As SCADA Threats Grow: How to Lock Down Risk

by Ross Dyer

Another day, another warning of an impending cyber security crisis in the West. However, this time it’s come from the lips of former NSA and US Cyber Command boss General Keith Alexander. Last week he claimed that Western energy firms are unprepared for a potentially “catastrophic attack” on their infrastructure. The worst case scenario could involve a synchronised blitz on power plants, refineries and the national grid, possibly accompanied by a simultaneous attack on the banking system.

While we certainly need to keep our calm when talking about such doomsday scenarios, it’s true that the energy sector in the UK has suffered from years of under-investment in its cyber defences. With the threat growing day by day, it’s time to start taking these kinds of threats seriously.

The bad guys
If anyone knows what he’s talking about, Alexander, with his years of experience, does. He claimed that the US, UK, Russia, Israel and Iran all have the capabilities today to carry out cyberwarfare at the highest levels. Iran in particular was highlighted in a security report last year as having conducted significant reconnaissance missions to “establish a foothold in the world’s critical infrastructure.”

To that list we can probably also add China. Although Alexander didn’t mention the People’s Republic in that interview with The Telegraph, his successor Michael Rogers certainly did – last year.

Nation states might not want to physically disrupt our infrastructure, yet. But they can certainly steal data and IP which could give them a competitive advantage in industrial design. Then there is the threat from terrorist extremists. They might not have the capabilities yet, but as the attacks on French TV channel TV5Monde taught us recently, they’re learning fast and have already been using cyber channels to effect kinetic change in the real world.

The problem with SCADA
The problem with much of the cyber security in the UK’s energy industry, and indeed in other sectors where industrial systems play a major role, is that it has suffered from years of under-investment. For decades most of these industrial control systems were little known, and not connected to the internet. This made them doubly unattractive targets for attackers.

Now many of them are connected to the outside world but still running old and unsupported OS versions. In short, they’re an ideal target for hackers. Stuxnet and Flame proved what a well-crafted attack on such a SCADA system could achieve, but those were extreme, highly sophisticated examples. There are many more which have not received as much publicity.

The problem IT managers in this sector find is that vendors can be slow to patch, and even when patches are available, these systems are so critical that they can’t afford to be offline for a second while they get patched. Which means that many remain vulnerable.

What to do
We need to see the next UK government take a lead on this. The coalition has already prioritised critical infrastructure protection in its £650 million National Cyber Security Strategy, but the steps it has set out to improve matters since have been rather vague.

Here’s a quick check-list of things that organisations in this space need to consider. It’s not exhaustive but it’s a start:

  • Do a risk assessment on current systems – then you’ll know what shape you’re in security-wise
  • Refresh cyber security education and awareness for staff
  • Maintain strong physical and network access controls on a least-privilege basis
  • Disconnect any public-internet facing systems that don’t need to be connected
  • Consider whitelisting tools to ensure only authorised apps and code run on servers
  • File integrity monitoring will alert you to any unusual activity indicative of a targeted attack
  • Continuous monitoring of your environment is essential: SIEM tools can help
  • Keep systems up to date. Virtual patching can help reduce your risk exposure
