Kathy Gibson reports from Kaspersky Labs’ Cybersecurity conference in Baku – As the Internet of Things becomes more pervasive, organisations find that their industrial systems are now exposed on their corporate IT networks and therefore a lot more vulnerable than they were in the past.
Amin Hasbini, senior security researcher at Kaspersky Lab, points out that looking after industrial systems has become more important than ever before, but the industry has not tended to pay much attention to this area.
Kaspersky Lab researchers point out that the risks for industrial systems are huge – and go beyond the scope of what companies have come to expect from cyber-threats.
Hasbini points out that companies are now looking to connect all of their industrial systems, for various reasons ranging from increased management and control to better efficiency. “But there is a catch: these are important systems.”
Stuxnet was the first industrial attack that the world saw. “This was the opening of a new era. Stuxnet reconfigured a valve at the Iranian nuclear facility, causing extensive damage.”
The challenges of securing these systems are legion, Hasbini adds. “There are so many challenges, especially on the organisational side, where teams are independent of each other, with their own policies and procedures.
“It’s a dark area for many companies. It is very difficult to understand, and to see what is happening.”
There is an underlying assumption that the critical machines running the economy are secured, but Hasbini points out that this is not necessarily the case.
Flaws include hard-coded credentials, still common in industrial systems, where a single simple password gives anyone access to critical machines.
“This is only one of the weaknesses, there are many more,” Hasbini says.
Another assumption is that these devices are safe because they operate in isolated environments, and are difficult to reach or connect to.
“Sadly, this is also wrong,” he says. “A quick look online lets us identify a lot of devices that are connected and visible. This is happening, and it’s happening everywhere.”
Just because we don’t hear about many industrial attacks doesn’t mean they aren’t happening, Hasbini adds.
A recent example is the attacks on the Ukrainian power grid, which caused a power shut-down across eight regions and eight different electricity companies, affecting 220 000 people. The attack included a relatively simple DDoS attack on call centres and web servers, with malware used to wipe the systems the attackers gained access to.
“But we were lucky,” Hasbini says. “The attack did not affect the industrial systems in a way that destroyed them. So they stopped them, but they did not destroy them. And power was restored within six hours.”
Korean transport systems were attacked recently, over a period of 15 days, with self-deleting malware targeting harbours, transport systems and subways. The attack was related to the Lazarus APT.
In the US, a dam was the victim of an attack. A hacker was able to get access to the system that controls the flood gate. Fortunately, says Hasbini, purely by luck the system was undergoing maintenance and had been disconnected.
“So we were saved again by luck. But how lucky do we have to be?”
A hydroelectric engine was hacked and encrypted because the computer that provides satellite communication to the machine was compromised. The hacker demanded a ransom to restore the device.
The Kemuri Water Company, servicing 2,5-million clients in Switzerland, was running systems dating from the 1980s. “This system was fully controllable online by anyone,” Hasbini points out. “Hackers got into the system and changed the properties of the chemicals added to the water. Fortunately these changes were minor and 2,5-million people were not poisoned.”
In August 2015 a critical GLIBC flaw was discovered in some Siemens industrial products. Some of the weaknesses have been patched, but others remain vulnerable while a fix is developed.
“All of these attacks have happened in the last month,” Hasbini says. “These things are happening, and they are extremely critical. They require huge amounts of attention.”
Worryingly, these are just the tip of the iceberg: 32% of IT managers responsible for safeguarding industrial systems say their control system assets or networks have been infiltrated at some point. Meanwhile, 34% believe their systems have been breached more than twice just in the last 12 months.
PwC tells us that the average number of detected breaches in the power and utilities sector increased six-fold in 2014. And the US’s ICS-CERT says that 55% of the attacks that it sees involve advanced persistent threats (APTs) or sophisticated actors.
Today, the biggest threat to connected industrial systems is malware attacks at 35%, followed by software error (23%), operator mistakes (11%), SCADA failure (19%) and other threats (12%).
The malware threats enter mostly from corporate networks (35%), remote access (26%), USB ports (3%), mobile devices (4%), WiFi (5%), HMIs (8%), Internet connections (9%), and outside contractors (9%).
The nature of the attacks is overwhelmingly APTs at 60%, including Duqu, Flame, Gauss, Energetic Bear, Epic, Turla and Stuxnet.
“So devices are vulnerable,” Hasbini says. “And exploit codes are public. Devices are not tested, audited or updated; and they are often easily reachable.”
Compounding the problem is the fact that APTs have been specifically engineered for industrial attacks. BlackEnergy is one that has attacked systems across Asia.
Duqu 2.0 has been used to attack industrial, enterprise and military targets.
Cybercriminals have been known to steal code-signing certificates from Foxconn in order to sign malware, so that corporate and industrial systems trust it and allow it to run.
Energetic Bear/Crouching Yeti has been used to attack up to 2 800 victims across all industries in countries across Europe.
To reach the companies it targeted, this malware was delivered through infected legitimate software updates.
“The situation is very bad,” says Hasbini. “We need to do something.”