There’s a common misconception that SCADA systems are difficult to attack and exploit because they’re so isolated. However, SCADA systems are victimized at an alarming rate, according to a recent report by Fortinet:
Among organizations that use SCADA or ICS, almost 60% experienced a data breach in the last year. Only 11% report that they have never experienced a breach.
63% of organizations reported that the SCADA/ICS security breach affected the safety of their employees.
A major impact on financial stability was reported by another 58% of organizations.
With the SCADA market predicted to grow to $13.43 billion by 2022, we can expect the frequency and intensity of attacks to grow. Attacks by exotic cyberweapons like Stuxnet and Flame made headlines in the early 2010s and fostered a fear that similar weapons may be on the way. However, cybersecurity experts warn that attacks from run-of-the-mill sources like phishing campaigns are more likely and equally dangerous. In this article, we’ll define some of the most common social engineering attacks used against ICS/SCADA systems. We’ll also discuss which groups are most likely to attack industrial control systems.
Common threat actors
Attackers targeting SCADA networks come in all shapes and sizes. Knowing who’s spearheading the attack will give you insight into the attacker’s motivation, goals and the resources they have at their disposal. It can also help administrators gauge the potential impact of the attack. Common threat actors include:
Hostile nations
Industrial spies
Disgruntled employees
Terrorists
Hackers
Criminal groups
Hacktivists
Common social engineering threats
Cybersecurity experts have rightfully pointed out a number of security flaws in SCADA, but the biggest weak point is the user. Attackers utilize social engineering to trick employees into divulging information or providing access to the system. Compared to highly complex threats like Stuxnet, social engineering is much easier to execute and doesn’t require the same level of skill or resources. Let’s take a look at the most common social engineering threats facing ICS/SCADA systems today.
Phishing
Phishing attacks are the most common threat across the cyber landscape, and industrial control systems are no exception. Infosec describes phishing attacks as using “emails, social media, and instant messaging, and SMS to trick victims into providing sensitive information or visiting malicious URLs in the attempt to compromise their systems.” While a phishing attack may not be enough to bring down an entire power grid overnight, it can provide attackers with the foothold they need to escalate the attack. Most phishing attacks against SCADA networks are carried out with the goal of surveillance, not infection. The attackers want to know more about the system itself, including how it works and whether or not they can maintain a backdoor to exploit in the future.
Spearphishing
A power grid going down in the dead of winter and stranding nearly a quarter-million people without power sounds like the plot of a spy thriller, but it actually happened in Ukraine in December 2015. The attack began with a spearphishing campaign that targeted system administrators and IT staff at three Ukrainian electric companies. Unlike plain-old phishing, spearphishing is tailored to a particular individual. Attackers attempt to trick the victim by carefully crafting a false sense of legitimacy, such as sending an email that appears to come from a trusted source. It’s common for attackers to research the intended target prior to sending the email so that it appears as personal and authentic as possible. So how did this play out in Ukraine? Workers received emails containing a malicious attachment disguised as an innocent Word document. Upon opening the document, the recipient was prompted to enable macros, which installed a program that opened a backdoor for the intruders.
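The Ukraine intrusion above hinged on a Word attachment carrying a VBA macro. The following is an added example (not code from the article or any vendor it cites) of how a mail gateway can flag such attachments by content rather than by extension: OOXML files are ZIP containers whose VBA project sits in a vbaProject.bin member, and legacy OLE2 files name their macro storage in a UTF-16LE directory. The sample messages and sender addresses are constructed for the demonstration, and the OLE2 check is a deliberately cheap heuristic, not a full parser.

```python
import io
import zipfile

# Office Open XML files are ZIP containers; a VBA project is stored under this member name.
VBA_MEMBER_SUFFIX = "vbaProject.bin"
# Legacy binary Office files are OLE2 compound files with this 8-byte signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entry names are UTF-16LE; these storages hold VBA code (heuristic, assumption).
OLE_VBA_STORAGES = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")


def has_vba_project(data: bytes) -> bool:
    """True if the bytes look like an Office document that carries a VBA project."""
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.endswith(VBA_MEMBER_SUFFIX) for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        return any(s in data for s in OLE_VBA_STORAGES)
    return False


def triage(messages):
    """Return (sender, filename, reason) for every attachment a gateway should hold for review."""
    held = []
    for msg in messages:
        for fname, blob in msg["attachments"]:
            reasons = []
            if has_vba_project(blob):
                reasons.append("embedded VBA project")
            if fname.lower().endswith(MACRO_EXTENSIONS):
                reasons.append("macro-enabled extension")
            if reasons:
                held.append((msg["from"], fname, "; ".join(reasons)))
    return held


def _ooxml(members):
    """Build a minimal OOXML-style ZIP in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"<x/>")
    return buf.getvalue()


# Constructed mailbox: a clean .docx, a .docx hiding a VBA project, and a legacy .doc with a Macros storage.
SAMPLE_MESSAGES = [
    {"from": "hr@example.internal", "attachments": [("report.docx", _ooxml(["word/document.xml"]))]},
    {"from": "billing@vendor.example", "attachments": [("invoice.docx", _ooxml(["word/document.xml", "word/vbaProject.bin"]))]},
    {"from": "ops@vendor.example", "attachments": [("notice.doc", OLE_MAGIC + b"\x00" * 16 + "Macros".encode("utf-16-le"))]},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(row)
```

Held messages are the ones to route to analysts or quarantine; the clean report passes because neither its content nor its extension indicates a macro.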
Pretexting
Pretexting is the “practice of presenting oneself as someone else to obtain private information. Usually, attackers create a fake identity and use it to manipulate the receipt of information,” according to Infosec. Like other forms of social engineering attacks, pretexting relies on manipulation instead of high-tech worms and cyberweapons. Several attempted attacks have been launched against utility companies via phone call. The attackers set up the attack by figuring out which third-party vendors the utility companies worked with. Next, they called personnel at the companies, posing as vendor representatives, and tried to convince them there was a problem. To solve the problem they would need, you guessed it, remote access to the system.
Best practices for defending SCADA networks
Launching an attack against an ICS/SCADA network is no harder than attacking any other network, according to Dave Marcus, director of security research at McAfee. Marcus further explains that cyber forensic investigating and reporting at these facilities is often quite poor, meaning attacks could fly under the radar for a long time before they’re finally detected. When it comes to deflecting social engineering attacks, Marcus suggests that SCADA network admins do the following:
Conduct extensive penetration testing
Train staff in counter social engineering techniques
Plan for the worst-case scenario and put appropriate countermeasures in place
Build a solid network with law enforcement
Conclusion
Keeping SCADA networks up and running is challenging without the right security protocols in place. Many networks still rely on outdated technology and legacy software that leaves them vulnerable to attack. When successful, these attacks can be incredibly destructive to financial stability and public safety.
Sources
Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid, Wired
ICS-CERT: Social Engineering and SCADA Security, Infosec Island
Independent Study Pinpoints Significant SCADA/ICS Security Risks, Fortinet
Michael Robinson, “The SCADA Threat Landscape”