Jeremy Brown gave an awesome presentation at DEFCON 18 about exploiting SCADA systems. That was almost 7 years ago. Several other industry professionals, including myself, have given presentations on defending, securing, and exploiting these systems. They are all posted online and you can access them for free. All of these talks highlight a common factor – the critical lack of cyber security in SCADA and ICS systems.
Let’s break this down for you. An important aspect of cyber security for critical infrastructure protection generally starts with a basic understanding and awareness of the real-world threats and vulnerabilities that exist within the industrial automation and control system architectures that are used in literally every piece of critical infrastructure. The unfortunate truth is that most of these systems operate in real time, monitoring the flow of resources for critical operations. According to Verizon’s Research, Investigations, Solutions and Knowledge (RISK) Team, there were several cyber-attacks by a “hacktivist” group against an unnamed water utility’s Supervisory Control and Data Acquisition (SCADA) platform, which were discovered during an assessment of the utility’s networks and systems.
According to the report, the SCADA platform – an AS/400 system – was used to control the water district’s valve and flow control as well as a majority of the IT functions that stored customer and billing information. By exploiting vulnerabilities in the payment application web server, the hackers were able to manipulate the settings related to water flow and the amount of chemicals used to treat the water. The impact that this could potentially have doesn’t need to be stated, as it is pretty obvious.
Now, we have Iranians breaching critical infrastructure. The Department of Justice has confirmed that it was a group from Iran who hacked the New York dam in 2013. From DOJ:
A grand jury in the Southern District of New York indicted seven Iranian individuals who were employed by two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), that performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps, on computer hacking charges related to their involvement in an extensive campaign of over 176 days of distributed denial of service (DDoS) attacks.
This team also launched DDoS attacks against the financial sector, with a collective reported cost of tens of millions of dollars in remediation across the three years they were operating. “In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market,” Attorney General Loretta Lynch said last Thursday.
Unfortunately, none of this is new. The white hat community has been throwing red flags since 2010. We noticed a critical security threat and politics stepped in and shut it down. Without an organized body (half of these are federally run, half of them are local authorities), the ability to enforce cyber legislation across all SCADA dependent environments is extremely difficult. This leads us to an even bigger question – what can we expect in the future?
Last year I gave a talk at the NJWR Conference on Scadaploitation, and how I could compromise a water reclamation authority because of an operations picture they posted on their website that included open activity logs (with IPs) of their SCADA systems. Hard to believe that an executive director could authorize something that stupid in this day and age, but alas, it is. The main point is that afterwards, there were tons of questions about fundamentals. Here are the top three questions I received:
- How do we secure our employees? Can we train them better?
- What exactly is a USB policy, and how does that protect us?
- Should we take these threats seriously? Will it really happen to us?
One of these questions came from a director of an unnamed major river basin authority in the Philadelphia region. There is a severe lack of fundamental knowledge and awareness that can be remedied cheaply. The question now is whether they actually will. The talk that I gave was over a year ago, and now SCADA systems are becoming a more enticing target for global threats. This is not going to change, and they are not going to stop. Be prepared to learn, and be prepared to make changes to policies and procedures to provide a little more security. This is no longer a question of “well, it might happen…”. It will happen; it is now just a matter of when.
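The leak described in the talk above (an operations picture whose visible activity log exposed the control network's addresses) is the kind of thing a simple pre-publication check catches. The following is an added example, not code from the talk or the original post: it scans the text of anything a utility is about to post for RFC 1918 addresses and ICS-style device names, reports them, and redacts them. The log lines are constructed for the example, and the hostname prefixes (PLC, HMI, RTU, SCADA) are an assumption about naming conventions, not something from the post.

```python
import ipaddress
import re

# Constructed sample: what an OCR pass or caption might yield from an
# "operations picture" of a SCADA activity log. Not the real log from the talk.
# 203.0.113.9 is from the RFC 5737 documentation range, standing in for a
# vendor's external address.
SAMPLE_LOG_TEXT = """\
2016-03-21 08:14:02 PLC-PUMP-03 10.20.30.41 -> 10.20.30.5 MODBUS write coil 0x0012
2016-03-21 08:14:07 HMI-WEST 192.168.7.12 login operator ok
2016-03-21 08:15:10 vendor support session from 203.0.113.9
Contact: ops@example.com
"""

# RFC 1918 ranges: anything in here maps the internal control network.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed device naming convention (hypothetical): PLC-..., HMI-..., RTU-..., SCADA-...
HOSTNAME_RE = re.compile(r"\b(?:PLC|HMI|RTU|SCADA)[A-Z0-9-]*\b")


def find_leaks(text):
    """Return private IPs, public IPs and ICS-style hostnames found in text.

    Addresses are kept in order of appearance; hostnames are de-duplicated
    and sorted so the report is stable.
    """
    private, public = [], []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if any(ip in net for net in INTERNAL_NETS):
            private.append(str(ip))
        else:
            public.append(str(ip))
    hosts = sorted(set(HOSTNAME_RE.findall(text)))
    return {"private_ips": private, "public_ips": public, "hostnames": hosts}


def redact(text):
    """Replace every IPv4 address and device name with a placeholder."""
    text = IPV4_RE.sub("[REDACTED-IP]", text)
    return HOSTNAME_RE.sub("[REDACTED-HOST]", text)


def publish_ok(text):
    """True only if nothing that maps the control network survives in the text.

    Public addresses alone do not block publication, but they are still
    reported by find_leaks so a human can decide.
    """
    leaks = find_leaks(text)
    return not (leaks["private_ips"] or leaks["hostnames"])


if __name__ == "__main__":
    report = find_leaks(SAMPLE_LOG_TEXT)
    print("internal addresses:", report["private_ips"])
    print("external addresses:", report["public_ips"])
    print("device names:      ", report["hostnames"])
    print("safe to publish as-is:", publish_ok(SAMPLE_LOG_TEXT))
    print("--- redacted ---")
    print(redact(SAMPLE_LOG_TEXT))
    print("safe to publish redacted:", publish_ok(redact(SAMPLE_LOG_TEXT)))
```

The check is deliberately conservative: any RFC 1918 address or recognisable device name blocks publication outright, while external addresses are only reported, since the reviewer may legitimately want to mention a vendor. Running it over the text extracted from screenshots before they go on a public website is cheap, which is the point the post makes about how little the fundamentals cost.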
So, from a security professional to the Federal Government – we told you so.