Does a connected world make the underlying infrastructure a sitting duck for cyber criminals?

Smart cities offer infinite possibilities, promising smoother operations for organizations, ease- of-access for citizens, efficient energy consumption and seamless connectivity. But, are things as rosy as they seem?

On 23rd December last year, a meticulously planned cyber attack took down an entire power grid in Ukraine, leaving 230,000 residents in complete darkness. As if that wasn’t enough, the attackers went the extra mile, cutting down electricity at the power station along with the backup power supplies.

The incident raised a lot of questions, with the most important one being – with the world increasingly getting connected and smart cities coming up, is it becoming easier for cyber criminals to access and attack critical infrastructure?

To get to the base of the problem, it is important to understand what kind of control systems run most of the existing infrastructure.

Supervisory control and data acquisition (SCADA) is a control system for remote monitoring and control that operates with coded signals over communication channels (using typically one communication channel per remote station).

With the commercial availability of cloud computing, SCADA systems have increasingly adopted Internet of Things technology to significantly reduce infrastructure costs and increase ease of maintenance and integration. As a result, SCADA systems can now report states in near real-time and use the horizontal scale available in cloud environments to implement more complex control algorithms than are practically feasible to implement on traditional programmable logic controllers.

That is the good part. Now over to the bad news.

SCADA systems that tie together decentralized facilities such as power, oil, gas pipelines, water distribution and wastewater collection systems were designed to be open, robust, and easily operated and repaired, but not necessarily secure.The move from proprietary technologies to more standardized and open solutions together with the increased number of connections between control systems, office networks and the Internet has made them more vulnerable to types of network attacks that are relatively common in computer security.

Consequently, the security of some SCADA-based systems has come into question as they are seen as potentially vulnerable to cyber attacks.

In particular, security researchers are concerned about:

  • The lack of concern about security and authentication in the design, deployment and operation of some existing networks.
  • The belief that systems have the benefit of security through obscurity through the use of specialized protocols and proprietary interfaces.
  • The belief that networks are secure because they are physically secured and disconnected from the Internet.The large numbers and widespread reliance on such systems by all of a country’s critical infrastructures represent a systemic threat to their continued operation. Additionally, the necessity to reboot, repair, or replace large numbers of geographically widely dispersed systems will considerably impede a country’s recovery from such an assault.Follow this link for a detailed analysis on how the hackers shut off the power grid with surgical precision.

Here are some excerpts from the article with a few notes of our own

“He watched as cursor navigated purposefully toward buttons controlling the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline.”

This can be achieved only if someone has a backdoor (a trojan) installed in the specific system which possesses the features to control power grids remotely. From the series of events mentioned above one can observe that “the cursor navigated purposefully” can be done using a RAT (remote administration tool). A rat specifically targeted those systems by means of social engineering or purposefully by someone who had access to those systems. This is why regulatory laws (compliance) are of utmost importance when it comes to the internal controls and access level controls. Only authorised personnel should be allowed to access such type of critical level systems, or anybody can drop or install a trojan via USB or email.

“Although he tried frantically to log back in, the attackers had changed his password preventing him from gaining re-entry.”

Possibly, a Key-logger recorded each and every key that got pressed in the victim system and it was all sent to the attackers through email or server in a clear text format. The attacker determined the password and was able to change it, stopping the genuine user to take back the control.

“It could have started out with cybercriminals getting initial access to the network, then handing it off to nation-state attackers who did the rest.”

When you don’t know which system to attack or, when you know only the subnet of IP address where this system might be sitting, a attacker intrinsically chooses the network where that system is residing or it might be an internal job where someone could have given those network details to the attacker. It was a thoughtfully planned and well funded attack.

There is one more case, where they may have created a worm which specifically has the feature of taking the control of the system, like “Stuxnet” – a malware that attacks SCADA systems (Siemens’ WinCC/PCS 7 systems) running on Windows operating systems. The malware uses four zero-day attacks to install a rootkit which in turn logs into the SCADA’s database and steals design and control files. The malware is also capable of changing the control system and hiding those changes.

“The phishing campaign delivered email to workers at three of the companies with a malicious Word document attached.”

Had their firewalls detected any abnormal behaviour or had they been up-to-date while handling a sensitive project such as this one, the situation could have been avoided. Hacking by means of social engineering relies heavily on misleading or tricking the human controlling the machine more than the machine itself.

SCADA systems are used to control and monitor physical processes, examples of which are transmission of electricity, transportation of gas and oil in pipelines, water distribution, traffic lights, and other systems used as the basis of modern society. The security of these systems is important because compromise or destruction of these systems would impact multiple areas of society far removed from the original compromise. This blackout for example, caused by a compromised electrical SCADA system caused tremendous financial losses to all the customers that received electricity from that source.

The reliable function of SCADA systems in our modern infrastructure may be crucial to public health and safety. As such, attacks on these systems may directly or indirectly threaten public health and safety.

Sources:

  1. https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
  2. http://www.eenews.net/stories/1060040399
  3. http://www.darkreading.com/vulnerabilities—threats/lessons-from-the-ukraine-electric-grid-hack/d/d-id/ 1324743
  4. http://betanews.com/2016/02/01/blackenergy-3-malware-targets-ukranian-power-facilities/
  5. https://en.wikipedia.org/wiki/SCADA