From the time engineers started building industrial control systems (ICS), bad actors have looked for and found ways into them. While the motivations for ICS attacks are timeless—espionage, sabotage, ransom, and even revenge—ICS cyber security threats have evolved to adapt to new technologies and security practices.
The history of attacks is an interesting topic, especially as you wrestle with how to secure new technologies and stay ahead of threats. A document like the U.S. Department of Energy’s 2018 history of ICS attacks gives security, IT, and operational technology (OT) teams plenty of examples to study, with a timeline stretching from 1903 through the 21st century. For this post, we’ve picked a handful of pertinent incidents to show how industries have learned to deal with ICS cyber attacks over the decades and what we still need to keep in mind when securing ICS devices, data, and systems.
Lesson 1: If You Build It, They Will Hack It
Guglielmo Marconi’s early 20th-century work on wireless telegraphy and long-range radio transmissions freed communication from the constraints of wired networks to reach ships at sea. Yet, before he earned the Nobel Prize for his work—and before his tech was used to rescue Titanic survivors—Marconi was the target of an embarrassing, high-profile hack.
It happened at a 1903 London public demo meant to prove that long-distance radio transmissions of Morse code were both possible and secure. Prior to the demo, Marconi bragged to the press that his Morse code transmissions were private because “no other instrument that is not similarly tuned can tap my messages.” Marconi was likely betting on the novelty of his technology and the scarcity of radio receivers to protect the demo’s Cornwall to London transmission.
He didn’t count on the hacker skills of Nevil Maskelyne, a resentful magician who thought Marconi’s patents encroached on wireless Morse-code tech he’d developed for his stage shows. New Scientist reported that Maskelyne’s animus drove him to work as a spy for the Eastern Telegraph Company, which stood to lose contracts if Morse code took off.
Maskelyne got his revenge by hijacking Marconi’s signal at the start of the 1903 demo. With a nearby transmitter and a Morse key, Maskelyne upstaged Marconi’s long-awaited broadcast with his own Morse transmission. It was a limerick mocking Marconi, and it proved to everyone in the room—press included—that radio transmissions were neither private nor secure. Maskelyne also built his own radio tower to intercept Marconi’s shore-to-ship transmissions and published a write-up of Morse Code’s security vulnerabilities.
ICS security lessons learned: Never assume a technology is too new to be hacked.
Lesson 2: Your ICS is Only as Secure as Your Most Vulnerable Third-party Provider
In 2014, attackers repurposed Havex malware, a remote access trojan (RAT) that initially targeted the energy industry, to go after ICS manufacturers and their customers. The known targets included ICS software manufacturers and at least one industrial camera vendor.
In addition to sending RAT code through spam and exploit kits, the retooled Havex malware went a step further. It infected the software downloads that ICS/SCADA manufacturers made available to their customers “in an attempt to infect the computers where the software is installed.”
The security researchers who discovered the campaign noted that the content of the malicious code suggested that beyond data theft and espionage, the attackers may have been planning remote ICS hardware takeovers. Although it was novel at the time, remote takeovers where attackers tamper with critical infrastructure systems are a rising concern.
ICS security lessons learned: Your ICS is only as secure as your least-secure vendor, so you need to have ongoing discussions about how security affects your relationship. Also, monitor device traffic continuously to quickly detect and respond to data exfiltration.
Lesson 3: Identify and Monitor Every Device in Your Environment
One of the most extensive and damaging ICS attacks on record was the December 2015 shutdown of the electrical grid in and around Kyiv, Ukraine that left more than 225,000 people without power. In a detailed analysis of the incident, Booz Allen Hamilton identified 17 steps the attackers took to infiltrate ICS systems, disrupt industrial processes, and destroy data.
Among those steps were:
- Perimeter device scanning and identification as part of infrastructure reconnaissance
- RAT malware delivery through phishing emails targeting Microsoft Office users at electricity distributors
- RAT installation and execution to establish communication between attackers and target networks
- Credential harvesting, internal network snooping, and new network target identification
- ICS network control access
Booz Allen Hamilton, Ukraine Report: When the Lights Went Out
- Malicious firmware creation
- Electrical outage scheduling
- Outage execution, including breaker tripping and cutoff of field device connections
- Call center DoS attack and power cutoff to telephone communication and data servers
- Destruction of critical system data
The Booz Allen Hamilton report, like many cybersecurity analyses, concluded that the grid attack was state-sponsored, most likely by Russia.
Today, state-sponsored cyberattacks are on the rise; attackers hit more than 20 U.S. targets in Q1 2020 alone, so the lessons of the Ukraine attack merit careful study.
ICS security lessons learned: Develop a clear, complete picture of your environment, including assets, networks, devices, and expected patterns of communication so you can understand your risk profile. Continuous monitoring for activity and threat detection are critical to spotting malicious internal activity early. Also, maintain and update segmentation and firewalls to limit intruder damage.
Lesson 4: Real-time Patches, Updates, and Alerts are Table Stakes for ICS Cybersecurity
When a wave of SamSam ransomware attacks swept across the U.S. in 2018, the media focused on the cities whose data and services were disrupted. But these attacks also targeted critical infrastructure, including the Port of San Diego, in a foreshadowing of the ongoing attacks on shipping and port organizations in 2021.
SamSam, like the Ukraine attack, appears to have been state-sponsored with the goal of disrupting critical operations. CISA described the mode of attack as a combination of remote desktop protocol exploitation to enter and persist in target networks, via stolen credentials or brute-force attacks, followed by privilege escalation and malware execution. The attackers used relatively simple means, such as attachments in phishing emails, to “infect victims with minimal detection.”
ICS security lessons learned: Deploy OS and application patches and updates for all devices in the environment as close to real-time as it is practical. Especially for RDP systems and virtual machines. Endpoint identification, assessment, and monitoring are also critical (automation can help). Also, as with the grid-attack example above, real-time environment activity monitoring and alerts must be a priority.
Choose an ICS Security Solution That’s Built to Pass the Tests of Time
Every year, ICS cybersecurity threats grow increasingly sophisticated. Be prepared for whatever new attack methods evolve with a comprehensive device security solution that:
- Identifies every device in your environment, including vendor and remote devices, and monitors those devices for vulnerabilities and risks
- Alerts your team to threats
- Automates and streamlines integrated device management