Wednesday, 16 January 2013

Attacks against ICS industrial Control System on the rise

Industrial control system (ICS) It is a general term that encompasses several types of control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as skid-mounted programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures.

ICSs are typically used in industries such as electrical, water, oil, gas and data. Based on information received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices, which are often referred to as field devices. Field devices control local operations such as opening and closing valves and breakers, collecting data from sensor systems, and monitoring the local environment for alarm conditions.

Industrial control system technology has evolved over the decades. DCS systems generally refer to the particular functional distributed control system design that exist in industrial process plants (e.g., oil and gas, refining, chemical, pharmaceutical, some food and beverage, water and wastewater, pulp and paper, utility power, mining, metals). The DCS concept came about from a need to gather data and control the systems on a large campus in real time on high-bandwidth, low-latency data networks. It is common for loop controls to extend all the way to the top level controllers in a DCS, as everything works in real time. These systems evolved from a need to extend pneumatic control systems beyond just a small cell area of a refinery.

The PLC (programmable logic controller) evolved out of a need to replace racks of relays in ladder form. The latter were not particularly reliable, were difficult to rewire, and were difficult to diagnose. PLC control tends to be used in very regular, high-speed binary controls, such as controlling a high-speed printing press. Originally, PLC equipment did not have remote I/O racks, and many couldn't even perform more than rudimentary analog controls.

SCADA's history is rooted in distribution applications, such as power, natural gas, and water pipelines, where there is a need to gather remote data through potentially unreliable or intermittent low-bandwidth/high-latency links. SCADA systems use open-loop control with sites that are widely separated geographically. A SCADA system uses RTUs (remote terminal units, also referred to as remote telemetry units) to send supervisory data back to a control center. Most RTU systems always did have some limited capacity to handle local controls while the master station is not available. However, over the years RTU systems have grown more and more capable of handling local controls.

The boundaries between these system definitions are blurring as time goes on. The technical limits that drove the designs of these various systems are no longer as much of an issue. Many PLC platforms can now perform quite well as a small DCS, using remote I/O and are sufficiently reliable that some SCADA systems actually manage closed loop control over long distances. With the increasing speed of today's processors, many DCS products have a full line of PLC-like subsystems that weren't offered when they were initially developed.

This led to the concept of a PAC (programmable automation controller or process automation controller), that is an amalgamation of these three concepts. Time and the market will determine whether this can simplify some of the terminology and confusion that surrounds these concepts today.




 In 2012, energy, water and commercial control systems faced numerous attacks, including the use of a search engine to find thousands of exposed systems.
Industrial control systems came under increasing scrutiny and attack in 2012, with almost 200 documented incidents, according to a report released last week by a component of the U.S. Department of Homeland Security.

Energy firms accounted for more than 40 percent of the 198 incidents reviewed by the Industrial Control Systems (ICS) Cyber Emergency Response Team (CERT), and water utilities took a distant second place with 15 percent of the incidents. While some of the cases were caused by security researchers using the Sentient Hyper-Optimized Data Access Network (SHODAN), a regularly updated directory of ports, to find exposed industrial control systems, the majority were serious breaches, the report stated.

The group took part in responding to almost two dozen attacks on oil and natural gas firms, discovering that sensitive information on the operations of the supervisory control and data analysis (SCADA) systems had been accessed by the attackers.

"Analysis of the targeted systems indicated that information pertaining to the ICS/SCADA environment, including data that could facilitate remote unauthorized operations, was exfiltrated," the report stated.

Researchers and security professionals have focused on threats to industrial control systems and critical infrastructure for nearly a decade. However, the Stuxnet attack on Iranian uranium-processing equipment galvanized the critical-infrastructure industries into taking such threats seriously.

Yet change has come slowly: A year ago, researchers found that systems that use SCADA, an architecture for networked control systems, were still widely vulnerable. In November 2012, two rival vulnerability research firms underscored the issue by finding almost four dozen vulnerabilities in major SCADA products.

Such vulnerabilities seem to be the rule among industrial control products. ICS-CERT coordinated with more than 55 industrial-control system makers to report 171 vulnerabilities. The issues ranged from buffer overflows to input validation issues to cross-site scripting attacks. Products including hard-coded passwords accounted for seven of the security issues, the ICS-CERT report stated.

The group increased the pressure on the suppliers to fix their products' security failings in a timely manner, allowing ICS-CERT to publish details of a partic
ular vulnerability 45 days after notifying the vendor of the issue.

Suppliers were not alone in exposing security problems. One researcher using the SHODAN search engine to find Internet-accessible industrial control systems discovered about 20,000 systems accessible via the Internet.

"A large portion of the Internet facing devices belonged to state and local government organizations, while others were based in foreign countries," the ICS-CERT report stated. "(We) worked with partners as well as 63 foreign CERTs in the effort to notify the identified control system owners and operators that their control systems/devices were exposed on the Internet."

The ICS-CERT noted six incidents involving the nuclear sector but stressed that the group was not aware of any network breaches.

1 comment:

  1. Nice blog post. It was a nice article on ICS cyber security challenge. I want to share more information on ICS/SCADA security. Thanks

    ReplyDelete