Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/756666
UTILITY WEEK | 2ND - 8TH DECEMBER 2016 | 23
Operations & Assets
Market view

Systems used for monitoring and control in utilities industries have been around for decades, but recently these systems have become internet connected and are now a key piece of government and industrial cyber-defence programmes.

We have long feared the implications of the growing number of unsecure devices connecting to the internet. Earlier this year we predicted that utilities would become a prime target for attacks. The trend for attacks using networks of "zombie"-style robots to launch intensive assaults on critical systems and infrastructure has grown at an alarming rate.

We already know Internet of Things (IoT) devices are easily exploited and used in attacks, but the situation in Finland shows that the industrial version of these systems consisting of SCADA devices can also fail. In the Finnish attacks, hackers launched a distributed denial of service attack that put the heating system in an endless loop, making it unable to recover without expert intervention.

The consequences of such a huge failure of mission critical systems can be serious. Luckily in Finland this situation was temporary, and the situation was merely inconvenient rather than dire, but imagine the potential consequences of a state-sponsored or politically motivated hacktivist attack on a national energy grid. Nearly half of energy suppliers believe that there is a significant threat from hacktivist groups, and 37 per cent think that campaigns would be state sponsored, yet the majority remain woefully unprotected.

Many utilities use SCADA systems to monitor critical infrastructure and networks. Electric utilities, for example, use them to monitor current flow and line voltage, and to control circuit breakers to take sections of the power grid offline or online. There is a large diversity in SCADA systems.
Some use proprietary, special purpose communication protocols; others are based on open standards like Modbus, DNP3, ICCP, ControlNet, Profibus, and others (by estimate there are about 100 different protocols). The communication medium could be wired, wireless, radio, satellite or something else.

Many Hollywood productions speak to the imagination through abuse of these systems. But until recently, hacking industrial control systems required some form of physical access to the control network or the devices. This is no longer the case.

The convergence of different types of proprietary networks and connections provides better, faster and more efficient monitoring and functionality, but has also increased the attack surface of the control network considerably.

When initially designed, the protocols used in SCADA systems were not intended to link to the outside world, so security was not a consideration. However, with the improved communications protocols, these new devices can now be exposed to the internet, either deliberately or by oversight. With no built-in authentication, message repudiation or confidentiality, these systems that control our day-to-day lives are often dangerously exposed. What is more, these systems are not regularly updated with the latest security patches for fear of uncontrolled downtime.

In more recent SCADA devices, security features are present but are disabled by default to ease deployment and provide backwards compatibility for integration with existing devices and control systems. Older SCADA systems, actually the most widely used systems today, have no security features whatsoever.

Even for systems that are not directly exposed to the outside world, what if a malicious node is added in the network? A malicious node can be programmed to wreak havoc among the devices, send fake sensor measurements and hide real issues; or simulate issues, tricking operators into actions like shutting down parts of a production process.
The major challenge of SCADA systems is their long lifecycle. Unlike other IT systems that typically last only a few years, SCADA systems last for many decades. It is difficult and costly to upgrade them and vendors hardly ever give guarantees patches will not interfere with normal operation.

The impact of attacks against SCADA systems is considerable – it can disrupt and damage critical operations, cause major economic loss, and even claim human life. Understanding how to respond to and manage the risks is critical. As hacking becomes more automated, utilities need to find new ways of fighting off the "Internet of Zombies". This means they too need to automate, because people are simply not able to react fast enough to identify and mitigate an attack before harm is done.

Of course, human security employees are not redundant. They now need to use their expertise to plan out the security policies that should be put in place to deal with advancing technology, such as when new devices are introduced to a network. An approach to security that does not bear this in mind is unlikely to succeed. But those who understand the threat, prioritise security and build a cyber-army of their own will be well placed to defend today's attacks as well as those yet to come.

Pascal Geenans, security evangelist, Radware

The Internet of Zombies

The cyber-attacks on two Finnish tower blocks that took internet-connected heating and water systems offline for two days should be a wake-up call for utility companies, says Pascal Geenans.

Finnish cyber-attack
• The central heating and hot water systems of two apartment buildings in the city of Lappeenranta, eastern Finland, were attacked by hackers.
• The denial of service attack caused the system to get stuck in an endless loop of rebooting every five minutes.
• The cyber-attack is believed to have lasted for nearly a week, starting in late October and ending on 3 November.
"In more recent SCADA devices, security features are present but are disabled by default to ease deployment and provide backwards compatibility with existing systems"