For many years, there have been warnings about the cyber vulnerability of multiple infrastructures world-wide. Yet those warnings are still not being adequately addressed. In 2004, the Idaho National Laboratory (INL) provided a glimpse of what we're seeing today with CrashOverride and similar attacks. As a demonstration for the 2004 ICS Cyber Security Conference, the white hat hackers at INL exploited a recently disclosed vulnerability. The demonstration used the vulnerability to open and close breakers, as well as to change breaker operator status, from hundreds of miles away. At the same conference, a US utility disclosed how its SCADA system had been shut down for 2 weeks by a cyber attack that installed rootkits in the SCADA system. The attack was traced to Eastern Europe, and from there the trail went cold. A presentation was given at the 2014 ICS Cyber Security Conference on how the Russians cyber attacked the US grid using Havex and BlackEnergy. Yet, to this day, neither the NERC CIPs nor NEI-0809 require that malware be removed. Additionally, both NERC CIP and NEI-0809 exclude many systems (as not being "critical") that could have BlackEnergy, or other, malware installed.
At the 2014 Conference, we also had a presentation by a Russian researcher on hacking the HART protocol, the protocol for 4-20 milliamp analog sensors used in multiple industries world-wide. The Trend Micro ICS honeypot program, which emulated a small water utility in rural Missouri, demonstrated how cyber attackers world-wide are ready to pounce on inadequately secured control systems regardless of the size or importance of the facility. In this case, cyber attackers from all over the world targeted this "utility", including its ICSs, within an hour of it appearing on the Internet.
If the news reports are to be believed, the radiation monitoring system (not the sensors) was compromised at Chernobyl and had to be operated manually. As process sensors are still not authenticated or secured, consider the implications of hacking the actual sensors and the attendant damage.
With ICSs, we are in a very uneven battle. ICSs were not made to be cyber secure and often cannot be upgraded to provide what many in the cyber security community would consider a minimal level of protection. On the other hand, the hackers are dedicated to finding and exploiting vulnerabilities and have been given access to the latest zero-day exploits. As I believe it is a losing battle to secure ICSs, we need to be able to detect cyber attacks that affect operational system performance, and we need to have a resilience/recovery plan. This has been demonstrated in the Ukraine by the ability to operate the systems manually for an extended period of time. We also need to reconsider whether critical control or safety systems should be connected to the Internet.
The article was written by Joseph Weiss, PE, CISM, CRISC, ISA Fellow, IEEE Senior Member, MD ISA99. Joseph Weiss is an industry expert on control systems and the electronic security of control systems, with more than 40 years of experience in the energy industry. Mr. Weiss spent more than 14 years at the Electric Power Research Institute (EPRI), where he led a variety of programs including the Nuclear Plant Instrumentation and Diagnostics Program, the Fossil Plant Instrumentation & Controls Program, the Y2K Embedded Systems Program and the cyber security program for digital control systems.