vendor’s systems. But many facilities have not implemented these patches, and continue to use their default configurations. Why? Because many industrial facilities cannot afford the downtime required to patch their ICS. They can’t suffer decreased production and lost revenue involved. So they tell themselves their ICS is securely isolated, or that they have no policy addressed by patches, and they keep their default configurations.

4. Weakness in ICS protocols

Remember: your ICS was likely not built to be connected to the internet, so it was not designed with security in mind. And if you are still using the same protocols you used in your initial ICS setup, then you are operating an inherently insecure system. As a concrete example— the MODBUS protocol uses cleartext communication, which may allow the attacker to eavesdrop on traffic. The MODBUS protocol does not have proper authorization, which may lead to unauthorized actions like updating the ladder logic program or shutting down the PLC.

5. Weakness in ICS applications

Similarly— ICS and HMI applications can also be vulnerable to web-based attacks or numerous client-based attacks, like SQL Injection, Command Injection, or Parameter manipulation. These applications tend to lack encryption protocols, which leads to cybercriminals performing simple—but effective—credential sniffing. They can then easily create a cross-site scripting attack, that can rapidly lead to them completing Session Hijacking on your ICS.

6. Lack of security awareness

This is a very, very common issue. Even if your ICS is relatively secure, it will still be open to user error, or attacks that target your employees directly. Employees often become a victim of social engineering, phishing, and spear-phishing attacks, simply because they lack security awareness. If your employees do not maintain excellent security habits at all times, then they can become compromised with one wrong click. From there, your attacker can spread from your compromised employees’ machines and penetrate deep into your network via lateral movement.

ICS threats

Nearly every ICS is also a prime target for a range of cyberattacks:

1. Malware threats

Your employees in your office and ICS environment likely use portable, removable forms of media, like USBs, CDs, DVDs, and SD cards. All of these can be used to transfer malware that by embedding it in inconspicuous JPG or.PDF files, for example. Once one of these media storage devices is compromised, it can then be used to bypass physical security and infect your ICS environment. 

This happens all the time. Employees often carry their office USB flash drive home and connect it to their laptops. These personal devices are rarely secured, and often contain malware. The first known attack of the Stuxnet malware entered the Siemens ICS when one of their engineers brought in their pen drive and used it at Siemens.

2. Insider attack

Insider attacks are a significant threat within every organization, and yours is no exception. Your internal employees are likely to compromise your ICS through both intentional and unintentional malpractice. While unintentional compromises are common, you likely have at least a few disgruntled employees or insiders paid to attack or steal assets and are ready, willing, and able to compromise your systems.

And if you are like many organizations, then you are vulnerable to these attacks because you neglect to follow the principle of least privilege. By doing so, you are allowing one of your employees to perform sensitive actions they are not authorized to perform, but which they are also not blocked from performing. In one of the most common cases— you will open yourself to tremendous vulnerabilities if you fail to revoke access to employees leaving your company.

3. Denial of service

Your ICS likely uses both wired and wireless connections. If you suffer attacks on these connections, you may experience an interruption of the real-time communication between your ICS components. This might not sound like much, but for your ICS, seconds-long delays can create a severe negative impact on your operations. And this is only one of the many types of DoS attacks that can be used against your components. Others include PLCs. They are fragile in nature, and a single massive port scan can crash your PLCs and easily disrupt the rest of your operations.

4. Third-party threats

The more you outsource system support for your ICS setups, the more you will open yourself to compromises from your 3rd party support staff’s infected machines. Because you don’t have direct control over their your 3rd party service providers’ infrastructure, you are increasing your risk of exploit with every new outsourcing deployment.

5. Technical or physical malfunction

Sometimes, ICS compromises are not high-tech. Sometimes, they are generated by component-level failures, like breaks in your power lines, hard disk failure, system crashes, and broken cables. This ground-level issues can create runtime failures in your software that can disrupt your operations until you reset or repair your software or systems.

Conclusion

For a long time, your ICS was safe. But today, your ICS is most likely exposed to the same cyber threats as your IT stack. As your ICS expands, it creates new attack vectors that make you suffer more and more attacks each day. And if you let your ICS get breached, you may experience physical damage.

There is only one solution— to secure your ICS, you must develop the capability to identify rapidly, control, and mitigate security threats, quickly control and mitigate your security threats and vulnerabilities.


About

Satyam Singh