The cyber threat landscape is broad, so to understand the full scope of threats to critical infrastructure, businesses need to understand the main areas in which industrial control systems (ICS) are vulnerable.
According to Check Point, the pure-play security vendor, the three key areas to be aware of are the IT network, insider threats (whether intentional or unintentional), and equipment and software.
Attacking through the IT network
ICS usually operate on a separate network, called OT (Operational Technology), Check Point says. OT networks normally require a connection to the organisation’s corporate network (IT) for operation and management. Attackers gain access to ICS networks by first infiltrating the organisation’s IT systems (as seen in the Ukraine case), and use that 'foot in the door' as a way into the OT network.
The initial infection of the IT system is no different from any other cyber attack that happens on a daily basis, Check Point says. It can be achieved using a wide array of methods, such as spear phishing, malicious URLs, drive-by attacks and many more.
Once an attacker has successfully set foot in the IT network, they will turn their focus to lateral movement, according to the vendor. Their main objective is to find a bridge that provides access to the OT network and 'hop' onto it. In some networks these bridges are not properly secured, which can compromise the critical infrastructure they are connected to.
The threat within
Traditional insider threats exist in IT networks as well as in OT networks. Organisations have begun protecting themselves against such threats, especially after high profile attacks such as the Target hack or Home Depot (and the list is continuously growing). In OT however, the threat is increased.
As in IT networks, insiders can intentionally breach OT networks, but with graver consequences. In addition to this 'regular' threat, there is the unintentional insider threat. Unlike IT networks, OT networks are usually flat with little or no segmentation, and SCADA systems often run outdated software versions that go unpatched. Unwitting users often inadvertently create security breaches, either to simplify technical procedures or by unknowingly changing crucial settings that disable security, Check Point says.
The bottom line remains the same either way: the network that controls the critical infrastructure is left exposed to attacks. This is proven time and again as one can easily encounter networks that were connected to the internet by accident, according to Check Point.
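A simple inventory check for the IT/OT 'bridges' and accidentally internet-connected OT hosts described above, added here as an illustrative example (it is not part of the article or of Check Point's products); the address ranges and the host inventory are constructed assumptions.

```python
"""Flag hosts that straddle the OT network and any other zone.

Assumed address plan and a constructed asset inventory stand in for a
real site. A host with interfaces in both IT and OT ranges is a bridge an
intruder could hop across; an OT host with an address outside every
managed range may be exposed to the internet by accident.
"""
import ipaddress

# Assumed address plan (placeholder ranges, not from the article).
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("192.168.100.0/24"),
           ipaddress.ip_network("192.168.101.0/24")]

# Constructed sample inventory: hostname -> interface addresses.
# 203.0.113.9 is from the RFC 5737 documentation range, used as a stand-in
# for a public address.
INVENTORY = {
    "eng-ws-01":  ["10.10.4.21", "192.168.100.15"],   # dual-homed IT/OT workstation
    "hmi-03":     ["192.168.100.30"],                  # OT only: fine
    "historian":  ["192.168.101.5", "203.0.113.9"],    # OT host with an external address
    "fileserver": ["10.10.2.7"],                       # IT only: fine
}


def zone_of(addr):
    """Classify one address as IT, OT, or EXTERNAL (outside every managed range)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in IT_NETS):
        return "IT"
    if any(ip in net for net in OT_NETS):
        return "OT"
    return "EXTERNAL"


def find_bridges(inventory):
    """Return {host: zones} for every host that touches OT and at least one other zone."""
    findings = {}
    for host, addrs in inventory.items():
        zones = {zone_of(a) for a in addrs}
        if "OT" in zones and len(zones) > 1:
            findings[host] = zones
    return findings


if __name__ == "__main__":
    for host, zones in find_bridges(INVENTORY).items():
        print(f"{host}: interfaces span {sorted(zones)}")
```

Run against a real inventory, any host reported with both IT and OT (or OT and EXTERNAL) is a candidate for segmentation review.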
Meddling with critical components
The last avenue that endangers ICS is tampering with either the equipment or its software. There are several ways to execute such an operation:
- Intervening in the equipment's production. An attacker can insert malicious code into the PLC (Programmable Logic Controller) or HMI (Human Machine Interface), which are the last logical links before the machine itself.
- Intercepting the equipment during its shipment and injecting malicious code into it.
- Tampering with the equipment's software updates, for example by mounting a man-in-the-middle attack.
So, how can you protect critical infrastructure?
To fully protect any critical infrastructure, whether it is an oil refinery, nuclear reactor or an electric power plant, all three attack vectors must be addressed, Check Point says.
Securing the organisation's IT is not enough to ensure the security of the production floor. A multi-layered security strategy is needed to protect critical infrastructure against evolving threats and advanced attacks, the company says.