Anti-phishing vital in Scada protection, says expert

A high proportion of cyber attacks, including those against Scada control systems, are enabled by phishing attacks.

A high proportion of cyber attacks are enabled by extremely customised and plausible phishing attacks, says Rohyt Belani, CEO of phishing awareness training firm PhishMe.

According to security firm Mandiant, 99% of the security breaches it investigated in 2012 started with a targeted spear-phishing attack.

Research has revealed this includes attacks against Scada control systems at top energy firms, Belani told attendees of the (ISC)2 Security Congress 2013 in Chicago.

Most Scada systems are not exposed to the internet, which means attackers need to break in and find a way to move internally to get to the Scada systems, he said.

The easiest way to break in is to use a phishing email to trick an employee within the target organisation to click on a link that downloads malware onto the organisation’s network, said Belani.

In one case study, attackers profiled an energy company employee who worked the 11pm to 7am shift monitoring Scada systems.

Using social media and other publicly available information, the attackers were able to determine that the target employee was married with four children.

The attackers fired a single phishing email that appeared to come from the energy company’s HR department offering a discount health insurance plan for families with three or more children.

The employee did not recognise the email as a phishing attack and clicked the link to download the application form, unwittingly downloading attack malware.

“It is important for companies to understand how well attackers do their homework to make sure phishing attacks are extremely credible,” said Belani.

PhishMe has found that on average 58% of employees will fall for a simulated phishing attack and click on a potentially dangerous link.

But 18 months on, after several more simulated phishing emails sent as part of a PhishMe training programme, that figure typically drops to just 8%, said Belani.

Most companies have a 3%-4% churn in staff, so there will always be people who are not phishing-aware, but that is a much more manageable risk compared with 58%, he said.

“By building user profiles, companies can fine-tune their training and instead of worrying about all employees all the time, they can concentrate on those who present the greatest risk,” said Belani.

But as resilience and awareness increase, so does the number of suspected phishing incidents reported to security teams, which can be overwhelming, he said.

To avoid this problem, PhishMe has developed an Outlook email plugin that enables employees to tag suspicious emails and push them through at the click of a button to an automated process.

According to Belani, one company that has implemented this was able to identify three attempted phishing attacks out of 700 employee reports over just 15 days without impacting the security team.
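One way an automated process can collapse hundreds of employee reports into a handful of candidate campaigns, as an added illustration that is not PhishMe's plugin or code from the article: group reports by sender domain and link hosts, then surface only the groups that several employees reported independently. The report structure, the sample data and the threshold are assumptions made for this example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of employee-reported emails (hypothetical data, not from
# the article). Each report records the sender address and the links in the body.
REPORTS = [
    {"sender": "benefits@hr-example-payroll.net",
     "urls": ["http://hr-example-payroll.net/forms/apply?id=101"]},
    {"sender": "benefits@hr-example-payroll.net",
     "urls": ["http://hr-example-payroll.net/forms/apply?id=102"]},
    {"sender": "benefits@hr-example-payroll.net",
     "urls": ["https://hr-example-payroll.net/forms/apply?id=103"]},
    {"sender": "it-support@login-example-portal.com",
     "urls": ["http://login-example-portal.com/reset"]},
    {"sender": "it-support@login-example-portal.com",
     "urls": ["http://login-example-portal.com/reset?u=jdoe"]},
    {"sender": "newsletter@example.com",  # a benign mail someone reported anyway
     "urls": ["https://example.com/news/march"]},
]


def link_hosts(report):
    """Lower-cased hostnames of every link in the report body."""
    hosts = set()
    for url in report["urls"]:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def campaign_key(report):
    """Indicator used to group similar reports: sender domain plus link hosts.
    Query strings are deliberately ignored because phishing kits often
    personalise them per recipient, which would split one campaign apart."""
    sender_domain = report["sender"].rsplit("@", 1)[-1].lower()
    return (sender_domain, tuple(sorted(link_hosts(report))))


def cluster_reports(reports):
    """Map each campaign key to the number of employees who reported it."""
    counts = defaultdict(int)
    for report in reports:
        counts[campaign_key(report)] += 1
    return dict(counts)


def suspected_campaigns(reports, min_reports=2):
    """Campaign keys reported by at least `min_reports` employees, most-reported
    first. One report may be noise; several independent reports of the same
    sender and link combination is the signal worth an analyst's time."""
    hits = [(k, n) for k, n in cluster_reports(reports).items() if n >= min_reports]
    return sorted(hits, key=lambda kn: -kn[1])
```

In practice the threshold and the grouping key would be tuned to the organisation's mail volume, and singletons would be sampled rather than discarded.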

Since launch two months ago, around 26 PhishMe customers have implemented the email plugin, including two energy companies, said Belani.

“Energy companies have a large number of non-IT savvy users, which makes it more challenging to get them to participate, but it is happening,” he said. “Users can be more resilient and they can become more active participants in the security of any organisation.”