For ICS/SCADA operators, it is vital to keep abreast of developments in the wider world of cyber-crime and security.
Major tech players like Microsoft and Dell are constantly analyzing threats and producing reports to inform network managers and improve security practice. However, not every ICS/SCADA manager acts upon or is aware of such warnings.
This is a huge problem for any network manager. The fact is that the Darknet and the increasing popularity of malware exploits poses real risks to any ICS/SCADA network and it is essential to mitigate these risks.
The expansion of underground hacking markets and the threat to ICS networks
According to the Counter Threat Unit at Dell SecureWorks, the Darknet has become a thriving marketplace for hackers, trading information and software to aid them in their criminal activity.
Dell SecureWorks has carried out investigative work in the forums of the Darknet, looking at the prices and availability of key hacker commodities such as credit card numbers or “fullz” (the details about an individual that would allow a hacker to commit identity fraud). What they found was concerning.
Apparently, the market for counterfeit documents is thriving – facilitating an identity fraud boom. But markets have become more sophisticated as well. Between 2013 and 2014, SecureWorks investigators found that hackers have started to run far more tutorials about how to use the information that is for sale.
The range of products for sale on the Darknet is dizzying. If you have the money and criminal intent, you can purchase everything from fake driver’s licenses, passports, premium credit cards and social security cards to even a completely new identity.
You can also learn about how to mount attacks on remote systems like SCADA and ICS networks. Tutorials available include directions about how to mount DDOS attacks (distributed denial of service) and how to use exploit kits. For between $20 and $50, a hacker can purchase Trojans that allow remote access to networks. As Dell SecureWorks notes, these prices have plummeted in recent years from between $50 and $250 in 2013.
The cost of hiring a hacker to mount DDOS attacks on your behalf has also fallen. If you want to take a website offline you can expect to pay between $60-90 per day, down from between $90 and $100 the year before. The price of general hacking – involving the stealing of key data – has also fallen.
If a hacker wants to attack an ICS/SCADA system then the tools to do so are becoming cheaper every week and tutorials are available to lead them through the complexities. This should be of concern to all network operators, particularly when they are responsible for critical infrastructure.
How cyber-criminals are using exploits to target SCADA systems
As Microsoft’s Security Intelligence Report has recently described, one of the most important vulnerabilities faced by ICS/SCADA networks is the threat posed by “exploits.”
Exploits are pieces of software that take advantage of the code on operating systems and other parts of a network, finding weak points and gaining access to control systems. They are a popular tool used by cyber-criminals in accessing ICS systems – with potential to be used even more frequently in the future.
Sometimes, the speed at which criminals learn about and use exploits can be dizzying. Microsoft documents the case of CVE-2014-6332. This was a vulnerability to Windows Object Linking and Embedding that was discovered by an IBM security researcher and published in Microsoft’s Security Bulletin on 11 November 2014.
By the next day, a Chinese coder had released a “proof of concept” exploit to target the weakness which could allow hackers to gain access to any web user’s Internet Explorer software. Within days, groups of cyber-criminals were using the exploit to attack entire economic sectors such as aerospace as well as US government servers.
Microsoft point out that this case demonstrates the need to update all security systems regularly. The firm had released a patch dealing with the exploit before any attacks had been launched yet clearly it took time for users across the world to implement the security update.
Another exploit (codenamed CVE-2010-2568) targets the Windows Shell and may be of more relevance to ICS/SCADA operators. In this case, the malware involved originated from the Stuxnet worm which infected ICS systems surrounding the Iranian nuclear program in 2010. It has since escaped into the wider internet ecosystem, posing huge risks for ICS networks and, even though it was released in 2010, the exploit remains dangerous and active due to the long industrial life-cycle.
Microsoft also point to CVE-2014-4114 as a potential threat to SCADA systems. Like the exploit described above, 2014-4114 targeted the Object Linking and Embedding function of Windows Explorer through which hackers can gain access to executable files on target systems.
This exploit can be activated by something as simple as opening a rogue PowerPoint presentation downloaded from a website that has itself been infected by the exploit code or opened as an e-mail attachment. According to security analysts Trend Micro and iSight, 2014-4114 has been used against SCADA systems’ supervisory control and data acquisition functions. This seems to have been for espionage purposes.
Clearly, the growing frequency of exploit type attacks poses a security challenge for all ICS/SCADA operators and there is a pressing need to tighten up security protocols for any employee who is connected in any way to the SCADA network.
What can I do to protect my network against cyber-attacks?
While the threats are mounting, there is no need to panic regarding the risks posed by exploits and other hacking tools to ICS/SCADA networks. As Dell SecureWorks recommends, there are some simple measures that all network operators can take to ensure that they are protected. These include steps like:
Ensuring that firewalls are maintained around key applications; making sure that Intrusion Detection Systems are installed; having the right Malware detection software installed and keeping it updated; continuous log monitoring; keeping up to date with knowledge about the latest threats; using safely encrypted e-mail.
Microsoft zeros in on the need for network operators to ensure that any Microsoft software used on their servers is regularly updated. Dell also remind us that human error can be the most critical vulnerability of all. They caution SCADA operators to ensure that workers do not open any suspect attachments and verify with the senders of e-mails whether links contained in their messages are legitimate. Strong password policies are essential while Microsoft recommend using “smart cards” to strengthen security even further.
At Sentryo, we agree with both, but we would go further. It is also important to ensure that every single device connected to a SCADA/ICS network is mapped and monitored. Situational Awareness is the only way to ensure that networks are truly secure from exploits and malware infections.
The key is implementing well-planned strategies which take into account every single vulnerability and put in place workable protocols and policies for employees to follow. With a little thought and security expertise, the challenge posed by the Darknet and Malware exploits can be dealt with.