SCADA Attacks: Raising Awareness for Security’s Hidden Threat

Sept. 21, 2015
As interconnectivity between SCADA and corporate networks increases, so does the risk of compromise

It’s never comfortable to talk about data breaches, but companies rarely have a choice. Whether a company reports a breach because it is required to, or because the media picks up the story and runs with it, successful IT attacks have become a constant topic of conversation among industry professionals hoping to learn from others’ mistakes. Yet as the Dell Security Annual Threat Report recently revealed, one common type of attack has so far escaped popular discussion, even though its frequency doubled in 2014. What makes this alarming is that, if it continues to fly under the radar, it could have devastating consequences for entire cities, states and even countries.

The Origins of SCADA Attacks

Supervisory control and data acquisition (SCADA) systems supervise and automate industrial operations for oil and gas pipelines, power plants, water treatment facilities, wind farms and airports around the globe. Not only do they make it possible to operate machinery automatically or remotely, but they also collect and return data on how well that machinery is running, making maintenance and management much easier.

Clearly, SCADA systems play a vital role in society, and a compromise of the companies and sites that run them can be disastrous. Most SCADA access does not take place over the Internet, which makes it harder for an opportunistic attacker to probe the control systems themselves and attack them directly.

Still, the infrastructure that houses SCADA systems is attacked millions of times each month (the 2014 figures appear below). How do attackers get in?

Consider that SCADA systems are large-scale, geographically distributed systems that depend on communications over great distances. That alone suggests the kinds of information an attacker can use to compromise them, including:

  •  schematics of the entire infrastructure;
  •  information on control points for access to the wired or wireless network;
  •  data on multiple points of physical or wireless access control; and
  •  service log information about where service was performed.

Add to that delivery schedules, hardware purchases, requisition and deployment records, upgrade cycles... the list of exploit angles quickly becomes extensive. SCADA networks may not be on the Internet, but they are built from much of the same equipment that runs the Internet (servers, wired networks, closed wireless networks, etc.), so the reconnaissance methods and exploits attackers already use against Internet-facing systems work against them too.

Because of these exposures and others, SCADA systems have been targets for years, possibly as far back as 1982, when an explosion on a Trans-Siberian gas pipeline was rumored to be the result of sabotaged control equipment sold to the Soviets (this was never officially confirmed as an attack). Over the years, companies including Exxon, Shell and BP have been victims of remote access Trojans (RATs) and other attacks aimed at taking control of their operations or disrupting them.

 Modern SCADA Attacks

Still, threats to SCADA infrastructure largely escaped public notice until July 2010, when the Stuxnet worm was discovered. Stuxnet was built for one target, the uranium enrichment plant at Natanz in Iran. It spread between Windows machines using several then-unpatched Windows flaws, including over USB drives, which is how it could cross into a network with no Internet connection, and it did nothing to the process unless it found Siemens Step 7/WinCC software. Where it did, it rewrote the code on the Siemens S7 PLCs so that the centrifuges were driven outside their safe speed range while the operators’ screens showed normal readings. According to later press reporting, a change in one version of the worm caused it to spread far beyond Natanz after a plant engineer’s infected laptop was taken off site and connected to the Internet.

Stuxnet was eventually contained, but it showed other attackers what was possible, and they began looking for their own ways to exploit SCADA infrastructure vulnerabilities.

More recently, the US Department of Homeland Security identified a remote code execution flaw in a Siemens industrial control product as the likely vector for attacks seen in November 2014. A few months earlier, a separate campaign had hit Western European organizations with the Havex remote access tool. The attackers used the usual spear-phishing and exploit kits, but also a “watering hole” approach: they compromised the websites of three vendors of industrial software and replaced the legitimate installers with trojanized copies, so that operators installed the RAT themselves. Rather than seizing control of the compromised companies’ equipment, the attackers appear to have used their access for reconnaissance; Havex carried a module that enumerated OPC servers on the victim’s network, the hosts through which process data is exposed to other applications.

In January 2015, threat researcher Kyle Wilhoit reported finding 32 banking Trojan samples posing as WinCC software. Many were delivered through spear-phishing campaigns that directed employees to websites impersonating the Siemens site, where they were instructed to download SCADA software updates.

Wilhoit’s findings were particularly noteworthy because SCADA infrastructure attacks typically do not use banking Trojans or other commodity crimeware. In fact, financially motivated SCADA attacks are exceedingly rare, simply because it is much easier to steal financial data with point-of-sale attacks. Instead, the motives are usually political, and the attacks are usually attributed to nation-states, hacktivists or organized crime groups. It is unclear whether the industry will see a trend toward financially motivated SCADA infrastructure attacks. What is clear is that these attacks, as a whole, are on the rise.

 SCADA Attacks Doubled in 2014

Last year, Dell picked up on a disturbing upward trend in SCADA infrastructure attacks, which primarily targeted buffer overflow vulnerabilities. Worldwide, Dell SonicWALL identified 37.5 million SCADA infrastructure attacks in 2014, compared with 18.7 million in 2013. These attacks hit an early peak in April and May 2014, with 9.7 million and 6 million attacks respectively, and another high point in the last quarter with October (6.2 million), November (2.5 million) and December (7.4 million) each experiencing a high level of activity.

One-quarter of attacks throughout 2014 exploited improper restriction of operations within the bounds of a memory buffer (CWE-119, the buffer overflow class). Other frequently exploited weakness classes were improper input validation (CWE-20, 9 percent); information exposure (CWE-200, 9 percent); resource management errors (CWE-399, 8 percent); improper neutralization of input during web page generation, i.e. cross-site scripting (CWE-79, 7 percent); and weaknesses in permissions, privileges and access controls (CWE-264, 7 percent). These are the category names from MITRE’s Common Weakness Enumeration, which is how the report classifies the signatures that fired.

The most heavily targeted countries were Finland (more than 202,000 attacks), the United Kingdom (about 70,000) and the United States (more than 51,000), probably because SCADA systems are both common in these regions and likely to be connected to the Internet. However, most of the breaches that succeeded never made it into the news.

 SCADA: A Silent Threat

When Home Depot, Target, Michaels and many other retailers suffered point-of-sale (POS) breaches in 2014, they were required to notify customers whose card or personal data might have been compromised. Such notification has been required by state law since California passed the first breach notification statute in 2002; most other states have since followed, and the 2015 State of the Union address proposed a national 30-day notification deadline as well.

However, SCADA infrastructure breaches don’t typically involve the loss of personal or payment information, so they aren’t covered by breach notification laws. As a result, SCADA attacks often go unreported, leaving other companies that may be targets of similar attacks wholly unaware of the looming threat.

This is particularly troubling because SCADA infrastructure attacks often affect more than the companies or government agencies being breached. For example, in 2000 the Maroochy Shire sewage control system in Queensland, Australia was breached by a former contractor who used a laptop and a radio transmitter to connect to the utility’s SCADA system and issue commands to around 150 sewage pumping stations. Over roughly three months he released about a million liters of untreated sewage into local waterways before an engineer worked out that the faults weren’t teething problems, as first assumed, but the work of a disgruntled insider who still knew the system and had the equipment to reach it.

Around 80 percent of U.S. power facilities use SCADA systems, and the implications of an outage, as we have seen in the past with non-SCADA-related disruptions, can be enormous. For almost any region of any industrialized country, SCADA systems represent a great deal of leverage and an enticing target for politically motivated attackers.

Avoiding SCADA Breaches

The Dell Security Annual Threat Report and Dell security executives identify a few ways industrial companies can protect against SCADA infrastructure attacks:

  •  Keep all software and systems up to date, including systems that are not used every day. Should an employee one day connect such a system to the Internet, it becomes an entry point for SCADA infrastructure attacks.
  •  Allow only approved source addresses to connect to control-network hosts, and deny everything else by default; “approved” should mean a short, documented list, not a whole corporate subnet.
  •  Follow operational best practices for limiting exposure, such as disabling USB ports where they aren’t needed and making sure Bluetooth is turned off.
  •  Design a simple network with as few entry points as possible.
  •  Put at least one firewall and router between the company network and external networks, and another between the company network and the SCADA network. Many companies now add a demilitarized zone (DMZ) between the two, so that business applications talk to a historian or jump host in the DMZ rather than directly to control-system hosts.
  •  Use VPNs with strong authentication for remote access. This won’t protect against physical attacks, but it is an essential defensive measure for any enterprise, industrial companies included.
  •  As with any other form of cyber attack, reporting and sharing information about SCADA infrastructure attacks is critical so that the industrial community as a whole is aware of emerging threats.
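
The allowlisting and segmentation advice above can be checked mechanically. The following script is an added example, not code from the Dell report or from any vendor: it defines three zones (corporate, DMZ, control), a default-deny list of approved flows, and an audit function that runs over firewall log lines and returns every cross-zone connection the policy does not approve. The address ranges, the jump host and historian addresses, the log format and the sample log lines are all constructed for illustration.

```python
"""Default-deny zone policy check for a segmented SCADA network (added example).

Zones, addresses, ports in use and the log format are hypothetical; adapt them
to the real network before relying on the output.
"""
import ipaddress
import re
from typing import List, Optional

# Constructed zone layout: corporate users, a DMZ between them and the plant,
# and the control network holding PLCs and HMIs.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

JUMP_HOST = ipaddress.ip_address("10.2.0.10")   # engineering jump host in the DMZ (hypothetical)
HISTORIAN = ipaddress.ip_address("10.2.0.20")   # replicated historian in the DMZ (hypothetical)

# Approved cross-zone flows. A source is either a zone name or a single approved
# host; ports are TCP destination ports. Anything not listed is denied, which also
# denies every flow originating in the control zone.
ALLOWED = [
    ("corporate", "dmz", {443}),          # users read the DMZ historian over HTTPS
    (JUMP_HOST, "control", {102, 502}),   # S7 (ISO-TSAP) and Modbus/TCP from the jump host only
    (HISTORIAN, "control", {502}),        # historian polls PLCs over Modbus/TCP only
]


def zone_of(ip: str) -> Optional[str]:
    """Name of the zone containing ip, or None if the address is not ours."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """Default-deny decision for one TCP connection (src -> dst:dport)."""
    src_addr = ipaddress.ip_address(src)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False                      # unknown address on either end: never approved
    if src_zone == dst_zone:
        return True                       # intra-zone traffic is out of scope for this check
    for source, dest_zone, ports in ALLOWED:
        if isinstance(source, str):
            src_ok = source == src_zone   # rule applies to a whole zone
        else:
            src_ok = source == src_addr   # rule applies to one approved host
        if src_ok and dest_zone == dst_zone and dport in ports:
            return True
    return False


# Constructed log format: "... src=A dst=B proto=tcp dport=N"
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dport=(?P<dport>\d+)")


def audit(log_lines: List[str]) -> List[str]:
    """Return the log lines whose connection the policy does not approve."""
    violations = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # not a TCP connection record; ignore
        if not is_allowed(m["src"], m["dst"], int(m["dport"])):
            violations.append(line)
    return violations


# Constructed firewall log sample (hypothetical addresses and timestamps).
SAMPLE_LOG = [
    "2015-09-21T08:00:01Z ACCEPT src=10.1.5.7 dst=10.2.0.20 proto=tcp dport=443",         # ok
    "2015-09-21T08:00:05Z ACCEPT src=10.2.0.10 dst=192.168.100.12 proto=tcp dport=502",   # ok
    "2015-09-21T08:00:09Z ACCEPT src=10.1.5.7 dst=192.168.100.12 proto=tcp dport=502",    # corporate host reaching a PLC
    "2015-09-21T08:00:12Z ACCEPT src=10.2.0.20 dst=192.168.100.13 proto=tcp dport=102",   # historian on a port it never needs
    "2015-09-21T08:00:15Z ACCEPT src=203.0.113.9 dst=192.168.100.12 proto=tcp dport=502", # address outside every zone
]

if __name__ == "__main__":
    for line in audit(SAMPLE_LOG):
        print("POLICY VIOLATION:", line)
```

Run against the sample, the audit flags the last three lines: a corporate workstation talking Modbus/TCP straight to a PLC, the historian using a port it has no business using, and a source outside every defined zone. The same table of approved flows is what the firewall between the DMZ and the control network should enforce; running the check over accepted-connection logs catches the cases where the firewall rules and the written policy have drifted apart.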

As interconnectivity increases between SCADA networks and corporate networks, these security measures become even more important. But as always, when a breach does occur, communication is one of the most important steps a company can take to help protect others.

If SCADA infrastructure attacks shed light on our interconnectivity as a society, they should also remind us of our responsibilities to each other as a business community. In the battle against IT attacks, we are all on the same side. That is why it is important to keep talking about data breaches and to keep sharing ideas and best practices, so we are better prepared to stop the next one in its tracks. Companies have been silent about SCADA breaches for too long, and attacks are now growing by leaps and bounds. It is time for a serious, open dialogue, backed by proactive, defense-in-depth measures.

About the Author:

Patrick Sweeney is executive director, Dell Security. He has more than 20 years’ experience in high-tech product management and product marketing. Prior to his role at Dell, he was SonicWALL’s Vice President, Product Management & Corporate Marketing, where he oversaw the business’ Network Security, Content Security, Business Continuity and Policy & Management product lines. A security leader, Sweeney came to Dell as part of its SonicWALL acquisition in May 2012.