Australian Cyber Security Magazine, ISSUE 13, 2022


Three cybersecurity lessons we can learn (or re-learn) from the history of industrial control systems attacks

By Matt Hubbard, Director, Market Intelligence, Armis

From the time engineers started building industrial control systems (ICS), bad actors have looked for and found ways into them. While the motivations for ICS attacks are timeless—espionage, sabotage, ransom, and even revenge—ICS cyber security threats have evolved to adapt to new technologies and security practices. The history of attacks is an interesting topic, especially as you wrestle with how to secure new technologies and stay ahead of threats.

A document like the U.S. Department of Energy’s 2018 history of ICS attacks gives security, IT, and operational technology (OT) teams plenty of examples to study, with a timeline stretching from 1903 through the 21st century. I’ve picked out three incidents to show how industries have learned to deal with ICS cyber attacks over the decades and what we still need to keep in mind when securing ICS devices, data, and systems.

Lesson 1: Your ICS is only as secure as your most vulnerable third-party provider

In 2014, attackers repurposed Havex malware, a remote access trojan (RAT) that initially targeted the energy industry, to go after ICS manufacturers and their customers. The known targets included ICS software manufacturers and at least one industrial camera vendor. In addition to sending RAT code through spam and exploit kits, the retooled Havex malware went a step further. It infected the software downloads that ICS/SCADA manufacturers made available to their customers “in an attempt to infect the computers where the software is installed.” The security researchers who discovered the campaign noted that the content of the malicious code suggested that beyond data theft and espionage, the attackers may have been planning remote ICS hardware takeovers. Although it was novel at the time, remote takeovers where attackers tamper with critical infrastructure systems are a rising concern.

ICS security lessons learned: Your ICS is only as secure as your least-secure vendor, so you need to have ongoing discussions about how security affects your relationship. Also, monitor device traffic continuously to quickly detect and respond to data exfiltration.

Lesson 2: Identify and monitor every device in your environment

One of the most extensive and damaging ICS attacks on record was the December 2015 shutdown of the electrical grid in and around Kyiv, Ukraine, which left more than 225,000 people without power. In a detailed analysis of the incident, Booz Allen Hamilton identified 17 steps the attackers took to infiltrate ICS systems, disrupt industrial processes, and destroy data.
