SCADA under attack
In April 2020, Israeli National Cyber Directorate alerted water utility companies after hackers took aim at their systems. The attackers targeted supervisory control and data acquisition (SCADA) systems linked to pumping stations, sewage facilities, as well as wastewater treatment plants. This prompt governmental notification urged energy and water organizations to update their software, reduce their digital exposure and change passwords which could have been compromised. Early identification and alerting of this threat was instrumental in ensuring these attacks did not impact operations, according to Israel’s Water Authority.
The increase of ICS (industrial-control systems) cyber attacks should be seen as a warning to enterprises across the globe regarding the security of SCADA systems and the consequences of a major breach. A 2019 spike in ICS bug submissions, led Trend Micro’s Zero-Day Initiative (ZDI) project to focus its January 2020 Pwn2Own contest on ICS devices and their respective software. In 2018, the ZDI purchased 224% more zero-day vulnerabilities in ICS software compared to the previous year,” ZDI said. “This growth is sustaining in 2019 so far, which proves the increasing need to identify vulnerabilities and harden these systems before they are exploited.
SCADA systems control critical infrastructure
According to the National Communications System (formerly part of the United States Department of Homeland Security) SCADA systems are supervisory software used to monitor and control a plant or equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining and transportation. By using a distributed database of points that represent an input or output value, SCADA can simplify the direct monitoring or remote control of industrial equipment or assets. This software also provides hackers, cybercriminals, and nation states the opportunity to remotely disable, destroy, or even exploit critical infrastructure across the globe.
Governments all around the world are rapidly identifying SCADA systems as critical assets, particularly as these systems are spreading from large organizations working in the sectors mentioned above to a host of small and medium companies hoping to improve the efficiency of their industrial facilities. According to the market research company Technavio, “the global SCADA market will grow by 8.22 billion during 2020-2024, which represents a 5% average annual increase.” This upward trend underscores how widespread SCADA systems are today, as well as the critical nature of their security.
Hacking industrial control systems becomes more and more accessible
One may think industrial-control systems are more secure than an average IT (Information Technology) system. Nevertheless, according to the 2019 Global ICS and IoT Risk Report written by the cybersecurity company CyberX, “84% of OT (Operational Technology) networks of industrial sites have at least one remotely accessible device using protocols such as RDP, VNC and SSH.” These protocols are often used in conjunction with SCADA software to decrease labor costs and improve operations by enabling administrators to configure devices remotely. However, these protocols also increase the attack surface for malicious actors; thus, decreasing the overall security of the equipment, system, or infrastructure.
The 2019 Global ICS and IoT Risk Report paints a bleak picture of the level of cybersecurity of ICS (Industrial Control Systems), specifically:
- 69% of industrial sites have plain-text passwords traversing their ICS networks which may be sniffed by attackers through protocol analyzers
- 57% of them are not running anti-virus protections that automatically update signatures
- 53% of them are using outdated Windows systems
For years security threat researchers have warned organizations and governments about the level of exposed IOT (Internet of Things) devices, including SCADA systems whose use of Internet-connected devices make these systems particularly vulnerable. As far back as the 2012 DEFCON, the pentester, Dan Tentler revealed a sample of the unsecured systems that he found using Shodan. His examples included a car wash that could be remotely controlled by anyone, and perhaps more worrisome, the traffic control system of an entire city or a French hydroelectric infrastructure control system. These findings and many subsequent ones demonstrate the real threat from state-sponsored hacking groups to script kiddies with only a basic knowledge about the way ICS work to critical infrastructure utilizing SCADA systems.
Avoiding the impact of a SCADA compromise
SCADA systems often face a larger panel of cyber threats than classic IT environments, based on their key role in production processes. Indeed, the compromise of ICS may involve data theft, economic espionage, or a drop in the productivity of employees. Immobilization of production processes could impact the economic viability of industrial companies; however, the risk does not stop here. Other potential alterations of the production process by malicious actors may cause a drop in quality levels of products, potentially exposing employees to health and safety issues inside factories and citizens in geographic proximity. Continuous auditing of these systems to assess their security and smooth operation is vital.
Protecting your company’s industrial systems
According to security researchers, the first steps every company must take to protect their SCADA systems do not significantly differ from preventive actions taken to secure other layers of internal networks. Strong passwords and updating operating systems are the number one priority. Establishing robust baseline practices and comparing real-time traffic to patterns are also key to protecting these systems. Finally, whitelisting legitimate IP addresses assists in securing infrastructure using SCADA software.
At CybelAngel, we scan for data leaks across every layer of the internet, including the hundreds of thousands of exposed internet-connected devices existing outside the enterprise perimeter. Our proprietary Augmented Intelligence processes combine machine learning algorithms and cybersecurity experts protect your critical assets by reducing your exposure to malicious actors.
Get your MyExposure Assessment today. See where your data is leaking into the vast Internet.