In this article we take a closer look at what exactly industrial control systems security is and what it looks like in a modern “IIoT” and “IT/OT”-converged landscape. The infamous Stuxnet worm changed the industrial control systems landscape when it was first uncovered back in 2010.
This malicious worm wreaked havoc on Iran’s nuclear program, using Microsoft Windows operating systems as a catalyst to exploit vulnerabilities in a host of Siemens Step 7 PLCs. From there, Stuxnet took control of the variable speed drives that were spinning nuclear centrifuges, ultimately tearing them apart.
It is reported that Stuxnet destroyed one-fifth of Iran’s nuclear centrifuges, infected over 200,000 computers and caused over 1,000 machines to fail prematurely.
When I first heard this story, like most of you, I was fascinated! While nobody ever claimed responsibility for Stuxnet, it is believed the worm was state-sponsored, built jointly by American and Israeli cyber-weapons divisions.
Join me as I do a post-mortem to uncover lessons learned from Stuxnet, explore current threats to our modern Industrial Control Systems, and discuss steps that can be taken to ensure your plant is ready for the next onslaught of cyber-attacks.
Industrial Control Systems Security Explained
Industrial Control Systems Security is a term that describes the protection of the various technologies used in industrial automation and manufacturing, such as Distributed Control Systems (DCS), Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems.
The reality is that an alarming percentage of Industrial Control Systems (ICS) are susceptible to malicious attack by hackers. These were the findings of the global security firm Positive Technologies. In their report, they found that researchers were able to infiltrate 73% of the critical infrastructure establishments tested. In 82% of those successful infiltrations, researchers suggested that it was possible to,
“Gain a foothold and leverage it to access the broader industrial network, which contained ICS equipment.”
Of course, industrial control systems aren’t new; these systems have been running global manufacturing processes for years. However, with the recent expansion of Internet and wireless technologies, industrial control systems are no longer running in isolated network topologies, also known as “air-gapped” networks.
Positive Technologies goes on to say that,
“Vulnerabilities that would have been fixed years ago on ordinary systems often remain untouched, because organizations are afraid to make any changes that might cause downtime.”
These vulnerabilities pose a serious threat to national security and companies like Symantec are at the leading edge of providing solutions to ensure our critical infrastructure facilities are secure.
What Is Critical Infrastructure?
Critical infrastructure comprises those processes, systems, facilities, technologies, and networks that, if lost, could pose a significant threat to needed supplies, services, and communications. Examples include the following.
- Oil and Gas
Like the intent of Stuxnet, our critical infrastructure facilities would certainly be a target of any large scale cyber-attack. This is why millions of dollars in cyber-security measures are being implemented to guard against the devastation a worm like Stuxnet would cause.
How Are Critical Infrastructure Attacks Carried Out?
These attacks are, without question, sophisticated in nature. They are typically state-sponsored, although never by admission, and they often rely on zero-day vulnerabilities. The term “zero-day” refers to the fact that developers have had “zero days” to defend their software against the attack, because the flaw was unknown to them before it was exploited. Stuxnet is the classic example of a zero-day attack.
Typically the malware infiltrates a network by way of a USB flash drive or similar removable media, allowing it to cross over the “air-gap”. From there the infection spreads itself to other computers on the network, often defeating emulation-based network intrusion detection systems.
Once it has infected computers that satisfy certain preconditions (e.g., SCADA control PCs), it finds vulnerabilities in the PLC firmware or software and injects itself by way of malicious code or via the communication protocols. This allows it to manipulate PLC logic and ultimately the controlled process. Current attacks against embedded real-time operating systems (RTOS) include:
- Firmware Modification Attacks – attacker uploads a new firmware to the PLC.
- Configuration Manipulation Attacks – attacker modifies the logic.
- Control Flow Attacks – attacker finds a buffer overflow or RCE in the PLC.
- Authentication Bypass Attacks – attacker finds a backdoor password in the PLC.
- Hooking Functions for Industrial Control Systems malware (i.e., Stuxnet).
Looking at Stuxnet specifically, once it infected the s7otbxdx.dll file belonging to the Siemens WinCC/PCS 7 SCADA control software (Step 7), it was able to intercept communications between WinCC running on Windows and the target Siemens PLC (S7-300) with which it was permitted to communicate. This allowed the infected code to be installed on the PLC devices unnoticed.
Stuxnet was a fascinating worm! It was very specific about what it was looking for; otherwise, it lay dormant and undetected on the hosting PC until it was transferred to a PC that satisfied its conditions.
Stuxnet had three main components or modules: a worm that executed the necessary routines of the intended attack; a link file that propagated copies of the worm so it could spread; and a rootkit component that prevented detection.
While the entirety of the Stuxnet code still has much to be revealed, what is known is that it targeted very specific devices under very specific criteria. It required a specific manufacturer of variable speed drive, Vacon or Fararo Paya, and only attacked these drives if the operating frequency of the attached motors was between 807 Hz and 1,210 Hz. It would then periodically modify the frequency of the drives to 1,410 Hz and then to 2 Hz and then to 1,064 Hz thus changing the rotational speed of the motors.
It also installed a rootkit, the first of its kind on industrial control systems, that hid the malware on the system and masked the changes in rotational speed from monitoring systems.
This YouTube video released by Stanford University dissects Stuxnet in all its glory.
Current Defenses Against Attacks
There are measures that can, and have been put in place since Stuxnet to defend against industrial control systems attacks. These include,
- Memory Attestation – being able to provably secure remote systems from heap-based overflow attacks.
- Firmware Integrity Verification – detects unauthorized changes to firmware from any rogue or malicious code execution.
- Hook Detection – preventative measure to guard against both Code Hooking and Data Hooking.
Some applicable defenses for PLCs, specifically, include the following:
- No hardware modifications are typically done to the controllers. To upgrade a controller (aside from firmware upgrade) means purchasing an upgraded off-the-shelf model.
- Firmware Integrity Verification – as discussed above can be implemented to guard against rogue manipulation.
- Logic Checksums – a small sized datum derived from a block of logic for the purpose of detecting errors that may have been introduced during data transmission or storage.
- Limited CPU overhead – meaning any spike in CPU utilization beyond the normally executing code can be easily detected.
- No virtualization support required – meaning exposure to other “less-secure” operating systems are not an issue.
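The firmware integrity verification and logic checksum items above both come down to the same mechanism: record a known-good fingerprint of each controller, then periodically compare. The following Python is an added example (not code from the article or from any PLC vendor) that keeps an inventory baseline of firmware version plus a SHA-256 checksum of the uploaded logic image, and reports firmware drift, logic changes, missing devices and devices that were never inventoried. The device names, firmware strings and logic bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


def logic_checksum(logic_image: bytes) -> str:
    """SHA-256 of the logic image as uploaded from the controller.

    A cryptographic hash is used instead of a simple additive checksum so that
    a deliberate edit cannot be hidden by padding the block back to the same
    checksum value.
    """
    return hashlib.sha256(logic_image).hexdigest()


@dataclass(frozen=True)
class DeviceRecord:
    name: str
    firmware: str
    logic_sha256: str


def build_baseline(snapshots):
    """snapshots: {device name: (firmware version, logic image bytes)} captured
    during a known-good state, ideally from a clean engineering workstation."""
    return {
        name: DeviceRecord(name, firmware, logic_checksum(image))
        for name, (firmware, image) in snapshots.items()
    }


def verify(baseline, current):
    """Compare a fresh snapshot against the baseline.

    Returns a list of (device, finding kind, detail) tuples; an empty list means
    every inventoried device matches and nothing unexpected appeared.
    """
    findings = []
    for name, record in baseline.items():
        if name not in current:
            findings.append((name, "missing", "device unreachable or removed"))
            continue
        firmware, image = current[name]
        if firmware != record.firmware:
            findings.append((name, "firmware", f"expected {record.firmware}, found {firmware}"))
        if logic_checksum(image) != record.logic_sha256:
            findings.append((name, "logic", "logic checksum does not match baseline"))
    for name in current:
        if name not in baseline:
            findings.append((name, "unknown", "device not in baseline inventory"))
    return findings


# Constructed sample data (placeholder names, versions and logic bytes).
GOLDEN = {
    "PLC-LINE1": ("V4.2.1", b"OB1:CALL FB10;FB10:L MW10;T QW0;"),
    "PLC-LINE2": ("V4.2.1", b"OB1:CALL FB20;FB20:L MW20;T QW2;"),
}
LATER = {
    "PLC-LINE1": ("V4.2.1", b"OB1:CALL FB10;FB10:L MW10;T QW0;"),  # unchanged
    "PLC-LINE2": ("V4.2.1", b"OB1:CALL FB20;FB20:L MW20;T QW3;"),  # one output changed
    "PLC-NEW":   ("V3.9.0", b"OB1:NOP;"),                          # never inventoried
}

if __name__ == "__main__":
    for device, kind, detail in verify(build_baseline(GOLDEN), LATER):
        print(f"{device}: {kind}: {detail}")
```

The check is only as trustworthy as the path used to read the controller. Stuxnet hooked the very library the engineering software used to talk to the PLC, so a verification run from the compromised workstation would have been shown the original logic. Capture and verify from a separate, tightly controlled host, and keep the baseline file on read-only storage off the OT network.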
There are also some more complex, non-trivial PLC intrusion detection software packages currently being developed; they are,
- Doppelganger (Symbiote Defense) – an implementation for software “symbiotes” to aggressively adapt and defend against embedded software attacks.
- Autoscopy JR – a host based intrusion detection which is designed to detect kernel rootkits for embedded control systems.
The actual implementation details of these two non-trivial intrusion detection systems are beyond the scope of this article; however, research papers are available online if you are interested in reading more about these topics.
How To Make Your Facility Secure
Almost certainly the biggest problem behind companies’ inability to “lock down” or secure their critical industrial control systems is lack of resources. Yes, large companies have been pouring millions of dollars into the technology required to secure their automation systems; however, not enough investment is going into the human capital required to manage this technology.
In my experience, in almost all cases, security is a “side-job” that Controls Engineers and IT personnel rarely think about when it comes to industrial control systems. They simply are tasked out with other projects, and don’t have the time to take down systems to address security issues.
That said, a few best practices can certainly help achieve an overall cyber-security plan. Below I’ve listed 7 items you can be thinking about right now.
- Know the Industrial Control Systems installed in your facility. In order to have any chance at protecting your facility, you first need to have a handle on exactly what it is that you have in your facility. Documenting all your controls hardware, software and firmware revisions is a first step in securing your plant.
- Ensure complete and accurate controls documentation. Regardless of whether you’re deploying a new control system or updating an existing one, updated documentation is essential. Do you understand what the system is designed to do under a faulted condition? Do you know what proprietary networks are implemented? Information such as this is critical to truly understanding the risks.
- Have cyber-security control system policies in place. A common mistake I am seeing in industry is assuming that IT policies and procedures are going to effectively protect your control systems. They are fundamentally different systems with different needs: IT security is more focused on network-related vulnerabilities regardless of the impact on industrial control systems, whereas OT (operational technology) personnel are focused on the integrity and availability of the control systems.
- Create a baseline for critical device outputs. Recording baseline values for your critical operations is essential in detecting malicious activity. Know where your processes should be running; this is critical from both a quality perspective and a security perspective.
- Understand how IT security measures are impacting your control systems. Simply put, IT should NOT be doing anything directly to a control system without proper OT personnel supervision. For example, typical password authentication for IT systems will lock you out after 3 to 5 failed attempts. Imagine a nuclear plant at risk of meltdown while an OT technician, scrambling to access a password-protected zone, gets locked out after frantically trying to enter a code!
- Fully understand and document network access. There’s no denying that connecting your industrial control systems into a network can make them easier to manage and administer. However, it is important to understand the security implications of doing so. Ask yourself questions like: what assurances do you have that anyone accessing your network is read-only? What control can be exercised over the network? Do your vendors require remote access, and how is that access controlled?
- Have an incident response plan in place. The likelihood that your industrial control systems will come under attack by a hacker is very low. However, the impact one can have on your operations can be disastrous. If an attacker wants to target your organization, chances are it will be difficult to stop them. If they’ve done their homework they’ve already found a vulnerability and will leverage it to set up a “base camp” in your facility. At this point the only thing you can do is have a plan in place to mitigate the damage. Therefore, it is critical that if a worst-case scenario happens, you have a tested business continuity plan in place, which includes fresh backups of all the “at-risk” systems in your facility.
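The “create a baseline for critical device outputs” item, read together with how Stuxnet drove the centrifuge drives outside their normal band while its rootkit kept the HMI showing normal values, suggests a concrete detector: compare live readings against a recorded operating envelope, and compare the SCADA-reported value against an independent meter that does not go through the engineering workstation. The Python below is an added example, not code from the article. The 807 Hz to 1,210 Hz band is the operating range the article cites for the targeted drives; the log format, drive name, tolerances and sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real plant data). The SCADA value stays
# flat while an independent meter sees the drive leave its normal band.
SAMPLE_LOG = """\
2024-01-05T10:00:00 drive=VFD-07 src=scada freq_hz=1064.0
2024-01-05T10:00:00 drive=VFD-07 src=meter freq_hz=1063.6
2024-01-05T10:00:10 drive=VFD-07 src=scada freq_hz=1064.0
2024-01-05T10:00:10 drive=VFD-07 src=meter freq_hz=1410.2
2024-01-05T10:00:20 drive=VFD-07 src=scada freq_hz=1064.0
2024-01-05T10:00:20 drive=VFD-07 src=meter freq_hz=2.1
"""

# Operating envelope recorded during known-good production (assumed values;
# the min/max band is the range the article gives for the targeted drives).
BASELINE = {
    "VFD-07": {"min_hz": 807.0, "max_hz": 1210.0, "max_step_hz": 50.0, "tolerance_hz": 5.0},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) drive=(?P<drive>\S+) src=(?P<src>\S+) freq_hz=(?P<hz>-?[0-9.]+)$"
)


def parse_log(text):
    """Parse telemetry lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        records.append({"ts": match["ts"], "drive": match["drive"],
                        "src": match["src"], "hz": float(match["hz"])})
    return records


def analyze(records, baseline):
    """Return (timestamp, drive, alert kind, detail) tuples.

    Three checks per sample instant:
      out_of_band     - any source reports a value outside the baseline band
      source_mismatch - SCADA and the independent meter disagree beyond tolerance
      rate_of_change  - the meter jumped more than max_step_hz since last sample
    """
    alerts = []
    by_sample = defaultdict(dict)  # (ts, drive) -> {source: hz}
    for r in records:
        by_sample[(r["ts"], r["drive"])][r["src"]] = r["hz"]

    last_meter = {}
    for (ts, drive), sources in sorted(by_sample.items()):
        limits = baseline.get(drive)
        if limits is None:
            alerts.append((ts, drive, "no_baseline", "drive has no recorded envelope"))
            continue
        for src, hz in sources.items():
            if not limits["min_hz"] <= hz <= limits["max_hz"]:
                alerts.append((ts, drive, "out_of_band", f"{src}={hz}"))
        if "scada" in sources and "meter" in sources:
            delta = abs(sources["scada"] - sources["meter"])
            if delta > limits["tolerance_hz"]:
                alerts.append((ts, drive, "source_mismatch",
                               f"scada={sources['scada']} meter={sources['meter']}"))
        if "meter" in sources:
            prev = last_meter.get(drive)
            if prev is not None and abs(sources["meter"] - prev) > limits["max_step_hz"]:
                alerts.append((ts, drive, "rate_of_change", f"{prev} -> {sources['meter']}"))
            last_meter[drive] = sources["meter"]
    return alerts


if __name__ == "__main__":
    for ts, drive, kind, detail in analyze(parse_log(SAMPLE_LOG), BASELINE):
        print(f"{ts} {drive} {kind}: {detail}")
```

The source-mismatch check is the one that matters most here: a band check on the SCADA value alone would have stayed silent, because the value it is shown never changes. The independent reading has to come from a sensor and collection path that the engineering workstation cannot influence, or the comparison proves nothing.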