Many senior managers in utilities, transportation, healthcare and manufacturing are unaware of the security risks in industrial systems, according to the European Union Agency for Network and Information Security (Enisa).
Industrial control systems, and companies operating Scada (supervisory control and data acquisition) systems, are now commonplace, and some of these systems are highly interconnected with other corporate networks and the internet.
Some devices lack encryption protocols, and there is also a lack of adequate logging, which makes it harder to identify the root cause of security breaches, said Enisa.
Because Scada systems are now interconnected and exposed to the internet or large public networks, they face many more threats, the agency warned.
Enisa’s report comes seven years after the Stuxnet worm demonstrated the devastating consequences of a targeted attack on industrial systems that use Scada, and follows the 2015 attack on the Ukrainian power grid.
Enisa urged manufacturers and operators to adopt a faster update and patching process to protect these interconnected devices, but because many Scada systems run in critical national infrastructure, this is not easily done, it warned.
The agency’s Communication network dependencies for ICS/Scada systems report recommends several areas of improvement in how these systems are run to prevent major outages affecting the population.
The report said many security incidents could be avoided if employees and top management were aware of the risks they face each day. Risk assessment was needed for both Scada and IT systems, said Enisa.
According to a report published in March 2016 by the Sans Institute, the attackers responsible for the Ukrainian power grid outage used spear phishing emails, variants of the BlackEnergy malware, and the manipulation of Microsoft Office documents that contained the malware to gain a foothold in the electricity companies’ IT networks.
Among the challenges facing security professionals, according to Enisa, is that ICS/Scada systems make use of technologies and protocols that are very different from those used in traditional IT systems, so standard security measures cannot be reused.
The use of proprietary or specific protocols, processes, data structures and I/O interfaces makes the simulation of attack scenarios very complex, requiring emulation environments that are not always available, the agency said.
The use of proprietary firmware forces security professionals to use specific tools to access firmware or even analyse its workings to detect anomalies.
Enisa also highlighted a failing in the way such systems are updated or patched. Update processes are usually carried out by using standard computers/laptops, or even USB devices, which act as a potential entry point. This complicates the forensic investigation, Enisa warned.