“Doomsday” Scenario - A Real Threat or an Intentional Intimidation?

Cyber experts around the world warn of a “Doomsday” scenario in which a cyber attack on a country’s critical infrastructure leads to a massive death toll. Daniel Ehrenreich, a control systems expert, explains what the challenges are and how to cope with them


Industrial Control Systems (ICS) supervise the production of energy, water and sewage, oil and gas, industrial enterprises and other critical infrastructure. Most types of control systems, such as SCADA, DMS, BEMS, DCS and EMS, were designed for highly reliable operation, and cyber security was never defined as an important requirement. Those engaged in operation and maintenance know that control equipment is typically 7 to 15 years old, which is another reason to refrain from complacency. The resources available to attackers today are sponsored by hostile states and by commercial or criminal organizations, so defending critical infrastructure against cyber attack has become a significant challenge. Considering these trends, the question is not whether a serious national attack (comparable to the September 11 attacks) may occur, but how to ensure business continuity and the operation of critical facilities after such an event.

Is the Threat Real?

On this topic opinions are divided, depending on the expert and on whether he is playing the role of “national tranquilizer” or “prophet of doom” that day. IT defense must assure data Confidentiality, Integrity and Availability (CIA), but in control systems the main emphasis is always on safety and reliability, so the order of priority is reversed: availability first, then integrity, and confidentiality last. Information secrecy is pushed to low priority because control systems are usually not required to hide the operational values (exceptions apply) exchanged between process control units and the control center.

With regard to critical facilities, no manager is entitled either to reassure or to predict tragedy; the job is to stay alert and to expect new threats, including ones never seen before. There is no dispute that computer-based devices contain software bugs that create security vulnerabilities, and because of that critical infrastructure is always at risk. These weaknesses expose the control system to malicious attacks and to their capacity to cause harm.

A few examples: a Denial of Service (DoS) attack, or the more severe Distributed Denial of Service (DDoS), aims to disable control system operation without necessarily causing physical damage to the facility. A Remote Access Trojan (RAT) operates as an “internal agent”, running malicious software to steal information, spy on processes or create a fake user name and password. A Man in the Middle (MitM) attack disrupts control by modifying operational values in transit and reporting false values back to the operator, to create losses and damage similar to the Stuxnet event.

Cyber defense and information security authorities seek to minimize risk by reducing the number of flaws in advance and by identifying attack paths as quickly as possible. These flaws fall into several categories, and each must be taken seriously:

Inadequate physical security: Everyone knows that cyber security cannot be assured without effectively preventing unauthorized people from entering the electronic security perimeter (ESP) area.

Exposure to attack starting through email: Lack of awareness of the risk created by a friendly-looking email, which may install a keystroke logger that sends data out to a hostile entity.

Neglecting hardware upgrade: Obsolete equipment is not immune to cyber attack and can undermine system resiliency, yet users often have no clear policy for hardware upgrade.

Careless password management: Correcting people's bad habits is difficult, and we often meet staff who are simply unaware of cyber security dangers.

Use of outdated anti-virus: Updates are rarely deployed, for fear of disrupting control operation and because it is uncertain whether the new anti-virus code works with the control system.

Incorrect network architecture: Control architectures built around legacy IEDs, PLCs and RTUs were structured “flat”, without adequate security zoning to block unauthorized transitions between zones.

Internet connections: People wrongly believe that if their system is linked to the Internet only indirectly, through a firewall and the corporate network, it is safe from cyber attack.

Malware spreading: An internal attack via USB, or via a wireless link (backdoor), can spread easily if no zone separation is deployed between control sections.

Operating system configuration: Control systems must operate continuously, often without any possibility of software updates, and many run without hardening or blocked ports.

Configuration of defense devices: Firewall setup is complex, especially for sophisticated devices. Faulty provisioning of a firewall, or a “reset attack” that returns it to its default configuration, may turn it “transparent”, passing all traffic.

How is Defense Deployed?

The vulnerabilities listed above are only part of a long list of attack routes. Critical Infrastructure Protection (CIP) is a challenging task, mainly because of the complexity of control architectures. Since there is no “silver bullet” solution within reach for all threats, the right process for mitigating the risk of cyber attack is “preventive care” deployed at multiple levels.

Firewalls and Demilitarized Zone (DMZ) architectures are aimed at blocking unauthorized traffic. They should be installed from the first deployment and constantly upgraded. Defense measures that examine the integrity of the data itself provide additional protection against cyber attacks.
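The “flat” architecture and the “indirectly linked via a firewall” belief described above have a simple check: treat every allow rule between two zones as an edge and ask whether any chain of permitted connections leads from the Internet or the corporate network into the control zone. The following is an added example, not code from the article or from any product; the zone names, services and rule sets are constructed for illustration. It shows that a flat rule set has a path, a properly zoned DMZ design (control pushes data outbound to a historian, corporate only reads the historian) has none, and that a single rule letting the DMZ initiate connections into the control zone reopens the path.

```python
"""Zone reachability check for a segmented control network (added example).

Models firewall allow rules as (source_zone, destination_zone, service)
and searches for a chain of permitted connection initiations that reaches
the control zone. Any permitted initiation counts as a hop, regardless of
service, because an attacker on a compromised host in one zone can use
whatever protocol that zone is allowed to open to the next one.
Zone names, services and rules below are constructed assumptions.
"""
from collections import deque

# Constructed "flat" design: the control zone is "protected" by a firewall,
# but the corporate network is allowed to open anything to it.
FLAT_RULES = [
    ("internet", "corporate", "https"),
    ("corporate", "control", "any"),
]

# Constructed zoned design: control only pushes data outbound to a DMZ
# historian; corporate users read the historian; nothing initiates inward.
ZONED_RULES = [
    ("internet", "corporate", "https"),
    ("corporate", "dmz", "https"),
    ("control", "dmz", "historian"),
]


def reachable(rules, src, dst):
    """Return the zone path src -> ... -> dst if the rules permit a chain of
    connection initiations from src to dst, else None (breadth-first search)."""
    graph = {}
    for s, d, _service in rules:
        graph.setdefault(s, set()).add(d)
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def check_control_isolation(rules):
    """True if neither the Internet nor the corporate zone can reach 'control'
    through any chain of allowed initiations."""
    return all(reachable(rules, zone, "control") is None
               for zone in ("internet", "corporate"))


if __name__ == "__main__":
    # One extra rule, e.g. a DMZ server polling controllers, reopens the path.
    polling = ZONED_RULES + [("dmz", "control", "modbus")]
    for name, rules in (("flat", FLAT_RULES), ("zoned", ZONED_RULES),
                        ("zoned+polling", polling)):
        path = reachable(rules, "internet", "control")
        print(name, "isolated" if path is None else " -> ".join(path))
```

The check is deliberately service-agnostic: the point of zoning is not that the Internet cannot speak Modbus to a PLC directly, but that no sequence of allowed hops exists at all. Where the historian must be fed from inside, the unidirectional gateway described later is the way to keep the inbound edge out of the graph.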

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) analyze data gathered by sensors (sniffers, network taps) at several points in the network. An IDS reports to the Security Operations Center (SOC); an IPS can also block access. In a control network an inline IPS must be tuned with care, since a false positive blocks a legitimate command.

It is important not to use proprietary encryption but only standard algorithms such as AES-256 (Kerckhoffs's principle: security must rest on the secrecy of the key, not of the algorithm). Encryption (though not always required) protects the content of the traffic, but on its own it does not stop a MitM attack: an attacker who cannot read the values can still replay captured messages blindly, and with an unauthenticated cipher mode can even flip bits in them. Messages therefore also need integrity protection (a MAC or an authenticated mode such as AES-GCM) and a freshness element (sequence number or timestamp) so that modified and replayed messages are rejected.
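The point above, integrity and freshness rather than secrecy alone, can be shown in a few lines. The following is an added example, not code from the article: each control message carries a 64-bit sequence counter and an HMAC-SHA256 tag over counter plus payload, and the receiver rejects any message whose tag does not verify (a value changed in flight) or whose counter does not advance (a replay). HMAC is used here because the Python standard library has no AES; in production the same counter would be carried as associated data in AES-256-GCM, which also encrypts the payload. The key, the message layout and the set-point command are constructed assumptions.

```python
"""Authenticated control messages with replay protection (added example).

Wire format: 8-byte big-endian sequence counter || payload || 32-byte
HMAC-SHA256 tag over (counter || payload). The receiver keeps the last
accepted counter and refuses anything that is not strictly newer.
"""
import hashlib
import hmac
import struct

SEQ_LEN = 8    # 64-bit sequence counter
TAG_LEN = 32   # HMAC-SHA256 output length

# Constructed demo key; a real deployment would get this from key management.
KEY = hashlib.sha256(b"constructed demo key - not a real secret").digest()


def seal(key, seq, payload):
    """Sender side: prepend the counter and append the MAC over counter+payload."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the tag first, then enforces a strictly
    increasing counter so a captured message cannot be replayed."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def open(self, msg):
        """Return (seq, payload), or raise ValueError for a modified,
        truncated or replayed message."""
        if len(msg) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated message")
        header = msg[:SEQ_LEN]
        payload = msg[SEQ_LEN:-TAG_LEN]
        tag = msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):    # constant-time compare
            raise ValueError("integrity check failed")
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order message")
        self.last_seq = seq
        return seq, payload


def demo():
    """Run the three cases from the text and return the receiver's verdicts."""
    rx = Receiver(KEY)
    genuine = seal(KEY, 1, b"SET PUMP1_SPEED 1200")     # constructed set-point
    # MitM edits the value in flight but cannot recompute the tag.
    tampered = genuine[:SEQ_LEN] + b"SET PUMP1_SPEED 9000" + genuine[-TAG_LEN:]
    verdicts = []
    for label, msg in (("genuine", genuine), ("tampered", tampered),
                       ("replayed", genuine)):
        try:
            rx.open(msg)
            verdicts.append((label, "accepted"))
        except ValueError as err:
            verdicts.append((label, str(err)))
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:9s} -> {verdict}")
```

Two details matter in practice: the counter must survive restarts of the sender (persist it or restart from a fresh session key), and the receiver state must be per-sender, otherwise a single shared counter lets one stalled device block the rest.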

Zero-day attacks exploit flaws for which no patch or signature exists yet (a zero-day vulnerability), so signature-based safeguards cannot block them. Software that recognizes abnormal communication or abnormal control-process behavior (anomaly detection) may help detect these attacks.

Periodic scanning of installed controllers, software versions and available memory can be used as a “self-learning” process: the scans build a baseline of normal state, and comparing later scans against it reveals anomalies and deviations from normal processes, including actions taken by people authorized to maintain the system.
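The anomaly detection described for zero-day attacks and the “self-learning” scan baseline described in the previous paragraph are the same idea applied to two data sources. The following is an added example, not code from the article: a baseline is learned from a quiet training window of controller scans (firmware version, free memory) and of set-point writes observed on the wire (controller, register, value), and later observations are reported when they fall outside what was learned. Controller names, register numbers, values and the 20% memory tolerance are constructed assumptions.

```python
"""Self-learning baseline for controller state and control traffic (added example).

Learns normal firmware versions, free-memory ranges and per-register value
ranges from a training window, then flags any later observation that
deviates. No signature is needed, so an unknown attack or an unannounced
maintenance change shows up the same way.
"""


class Baseline:
    def __init__(self, mem_tolerance=0.20):
        self.firmware = {}            # controller -> firmware version seen in training
        self.mem = {}                 # controller -> (lowest, highest) free memory, KB
        self.writes = {}              # (controller, register) -> (lowest, highest) value
        self.mem_tol = mem_tolerance  # allowed drift beyond the learned memory range

    # ---- learning phase -------------------------------------------------
    def learn_scan(self, ctl, firmware, free_mem_kb):
        self.firmware.setdefault(ctl, firmware)
        lo, hi = self.mem.get(ctl, (free_mem_kb, free_mem_kb))
        self.mem[ctl] = (min(lo, free_mem_kb), max(hi, free_mem_kb))

    def learn_write(self, ctl, reg, value):
        lo, hi = self.writes.get((ctl, reg), (value, value))
        self.writes[(ctl, reg)] = (min(lo, value), max(hi, value))

    # ---- detection phase ------------------------------------------------
    def check_scan(self, ctl, firmware, free_mem_kb):
        findings = []
        if ctl not in self.firmware:
            return [f"{ctl}: unknown controller"]
        if firmware != self.firmware[ctl]:
            findings.append(f"{ctl}: firmware changed {self.firmware[ctl]} -> {firmware}")
        lo, hi = self.mem[ctl]
        margin = self.mem_tol * hi
        if free_mem_kb < lo - margin or free_mem_kb > hi + margin:
            findings.append(f"{ctl}: free memory {free_mem_kb} KB outside {lo}-{hi} KB")
        return findings

    def check_write(self, ctl, reg, value):
        key = (ctl, reg)
        if key not in self.writes:
            return [f"{ctl}: write to never-written register {reg}"]
        lo, hi = self.writes[key]
        if not lo <= value <= hi:
            return [f"{ctl}: register {reg} value {value} outside {lo}-{hi}"]
        return []


# Constructed training window: two controllers, normal scans and writes.
TRAINING_SCANS = [("PLC-1", "v2.3", 512), ("PLC-1", "v2.3", 500),
                  ("RTU-7", "v1.0", 256), ("RTU-7", "v1.0", 250)]
TRAINING_WRITES = [("PLC-1", 40001, 1200), ("PLC-1", 40001, 1250),
                   ("PLC-1", 40001, 1180), ("RTU-7", 40010, 1)]

# Constructed later observations: RTU-7 was reflashed and lost memory,
# PLC-1 receives an out-of-range set-point and a write to a new register.
NEW_SCANS = [("PLC-1", "v2.3", 505), ("RTU-7", "v1.1", 180)]
NEW_WRITES = [("PLC-1", 40001, 1210), ("PLC-1", 40001, 9000), ("PLC-1", 40002, 0)]


def run_demo():
    """Train on the quiet window, then return findings for the new observations."""
    base = Baseline()
    for ctl, fw, mem in TRAINING_SCANS:
        base.learn_scan(ctl, fw, mem)
    for ctl, reg, val in TRAINING_WRITES:
        base.learn_write(ctl, reg, val)
    findings = []
    for ctl, fw, mem in NEW_SCANS:
        findings += base.check_scan(ctl, fw, mem)
    for ctl, reg, val in NEW_WRITES:
        findings += base.check_write(ctl, reg, val)
    return findings


if __name__ == "__main__":
    for line in run_demo():
        print("ANOMALY:", line)
```

The training window is the weak point of any such scheme: if an attacker or a careless maintenance change is already present while the baseline is learned, it becomes part of “normal”. Learn from a reviewed, quiet period and re-learn only after an authorized change has been documented.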

Unidirectional Security Gateways (known as data diodes) perform segmentation between network zones. Data flows in only one direction, usually outbound from the control system, and there is no physical path for packets to flow in the opposite direction, into the control system.

Security Information and Event Management (SIEM) performs cyber attack detection by analyzing information collected into the SIEM from several locations. It is important to emphasize that the information must flow “one way” into the SIEM, so that the collection path itself does not become a route into the control network.

Allocation of Resources 

The number and severity of attacks are growing, because attackers are funded by hostile states and by commercial and criminal organizations to cause outages, cause damage or generate profit. Although there is no advance information about the date on which an attack may take place, the chances of one happening are growing. Operators of critical facilities must therefore act with greater determination and wisdom to stay “one step ahead of the attackers”. This must lead to investment and allocation of resources, because the potential harm represents a serious threat to the security and welfare of citizens.

Daniel Ehrenreich is a consultant with Secure Communications and Control Experts. He has over 25 years’ experience with control systems for critical infrastructure such as electricity, water, gas and power plants, gained through his work at Motorola, Siemens and Waterfall Security.
