  • otw

SCADA Hacking: The Most Important SCADA/ICS Attacks in History

Welcome back, my aspiring SCADA/ICS cyberwarriors!


SCADA and ICS are the most important cybersecurity issues in this decade. Although traditional IT is still saddled with a number of serious issues including ransomware, the threat to SCADA/ICS systems extends far beyond the individual facility and the profit margins of the individual company. The crippling of a SCADA facility can hamstring an entire nation! Consider the repercussions of a hack against the electrical grid or an oil or gas pipeline or the local water treatment plant. The impacts would be devastating (if you want to learn more about SCADA Hacking and Security, attend our upcoming training).





As we consider the impacts of future SCADA hacks, it's a good idea to look back at some of the most important SCADA/ICS hacks in history. Although this won't predict the future, it can provide insights into how SCADA hacks can be implemented and their potential impacts on a nation's or region's infrastructure.


Stuxnet


Probably the most famous SCADA/ICS attack in history, this attack focused upon the Siemens PLC controllers used at the Iranian uranium enrichment plant at Natanz. Stuxnet, built by the US NSA and intended to slow the Iranian nuclear program, was released in 2009 in the Middle East and slowly worked its way throughout the world.




It used three zero-days in the Microsoft Windows operating system to enter the system and then overwrote the ladder logic of the PLCs of the uranium centrifuges so that they could not precisely enrich the uranium at the proper concentration. It is still one of the most sophisticated SCADA/ICS attacks to this day and a model of just how targeted and malignant SCADA/ICS attacks can be. For more detailed analysis of Stuxnet, read our Anatomy of Stuxnet.



Triton/Triconex


The Triton/Triconex malware was first identified in December 2017 on the industrial control systems of a Saudi petrochemical facility. What makes this malware stand out from this group is that it was specifically designed to kill people. This malware infects the safety control systems (SIS) built by Schneider Electric that are designed to shut down these facilities in the event of an accident or other dangerous event.




Although attribution is always a tricky exercise, FireEye reported that the malware most likely came from the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a research entity in Russia. This malware is most noteworthy as it manifests the danger of SCADA/ICS attacks in a cyberwar scenario that could lead to the loss of millions of lives.


BlackEnergy3


BlackEnergy3 was malware that was re-purposed to attack the electrical grid of the Ukraine in 2014. Originally developed as a DDoS tool, BlackEnergy3 was re-purposed to enable the attacker to access systems within an electrical utility in the Ukraine.


BlackEnergy3 was a Microsoft Office macro malware that used a vulnerability, CVE-2014-4114, against Microsoft Office 2013, in the OLE packager 2 (packager.dll). This same vulnerability was enumerated as MS14-060 by Microsoft.




This attack was eventually used to compromise the Human Machine Interface (HMI) and then control the breakers that control the electrical grid. The attackers then selectively blacked out major portions of the Ukraine during the Russian attack in Eastern Ukraine. For more on BlackEnergy3, read Anatomy of BlackEnergy3.


Shamoon


Shamoon was designed to steal and wipe out data at the world's largest energy company, Saudi Aramco. This attack in 2012 overwrote the data on the computer systems with an image of a burning American flag.




Unlike other SCADA/ICS attacks that target the industrial operations, Shamoon targeted the information on the facility's computers. This is unusual, as most SCADA/ICS attacks target the industrial operations and the PLCs within the system that control operations.


Shamoon attempted to spread from the corporate network--where the data resided--to the SCADA network, but due to proper network segmentation and isolation (best practice), the malware was unable to spread. This attack was likely the work of Iranian hackers, the Saudis' archenemies.



New York Dam


In 2013, Iranian hackers were able to access a small dam in New York State in the US. It appears to have been a test to see what they could access and there was little or no damage.


The attackers accessed the SCADA controls through an Internet connection via a cellular modem. Luckily, the system was in maintenance mode at the time, so no control features were accessible.



This attack highlights the vulnerability of Internet-connected SCADA/ICS systems. Many such facilities (dams, locks, water systems, etc.) have chosen to go offline rather than be online and bear this risk of attack.




Kemuri


Many SCADA/ICS attacks go unreported. In most countries (including the US) there is no legal mandate to report these attacks, despite their national security implications. One such attack became known as Kemuri to protect the identity of the company. It was reported by Verizon Security in 2016 and involved an attack upon a water company.






The attackers accessed the valve and flow control application that controls the PLCs that mix the water treatment chemicals (adding the proper chemicals to kill dangerous microbial growth, but not so much as to kill the humans drinking it). Although little damage was done due to the vigilance of the operators, if the attackers had better knowledge of this SCADA/ICS system, many lives within the community could have been lost and the economy disrupted.



CrashOverride


CrashOverride or Industroyer was the first malware specifically designed to attack electric grids, but we can be certain it won't be the last. This malware is specifically designed to attack SCADA facilities using IEC 101, IEC 104 and IEC 61820, the communication protocols used in the electricity distribution industry.







The modules in CrashOverride/Industroyer are designed to open circuit breakers on Remote Terminal Units (RTU) and keep them open by running an infinite loop procedure that keeps even the manual operators, on-site, from closing them. This attack results in the de-energization of substations and forces operators to switch to manual operations to restart power.


CrashOverride/Industroyer and its variants could be a VERY destructive attack in a cyberwar scenario, potentially knocking out power to large swaths of an economy.
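A defender can watch for the looping behaviour described above on the control network. The following is an added example, not code from the original post: a small IEC 104 parser that pulls single and double command ASDUs out of captured APDUs and flags any point that receives the same execute command repeatedly within a short window. The function names, the window and threshold values and the sample frames are assumptions made for illustration, and whether "OFF" means an open breaker depends on the site's point mapping.

```python
from collections import defaultdict, deque

CMD_TYPES = {45, 46}      # C_SC_NA_1 (single command), C_DC_NA_1 (double command)
COT_ACTIVATION = 6        # cause of transmission: activation

def parse_commands(apdu: bytes):
    """Return [(common_addr, ioa, state, is_select)] for command ASDUs in one APDU."""
    if len(apdu) < 12 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2 or apdu[2] & 0x01:
        return []         # malformed, or S-/U-format frame (6 bytes, no ASDU)
    asdu = apdu[6:]
    type_id, count, cot = asdu[0], asdu[1] & 0x7F, asdu[2] & 0x3F
    if type_id not in CMD_TYPES or cot != COT_ACTIVATION:
        return []
    common_addr = int.from_bytes(asdu[4:6], "little")
    out = []
    for i in range(count):                    # each object: 3-byte IOA + 1 qualifier
        obj = asdu[6 + 4 * i: 10 + 4 * i]
        if len(obj) < 4:
            break
        q = obj[3]                            # bit 7 set = select, clear = execute
        state = ("OFF", "ON")[q & 1] if type_id == 45 else \
            {1: "OFF", 2: "ON"}.get(q & 3, "INVALID")
        out.append((common_addr, int.from_bytes(obj[:3], "little"), state, bool(q & 0x80)))
    return out

def find_command_floods(frames, window=10.0, threshold=5):
    """frames: (timestamp_s, apdu) in time order. Returns {(ca, ioa, state): peak count}."""
    recent, alerts = defaultdict(deque), {}
    for ts, apdu in frames:
        for ca, ioa, state, is_select in parse_commands(apdu):
            if is_select:                     # count execute commands only
                continue
            key = (ca, ioa, state)
            recent[key].append(ts)
            while ts - recent[key][0] > window:
                recent[key].popleft()         # drop commands older than the window
            if len(recent[key]) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(recent[key]))
    return alerts

def build_cmd(type_id, ca, ioa, qualifier):
    """Constructed test frame: I-format APDU, one command object, sequence numbers 0."""
    asdu = bytes([type_id, 1, COT_ACTIVATION, 0]) + ca.to_bytes(2, "little") \
        + ioa.to_bytes(3, "little") + bytes([qualifier])
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu

# Constructed capture: eight OFF commands to one point in 3.5 s, one ON elsewhere, one TESTFR.
SAMPLE = sorted([(0.5 * i, build_cmd(45, 1, 1001, 0x00)) for i in range(8)]
                + [(1.0, build_cmd(46, 1, 2002, 0x02)), (2.0, bytes.fromhex("680443000000"))],
                key=lambda f: f[0])
```

Running `find_command_floods(SAMPLE)` reports only the point that was commanded OFF eight times; the single ON command and the keep-alive frame are ignored.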



German Steel Mill


In 2014, a German steel mill was attacked with malware that first provided the attackers with access to the business network and then eventually the SCADA/ICS network. We only know of this attack because it was included anonymously in a German government security report without identifying the company or facility (this once again underscores that many SCADA/ICS attacks are unreported and unknown to the public).







The attackers were able to access the industrial control systems and caused multiple failures among these systems. The attackers had an intimate knowledge of the steel mill operations and the industrial control systems that managed it. This steel mill narrowly skirted disaster.



Night Dragon


Unlike other SCADA/ICS attacks, the Night Dragon malware was a series of attacks that gathered information from the oil, energy and petrochemical industry facilities. Often referred to as a Tactics, Techniques and Procedures (TTP) attack, this malware gathered information from this industry such as financial documents, operational procedures and bidding.




This attack in 2010 highlighted how unprepared the industry was for such attacks. This was a rather unsophisticated attack but could have caused significant damage if the attackers had targeted the HMI or other industrial system controllers.


Summary


SCADA/ICS systems are among the most critical systems to any economy, but are the least secure. Any modern warfare will assuredly include an element of cyberwar that will attempt to cripple these industries and hamstring the economy of the target. Many of these attacks go unreported, but from those that are reported we can gain a glimpse of what these attacks might look like.






