Although such attacks are rarely made public, a decoy set up by the security firm on an ICS typically used to control national infrastructure saw 1,300 attempts to gain unauthorised access in a single month.
“Of these, 400 were successful,” said Andrey Nikishin, special projects director of future technologies at Kaspersky Lab.
The successful attacks included 34 connections to integrated [software] development environments (IDEs), seven downloads of programmable logic controller (PLC) firmware, and one case of reprogramming a PLC with the hacker’s software, he told a Kaspersky Lab ICS executive conference in London.
“This is especially worrying in the light of the fact that we have found lots of examples of industrial control systems that are connected to the internet, which means they are hackable,” said Nikishin.
The first stage of any targeted attack, he said, is information gathering and preparation. “Attackers will scour social media for information on ICS operators who can be targeted through well-crafted email phishing attacks to infect control systems.
“They will also look at other public sources of information, such as television documentary programmes and media photographs, which have been known to provide clues about control systems at nuclear plants,” said Nikishin.
The best known instances of targeted attacks on industrial control systems include the Stuxnet attack on an Iranian nuclear enrichment plant and the Shamoon attack on Saudi Aramco.
“The Shamoon attack was simple. It was designed to delete everything on infected machines, which is really dangerous and the type of attack that the oil and gas industry fears,” said Nikishin.
“And it has been revealed only recently that Stuxnet included functionality that enabled the collection of vast quantities of data from infected ICS machines,” he said.
Accidental infections and insider threats
While targeted attacks are the most dangerous, operators of industrial control systems also need to be aware of accidental infections and insider attacks.
“Although Stuxnet was designed to disrupt operations at a specific nuclear plant, it accidentally infected around 300,000 industrial control systems around the world,” said Nikishin.
Each one of these infections was capable of collecting information about the infected system and transmitting that back to the malware controllers.
Any ICS connected to the internet also runs the risk of being infected with ransomware such as Cryptolocker.
“This is a big headache and a major concern for many operators of industrial control systems who fear their systems will be cryptographically locked and held for ransom,” said Nikishin.
Spanair JK5022 is an example of where an accidental infection had fatal consequences, he said.
In 2008, one of the now-defunct airline’s ground computers was infected with a Trojan virus, but not as the result of a targeted attack.
However, the malfunctioning of the infected computer has never been ruled out as a contributory factor to the failure of warning systems.
“Critical warning systems prior to take-off failed to work, with the result that an aircraft crashed, killing 154 people on board,” said Nikishin.
Finally, industrial control systems are vulnerable to attack by insiders acting out of revenge and greed or because they are being blackmailed.
Some of these attacks are discovered after a relatively short time, but others have been known to run for years before being detected, said Nikishin.
“In one case an insider altered a few lines of code for a control system at an oil and gas company to siphon off free fuel, but that was discovered after three months.
“In another case at a Russian mining company, a gang altered code to divert tons of iron ore that netted them $50m before the scam was discovered after three years,” he said.
Kaspersky Lab expects the emerging trend of attacks on contractors to continue and grow.
“Suppliers of critical national infrastructure and operators of industrial control systems are usually well defended, but their suppliers and contractors are often relatively easy targets,” said Nikishin.
Similarly, attackers are expected to target industrial control systems because industrial networks potentially offer an easier way in to the more heavily protected corporate IT systems.
Attackers are also expected to target and compromise remote control systems, where such systems have been introduced to cut costs and for ease of use without due consideration to security.
“All sorts of things, including public transport systems and even battleships, are being equipped with remote control systems, which are conceivably open to compromise,” said Nikishin.
Kaspersky Lab is also warning of potential attacks on building control systems for CCTV, air-conditioning, lighting and access control.
“The analysis of malware has revealed components for controlling office doors, so attackers could theoretically block access to targeted buildings, which could be dangerous,” said Nikishin.
“From experience, my feeling is that the situation is likely to go from bad to worse,” he said.