The primary threats against Industrial Control Systems (ICS), the computing infrastructure at the heart of utilities and manufacturing plants, come from secret agent style espionage like you see in the movies, right? Wrong.
Remember the “Stuxnet” attack that sent the centrifuges in Iran’s uranium enrichment plant into a self-destructive spin? In that attack, a USB stick was used to cross the security “air gap” of that unconnected computer, and drop malicious software on the (Windows-based) Siemens control units.
Now, attackers targeting critical infrastructure don’t even need to drop a USB stick in the parking lot. They can simply rely on employees opening a phishing email, or visiting a compromised website. That’s all it takes for a motivated outsider to wreak havoc, steal data or lock down critical ICS processes with ransomware.
Fear-mongering? I would have thought so too. But then I read Booz Allen Hamilton’s newest Industrial Cybersecurity Threat Briefing [PDF].
It’s the most thorough and comprehensive report on the state of ICS cybersecurity I’ve seen, and it made me realize how real these threats are, and how ill-prepared we are to deal with them.
The report draws on publicly available sources and Department of Homeland Security data, centering on incidents involving organizations that use and maintain ICS infrastructure.
2015 was a record year in the number of attacks, and the trend continued into 2016.
Infographic Source: Booz Allen Hamilton Industrial Cybersecurity Threat Briefing
The number of US-based reported incidents rose by 20 percent in 2015, to 295. 97 incidents occurred in critical manufacturing areas. 77 impacted energy companies and public utility operators. At the same time, the number of successful penetrations of control networks from enterprise networks rose by 33 percent.
Alarmingly, the majority of attacks involved web exploits that “spilled over” from an employee’s computer into the ICS or SCADA (Supervisory Control and Data Acquisition) network.
Three examples from the report’s known incident timeline:
- In December 2015, alleged Iranian actors gained access to networks operated by an American natural gas and geothermal electricity company. Their target: engineering drawings, including details on equipment used to control gas turbines, boilers, and other critical machinery.
- In February 2016, the systems of a cargo ship were infected with ransomware while underway. According to the shipping company’s disclosure, the ransomware was delivered via a malicious email attachment.
- In April 2016, the corporate network of the Board of Water & Light (BWL), a Michigan-based public electric and water utility, was infiltrated by ransomware via a phishing attack. In this case, administrators shut down the system and narrowly avoided an impact on the operational systems.
Nation-state attackers still constitute the #1 threat to critical infrastructure. But the Booz Allen Hamilton Threat Briefing stresses how new tactics - cyber criminals selling SCADA Access as a Service, or automation-based ransomware attacks - now threaten ICS systems in the manufacturing sector as well.
This correlates with the results of the recently published BDO 2016 Manufacturing Risk Factor Report. For the first time, cyber risk ranks among the manufacturing industry’s top 10 risk factors. 92 percent of manufacturers cited cybersecurity concerns, up 44 percent from 2013.
Better late than never, I guess. Let’s hope manufacturers will listen to Shahryar Shaghaghi, Head of International BDO Cybersecurity. It’s hard to describe the vulnerability more clearly than he did:
“All it takes is one weak link in the security chain for hackers to access and corrupt a product feature, an entire supply chain or a critical piece of infrastructure.”
Infographic Source: BDO 2016 Manufacturing Risk Factor Report [PDF]
That “one weak link”? In most organizations whose infrastructure was compromised by unauthorized access, ransomware, phishing, or cyber criminals selling access to SCADA, it turned out to be our old friend, the web browser.
Regular web browsers: ubiquitous and unsafe
Across all plants, facilities and environments, employees use the browser as the primary method for accessing internal and external information. And as you know (if you’ve been reading this blog), regular browsers are inherently unsafe.
They were never designed for secure access or content control. The weakness is architectural - to render a page, read an email, or access an app, the browser fetches code from a remote server and executes it locally.
Through the same mechanism, keyloggers, spyware, ransomware and other malicious content can piggyback on legitimate content and infect a target. First at the endpoint, and from there the corporate or ICS / SCADA infrastructure.
Industry research and threat reports track the increasing volume of these web-borne attacks, proving that the current cocktail of firewall configurations, network filtering, and anti-virus / anti-malware products is unable to stop them.
Secure browser protects endpoints, infrastructure
This is where utilities and other ICS operators can learn from leading financial institutions, federal agencies, law enforcement and other security-sensitive organizations. They’ve moved to secure users' access to the web, often with Silo, the secure virtual browser developed by my company, Authentic8.
Unlike the browser on your desktop, Silo doesn’t process any web code on the computer. Instead, Silo renders web pages securely in the cloud, outside the organization’s network. A display of the web content is encrypted and delivered to the endpoint, purely as visual information - pixels.
To users, Silo feels like a browser. But the attack surface area for browser-borne exploits is eliminated. All code executes in the cloud, and the virtual instance is destroyed at the end of the session.
One additional Silo advantage for ICS operators: Its integrated credential management capabilities can help them overcome another challenge pointed out in Booz Allen Hamilton’s threat brief. According to one survey, 25 percent of incidents in 2015 were caused by employees and poor credential management practices.
Enterprise-grade credential management built-in
In addition to its inherent security, Silo frees the user of credential management duty. Its admin-managed IDP capability allows IT to provision and revoke access to approved network resources, web services and cloud apps, without revealing the credentials to individuals or teams of users.
Stated simply, if users connected to ICS / SCADA infrastructure don’t know their ID or their password, they can’t be phished.
Silo may be just the solution ICS operators have been looking for to counter the web-borne threats laid out in the reports by Booz Allen Hamilton and BDO.
It’s not a bad idea for your company either. Take a look:
P.S.: For more recent developments, see my follow-up post Malware Targeting Energy Utilities Avoids AV Products.
About the author: Scott Petry is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott was the founder of Postini.