Hackers Targeting Critical Infrastructure

June 29, 2011

Until recently, hostile attacks by viruses and Trojans on automation systems was not an issue for infrastructure such as water works, power grids or transportation systems, because the data networks in these infrastructure installations were isolated. However, Ethernet, wireless LAN and Web-based machine services such as remote monitoring, remote administration, remote diagnostics and remote maintenance have changed the landscape.
IT security — a non-issue many years ago — is nowadays a major concern and should be part of the business strategy of every critical infrastructure facility. With the increasing networking of all kinds of SCADA systems over the Internet and/or public networks, any device with an IP address is globally accessible.
This means deploying classic security measures, such as virus scanners and firewalls, as the recent Stuxnet scare taught IT security professionals in this sector.

Stuxnet: The First Wave
Stuxnet is a Microsoft Windows computer worm discovered in July 2010 that targets industrial software and equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit. It was designed to target only Siemens Supervisory Control And Data Acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.
By the end of April 2011, Siemens had registered 24 infections of industrial computer systems around the globe. No damage occurred anywhere and the Trojan could be removed in every case without interrupting operations or production. Just a few days after the malware became public, Siemens was able to offer a solution which could detect and neutralize the trojan. This involved changing the settings in the Simatic WinCC visualization system to protect it from further attacks. “Now that Microsoft has closed its security loopholes with the patches (MS10-046, MS10-061, MS08-067), no further infections have been reported to us,” Siemens spokesperson Wieland Simon says.
Although Stuxnet did not apparently cause any damage for the majority of the world of automation, it did reveal potential vulnerabilities.
First, in theory, hackers could manipulate automation and control systems by directly entering the facilities themselves and “infecting” the Simatic system; therefore, as long as the systems are running under normal conditions in a secure environment, it should be safe from these types of attack. That means deploying sound access control plans for each facility.
“So far, no attacks via Profibus (an Ethernet standard for automation systems) are known,” Simon says. This may be simply because of the limited number of participants in this field.” He adds that Siemens has already deployed countermeasures for its Ethernet-based systems.
In all, critical infrastructure facilities need a well-structured security concept and strict organizational rules, coupled with continuous surveillance of all communications systems, clearly defined access, and the ongoing education and training of individual employees.
Strict Requirements for Automation Components
In addition to changed rules of behavior, the automation components also have to meet more stringent IT security requirements. One of the first protective measures for individual automation components is to restrict the scope of network and internet communication to a specified “safe” level.
Automation components can be grouped logically or by communications technology and segregated from the rest of the network by firewalls and other security components. The automation components should be equipped with defined communication mechanisms so that the device executes its program as usual even in extreme situations, such as denial-of-service attacks or attacks targeted on individual communication services — also referred to as “network ruggedness.”
This applies to both the lower communication layers 2 to 4, with their Ethernet and IP protocols, as well as to the higher level application protocols (layers 5 to 7). For many years, Siemens has also been regularly testing the network ruggedness of its components with stress scenarios and protocol attacks, which are continually updated to match the latest threats. Thanks to the experience gained in the process, the network stability of these devices has been comprehensively strengthened.
Security features such as network ruggedness are available automatically, but protective mechanisms such as access control and firewalls must be individually configured. This entails a certain initial expense, but it prevents subsequent malfunctions and time-consuming trouble-shooting in the event of a security incident.
Siemens’ automation components have been equipped with access protection mechanisms to prevent unauthorized persons making changes to the PLC program or its configuration via engineering software. New functions and error corrections can be updated quickly by firmware updates, and digital signatures detect manipulations of firmware and sabotage.
One or more firewalls which restrict access to the organization or infrastructure’s network to one fixed, defined protocol are a good compromise between security and openness. Access from the Internet or the company intranet is only enabled on dedicated computer systems.
The networks are segregated by a terminal server which has a virus scanner installed. The virus scanner is updated automatically every day, and recognizes all known new viruses and worms. When data is transferred to the system, the local virus scanner checks all the data before it passes into the network.
Only a user with a valid certificate and who is trusted by the company is given access to the industrial network. Even when a user has been clearly identified, access to the systems is individualized to prevent access to other parts of the system or the company intranet. ?

Dirk Gebert is a Security Systems Manager for Simatic Products at Siemens.