For industries running Industrial Control Systems (ICS) the consequences of an attack could be disastrous. Not just on a financial or reputational level, but also on a human level.
Yet we see so many systems that remain insecure.
How high really are the stakes when it comes ICS security? We take a look at some of the potential consequences of an attack.
1. Drastically-reduced productivity
Stuxnet was the first targeted attack on ICS. It showed that not only was an attack possible, but that industrial and infrastructure networks were now fair game for hackers with the skill, motivation and ideology to do so.
The aim of this attack, however, wasn’t to shut down the system fully, but instead to hamper the progress and reduce the nuclear enrichment capabilities of Iran.
To do this attackers utilised a number of Zero-day vulnerabilities to gain access to the network. Once inside, the attack targeted enrichment centrifuges, varying the speeds in order to destroy the equipment. All the while hackers had also gained control of the monitoring system, tricking the operators to think that operations were proceeding normally.
It is estimated that the 500-kilobyte Stuxnet computer worm destroyed 984 uranium enrichment centrifuges, constituting a 30% decrease in enrichment efficiency. As a consequence, it is estimated that the Stuxnet attack put Iran’s nuclear capabilities back by up to five years.
For most organisations there is a commercial pressure, as well as potential regulations, to keep industrial systems up and running. Especially if they’re responsible for critical national infrastructure such as the electricity grid.
Any attack that brings down such systems can cause widespread disruption. That’s exactly what happened in the Ukraine in 2015, when hackers managed to shut down power distribution centres and substations, cutting power to an estimated 225,000 customers in the region.
It is known is that systems were infected with a malware called BlackEnergy. This was delivered via spear phishing emails with malicious Microsoft Office attachments, which then spread and infected the network.
Whether BlackEnergy was ultimately responsible for the disruption is still being investigated. However, attackers were able to gain remote access to systems, access vital command files and lock operatives out of their own networks.
The power outage didn’t last long, one to six hours, however the repercussions of the downtime where felt for months and according to a report the systems were still running ‘under constrained operations’ two months after the attack.
Is downtime preventing you from improving security? We take a look at the issues.
Fines for data breaches are set to increase under new General Data Protection Regulations (GDPR). The maximum of £500,000 that the Information Commissioner's Office (ICO) could potentially fine is being raised to 4% of a company's worldwide turnover, or €20m (£17m), whichever is the higher.
Some breaches may fall under this regulation, especially if sensitive data is accessed or stolen in the process. However most industrial system attacks may fall under the new Security of Network and Information Systems (NIS) Directive which are set to be formalised in 2018.
“The NIS Directive will help make sure UK operators in electricity, transport, water, energy, transport, health and digital infrastructure are prepared to deal with the increasing numbers of cyber threats. It will also cover other threats affecting IT, such as power failures, hardware failures and environmental hazards.” - gov.uk
Under these proposed regulations it is expected penalties will be similar, if not identical, to those introduced under GDPR.4. High remedial costs
It’s not just the fines that an organisation need to be concerned about, the remedial costs of any breach need to be considered.
The Deepwater Horizon disaster in 2010, which saw millions of gallons of crude oil leak into the Gulf of Mexico, is an example of just how high the remedial costs of an industrial failure can be.
On top of all the reputational damage, “BP has estimated the final total cost of its Deepwater disaster, which claimed the lives of 11 workers, at almost $62bn (£47bn)”.
A cyber attack still hasn't been ruled out in terms of what caused the disaster. Modern technology and increased connectivity allows oil and gas networks to be operated remotely. However, this provides greater scope for hackers to target the electronic infrastructure.
The Deepwater Horizon disaster received massive global attention, and the subsequent regulatory and political backlash was in many respects a watershed moment for the industry.5. The human effects
Whether it be energy, electric, water, nuclear, pharmaceutical or manufacturing, an attack has the potential to affect people's lives and can ultimately cause fatalities.
There have been no reports of any deaths directly due to an ICS attack to this date, but that’s not to say there haven’t been close calls.
In 2016, an unnamed water treatment plant in America was attacked by hacktivists. Targeting the organisations online payment applications the attackers were able to gain access to admin credentials and ultimately access to the company's supervisory control and data acquisition (SCADA) system. This allowed them to steal data and more worryingly alter settings related to water flow and the amount of chemicals used in water treatment.
Thankfully the company did have warning systems in place and were able to rectify the problem without impacting the customer.
The issues preventing security improvement
As you can see, the consequences of security inaction need to be taken seriously, and security should be a key priority for any organisation operating an Industrial Control System.
We know that security is a concern, however, there are a range of issues that need to be overcome before many companies can start the process, especially when there are commercial pressures to keep systems up and running.
So, what’s stopping you improving your ICS security?