Why companies using SCADA systems need to wake up to the increased threat of cyber-attacks

Something that has been warned about here since 2011. This is not limited to just Ukraine, but a very vulnerable America as well.

See the SCADA/SCADAs tags for more information.

Late last year, the media reported on the co-ordinated, multi-faceted attack on the Supervisory Control and Data Acquisition (SCADA) systems used by a Ukrainian power company. The attack plunged the homes of more than 80,000 people into darkness at Christmas, sparking international interest and condemnation.

Since the attacks, we’ve learned more about the incident and the alleged attackers. It appears that the incident was probably the work of hackers who used highly destructive malware to gain a foothold in multiple regional distribution power companies in Ukraine. Beyond simply causing an outage, there is evidence that the group managed to significantly delay attempts to restore the network, prolonging the impact of the incident.

Supervisory Control and Data Acquisition (SCADA) is an industrial control system used to monitor and control industrial processes that exist in the physical world. Examples range from raising and lowering the Thames barrier to controlling energy-generating and distribution networks, including nuclear, traffic systems and rail networks all over the world. It is not hard to recognise that the impacts of cyber-attacks on these systems can be huge – and that a successful attack would be an attractive goal for both individual hackers and state-sponsored organisations.

SCADA has been around for many years, and when it was developed security wasn’t at the forefront of the developers’ minds; cyber-security simply wasn’t the issue it is today. Indeed, it was first developed at a time when common networks as we know them today simply didn’t exist. Very few people were even aware of the existence of SCADA, let alone any vulnerability in its code. Security was through obscurity. Beyond that, access to the pieces of hardware that used SCADA was difficult if not impossible. Networks and access to them were not widespread, and the equipment that housed SCADA was often at the bottom of the sea in inhospitable environments. The attack surface (i.e. the exposure to a potential attacker), and therefore the likelihood of an attack, was historically very small.

It looks as though the attack on the Ukrainian power systems was a prime example of a phishing attack. An employee inadvertently ignored best practice and opened an email attachment he or she shouldn’t have. About 90 percent of all exploits rely on a user; attackers use a combination of phishing and/or social engineering attacks. These typically require the recipient to click on a link, open an attachment, or innocently give up a sensitive piece of information. This incident began with some form of phishing attack. This was the root cause of this incident. Stop it and the attack fails. The most effective way of stopping them, and thus cyber-attacks, including ones on SCADA, is through an effective awareness programme.

Although investing in progressively more expensive and complex technological security systems will make a difference, nothing is more important than ensuring that all employees, regardless of their role or status, exhibit good online behaviour and are able to identify risks before they are allowed to infect your systems, damage your organisation and potentially impact the lives of thousands of people. Educating your workforce should be a key part of your resilience strategy, particularly when the technology your organisation relies on is becoming more and more of a target.

Full article: Why companies using SCADA systems need to wake up to the increased threat of cyber-attacks (SC Magazine UK)
