Narong Jongsirikul - Fotolia

UK industrial control systems targeted, warns leaked NCSC document

Industrial control systems across several UK sectors have been targeted in recent activity by known state-sponsored attackers, according to a leaked report by the UK National Cyber Security Authority

The UK is one of several countries targeted by cyber attackers seeking to compromise industrial control systems (ICS), according to a leaked document from the National Cyber Securty Centre (NCSC).

Some ICSs may have been compromised in attacks by advanced state-sponsored hostile threat actors, according to an NCSC document leaked to Motherboard by an energy industry source and confirmed by two others on condition of anonymity.

Although modern ICSs typically found in the energy sector and other suppliers of critical national infrastructure are designed to be secure, legacy systems were not.

The fact that many of these legacy systems are still widely used has, in recent years, raised concerns about the resilience to cyber attacks.

But according to Airbus, there are a growing number of options available to protect legacy systems. The aircraft manufacturer is among suppliers that are developing ways to add security where it was lacking.

Kevin Jones, head of cyber security innovation at Airbus, told Computer Weekly recently that there is a good level of awareness, understanding and protection among operators of critical national infrastructure (CNI)  in the UK, and attacking ICSs is not as easy as many people think.

Despite vulnerabilities in individual components, once these are put together in a bigger system, it is a lot more difficult to exploit those vulnerabilities than some people claim, said Jones.

“In the lab, it is easy to exploit these vulnerabilities because we have direct network access to the PLCs [programmable logic controllers], but in the real world there are a few things that can help to make it more difficult for would-be attackers, such as good network security, including various filters on the web traffic,” he said.

However, cyber defence of CNI is a key focus for the NCSC and the leaked document warns of cyber attacks targeting energy, engineering, industrial control and water supply companies. The NCSC is also believed to be providing technical guidance to affected organisations.

The uptick in this activity is believed to be fairly recent and potentially connected to reports of malicious emails sent to senior engineers at the Electricity Supply Board (ESB), which supplies Northern Ireland and the Republic of Ireland, and US government warnings in June 2017 of attacks targeting nuclear and energy firms.

Read more about ICS security

The leaked document said: “The NCSC is aware of connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors.”

These connnections are being made using the server message block (SMB) data transfer protocol in Microsoft Windows that was exploited by WannaCry and Petya, as well as the hyper text transfer protocol (HTTP).  

The NCSC is believed to be investigating whether the hackers were trying to capture user credentials. Credential theft is a common attack technique because it enables attackers to move around targeted systems undetected.

The standard advice for blocking credential abuse is to implement multifactor authentication systems so that even if a username and password is compromised, attackers will still not be able to access systems without additional authentication using tokens, one-time passwords or biometrics.

The leaked document went on to say: “The NCSC believes that due to the use of widespread targeting by the attacker, a number of industrial control system engineering and services organisations are likely to have been compromised.”

The NCSC told Computer Weekly that it does not comment on leaked documents. A spokesperson said: “We are aware of reports of malicious cyber activity targeting the energy sector around the globe. We are liaising with our counterparts to better understand the threat and continue to manage any risks to the UK.”

Social engineering

Security commentators say social engineering seems to be a key focus for the attackers behind the latest activity targeting national infrastructure.

“Targeting engineers with access to control systems with phishing messages is pretty straightforward and, if successful, could be extremely damaging,” said Andrea Carcano, founder and chief product officer at Nozomi Networks.

“In tandem, although air-gapping offered a degree of protection, the way our nuclear plants, and any infrastructure for that matter, is maintained today means this practice is defunct.”

According to Carcano, engineers commonly plug in their own devices to perform diagnostic checks. “Should that engineer’s device have been compromised, this action could unleash malware directly into the heart of each component being checked, which then crawls and burrows deeper into the infrastructure,” he said.

CNI providers have to assume that all parts of critical infrastructure are being probed for vulnerabilities from a risk management point of view, said Carcano.

“Risk management is an ongoing process. Up-to-date patching and the use of artificial intelligence and machine learning to immediately identify suspicious network communications and incidents helps to harden the security that guards industrial control systems,” he added.

Read more on Hackers and cybercrime prevention