The Benefits of Deception for SCADA Environments
Recently, SC Magazine published an article covering several vulnerabilities that Positive Technologies found in GE supervisory control and data acquisition (SCADA) systems, through which an attacker could intercept passwords and disrupt utility and factory operations. While these particular vulnerabilities are limited to GE Proficy and Cimplicity SCADA systems, other manufacturers face similar issues. Such vulnerabilities are troubling because most companies are unable to reliably monitor the networks on which SCADA systems communicate, and the systems themselves are not consistently patched and updated. SCADA systems were meant to be open, robust, and easily operated and repaired, so security was never part of their design. Many of these solutions also run on older Windows XP operating systems for which security patches are no longer available, yet they are kept in production because of the cost and complexity of upgrading. As a result, they remain vulnerable to typical network attacks, and efficient early detection is essential.
Conventional incident response plans don’t account for SCADA, as responding to an attack on an industrial control system (ICS) is completely different from a traditional incident. Some of the standard IR steps simply don’t translate to a power plant or manufacturing plant. The SCADA environment is chiefly concerned with uptime, and operators of those networks rarely apply vendor patches for security bugs and other issues if the patch could disturb an existing system configuration or require any downtime. Plants will not allow an incident response team to reboot running systems during an investigation, because of the risk of disrupting operations. Recovery is challenging, as programmable logic controllers (PLCs) cannot be re-imaged the way a desktop computer can. Logging is another issue: most industrial systems don’t collect event logs the way a conventional computer does, and when they do, the logs may not feed into a SIEM. This makes it difficult to investigate an incident, let alone determine where the attack originated in the first place.
The extent to which SCADA systems can be leveraged by an attacker was first demonstrated by the Stuxnet malware, identified in 2010, that targeted Iran’s nuclear centrifuges. The malware targeted programmable logic controllers (PLCs) made by Siemens, which allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Anonymous sources in the Washington Post claimed the worm was designed to sabotage Iran’s nuclear program with what would seem like a long series of unfortunate accidents. Stuxnet reportedly ruined almost one-fifth of Iran’s nuclear centrifuges.
The current batch of vulnerabilities won’t necessarily cause this much damage, but they do warrant concern. The vulnerabilities found in General Electric’s Proficy and Cimplicity line of HMI/SCADA systems allow malicious actors to capture passwords and potentially cause read/write failures on authorization databases. Positive Technologies also found a critical fault in the security mechanism of these systems that allows remote access to industrial process controllers. With this much access, an attacker can wreak havoc on a manufacturing process and erase the historical data needed to investigate the issue.
So how do organizations reliant on SCADA systems secure their environment? The Attivo Networks ThreatMatrix Deception and Response platform is recognized by Gartner, Inc. and other analysts for its effectiveness in detecting threats in specialty networks, particularly SCADA.
Attivo Networks takes a different approach to detecting cyber-attacks on ICS/SCADA devices. Instead of relying on signatures or known attack patterns, Attivo uses deception technology to lure attackers to a BOTsink engagement device. Customers have the flexibility to install their own Open Platform Communications (OPC) software while running popular protocols and PLC devices on the BOTsink solution, making it indistinguishable from production SCADA devices. This provides real-time detection of attackers conducting reconnaissance in preparation for attacks on critical facility and energy networks. Additionally, BOTsink forensics capture information including new device connections, issued commands, and connection termination, enabling administrators to study the attacker’s tools and techniques and to identify infected devices that need remediation.
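As an added illustration (not Attivo’s code or BOTsink’s actual log format), this is the kind of triage a defender would run over a decoy PLC’s event log: because no production system should ever talk to the decoy, every session is suspicious by construction, and issued commands are ranked by their potential to disturb a process. The log format, the hosts, and the use of Modbus function codes as the example protocol are all assumptions.

```python
import re
from collections import defaultdict

# Constructed decoy event log (assumed format): timestamp, event type, key=value details.
DECOY_LOG = """\
2016-03-01T10:02:11Z CONNECT src=10.0.5.23 dst=10.0.9.40 proto=modbus
2016-03-01T10:02:12Z COMMAND src=10.0.5.23 dst=10.0.9.40 fc=3 unit=1 addr=0 count=10
2016-03-01T10:02:14Z COMMAND src=10.0.5.23 dst=10.0.9.40 fc=43 unit=1
2016-03-01T10:02:20Z COMMAND src=10.0.5.23 dst=10.0.9.40 fc=16 unit=1 addr=40 count=2
2016-03-01T10:02:21Z DISCONNECT src=10.0.5.23 dst=10.0.9.40
2016-03-01T10:05:00Z CONNECT src=10.0.5.77 dst=10.0.9.41 proto=modbus
2016-03-01T10:05:01Z DISCONNECT src=10.0.5.77 dst=10.0.9.41
"""

# Modbus function codes that write coils or registers (5, 6, 15, 16) or read/write
# registers in one request (23); anything else (reads, device identification) is recon.
WRITE_FCS = {5, 6, 15, 16, 23}

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")

def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "event": event, **fields}

def classify_sessions(log_text):
    """Group decoy events per source host: any contact is at least 'recon',
    and a write command raises that host's session to 'tamper'."""
    sessions = defaultdict(lambda: {"severity": "recon", "commands": [], "connects": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        s = sessions[ev["src"]]
        if ev["event"] == "CONNECT":
            s["connects"] += 1
        elif ev["event"] == "COMMAND":
            fc = int(ev["fc"])
            s["commands"].append(fc)
            if fc in WRITE_FCS:
                s["severity"] = "tamper"
    return dict(sessions)

if __name__ == "__main__":
    for src, s in classify_sessions(DECOY_LOG).items():
        print(f"{src}: severity={s['severity']} connects={s['connects']} fcs={s['commands']}")
```

In the constructed log, 10.0.5.23 reads registers and device identification and then issues a multi-register write, so it is flagged as tampering, while 10.0.5.77 only opens and closes a connection and stays at the reconnaissance level.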
The Attivo SCADA solution is provided through a custom software image that runs on its BOTsink appliance or virtual machine. SCADA BOTsink deployment and management are provided through a central dashboard, which provides network visibility, device management, and threat intelligence dashboards and reporting.
Regardless of the threat or the SCADA device in use, the ThreatMatrix platform provides the needed visibility into in-network threats, along with forensic reports, to promptly shut down attacks on critical infrastructure ranging from fuel sensors to building systems in auditoriums, or even cruise ship infrastructure. Although each of these is very different, the need is the same: protect the infrastructure so that there is no disruption to service, man-made disaster, or risk to human safety.