Are industrial control systems the new frontline for cyber warfare?

This article is my thoughts around how warfare is likely to evolve in the digital age. It has been edited down and published as two different articles on various sites around the net. Following is the full (long) version …


Warfare down the millennia has always been about brute force, whether that be the hand-to-hand fighting of old or today’s much more sophisticated and devastating weapons of war. Once military targets have been hit, the aggressor’s attention usually turns to disrupting infrastructure and industry, in an attempt to plunge a country into chaos and demoralise the civilian population.

However, with the growth of computing and its spread into all areas of modern life, other more subtle ways of conducting warfare and causing widespread panic are available. Brute force is no longer necessary. Cyber warfare can have an equally devastating impact.

In the modern world, we are now critically dependent upon industrial control and SCADA (Supervisory Control and Data Acquisition) systems in many areas of life. They are widely used, for example, in electricity production, oil and gas extraction, communications, the provision of water and waste services, and transport services.
Disruption of any of these can very quickly lead to chaos and have a devastating effect on both the military and civilian populations. All an aggressor has to do is find a way to breach our industrial control systems, and, given the current state of awareness of security around such systems, this is not very difficult to do.

Take, for example, the recent hacking attack against Ukraine, which succeeded in knocking out power supplies for up to 1.4 million residents. It was done through the social engineering attack known as spear phishing: an infected Word document was used to introduce BlackEnergy malware into critical systems. http://www.bankinfosecurity.com/ukrainian-power-grid-hacked-a-8779/op-1

It was also social engineering which introduced that classic piece of industrial control malware, Stuxnet. It is now widely believed that Stuxnet was originally developed by an American/Israeli alliance, specifically to attack the control systems within Iran’s nuclear industry. It eventually destroyed around 20% of Iran’s centrifuges. The belief is that it was introduced into their system via an infected USB stick. Statistically, 60% of found USB sticks get plugged straight in, with this rising to 90% if the USB stick has a recognizable logo on it. https://en.m.wikipedia.org/wiki/Stuxnet

The Slammer Worm has also wreaked havoc with a variety of critical infrastructure systems such as emergency services, air traffic control, water systems, ATMs, electrical companies, and even a nuclear power plant’s process computers and safety display systems.

Dams have always been a popular target in warfare. Operation Chastise, more commonly known as the Dam Busters raid on the Möhne and Edersee Dams, started life on Barnes Wallis’s drawing board in early 1942. Over a year later they had developed the required technology and at the cost of 53 lives and 8 aircraft they breached the dams causing huge casualties and a massive blow to the Nazi war effort. Fast forward to 2013 and in response to the attacks on its infrastructure (including the release of Stuxnet), Iran hit back when Iranian hackers infiltrated the Bowman Avenue dam situated just 20 miles outside New York City. They gained access to the flood control dam’s control systems via a cellular modem. Although they did not take control of the systems or cause any disruption, they were able to see what cyber defences were in place and how the computer systems worked. They were extremely close to being able to cause death and disruption on the scale of the Dam Busters but without risking their own lives and without the hassle of buying and maintaining a squadron of heavy bombers.

Pretty much throughout the history of war, great battles have been fought to control the movement of supplies and troops. These were often around key points like bridges. The Battle of Stirling Bridge in 1297 was a symbolic but short-lived victory for William Wallace. Now fast forward to 1990 and the Iraqi invasion of Kuwait and you have the Battle of the Bridges. These and many other battles were fought to control critical supply routes. But why bother with all that tedious shooting at people and manoeuvring of armoured divisions? Why not turn all the traffic lights to red? Gridlock a few major cities and industrial areas. Apparently it is frighteningly easy to gain access to traffic control systems. Mostly they have wireless control and communication systems that are easily compromised with little more than a laptop and a wireless card, giving access to the entire unencrypted network. http://www.networkworld.com/article/2466551/microsoft-subnet/hacking-traffic-lights-with-a-laptop-is-easy.html

Let’s jump just a short distance into the future and it is likely that we will see fully automated driverless lorries and vans making deliveries. So how easy are they going to be to disrupt? Although driverless technology is still being closely scrutinized, the general concepts of hacking connected cars are already being explored. Very recently researchers revealed a vulnerability in the Chrysler Jeep which caused the virtual recall of 1.4 million vehicles. It was demonstrated that a hacker could wirelessly access the control systems of the Jeep with the potential to disable the brakes and steering. Although a recall notice was issued, owners were sent a USB stick that allowed them to apply an update themselves without the need to take the vehicles back to a dealer. Chrysler also implemented network-level security protection to block the exploit on the Sprint cellular network that connects their cars to the Internet. http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/

Or why not think bigger? Attacking trains is another military classic, but who needs aircraft and bombs when you have a TV remote? Way back in 2008 a 14 year old Polish kid modified a TV remote control and effectively turned the tram system in his home town into his own personal train set. It was all fun and games until four trains got derailed. If a lone teenager can manage this then what can a determined nation state manage? http://www.theregister.co.uk/2008/01/11/tram_hack/

You would have thought that they would tighten up railway security after an incident like that, but apparently not. The Great Train Robbery, 21st-century style: now they can steal the whole train! Because trains travel long distances across country borders, the systems controlling them have to communicate with each other, but this tends to be done in a somewhat haphazard manner. The whitehat group SCADA Strangelove recently exposed some major vulnerabilities within the control and route planning systems of many, if not most, railway control systems. If the Internet connection to the points is interrupted, the trains will simply stop. More malicious and concerted attacks could be devastating, causing derailments and crashes. In theory you could even steal a whole train by taking control of it and driving it to your secret lair, assuming your “secret” lair is on a rail network of course.
https://www.rt.com/usa/327514-absolutely-easy-hacking-train-systems/

Research by Kaspersky Lab gives us some idea why such incidents happen. It highlights the fact that there is still a great lack of awareness about how vulnerable industrial control systems are and what needs to be done to protect them. Kaspersky’s research highlights five particular misconceptions –

‘Five Myths of Industrial Control Systems Security.’ http://media.kaspersky.com/pdf/DataSheet_KESB_5Myths-ICSS_Eng_WEB.pdf

1. Myth – Industrial control systems are not connected to the outside world.
Fact – Most industrial control systems have eleven connections to the Internet.

2. Myth – We are safe because we have a firewall.
Fact – Most firewalls allow “any” service on inbound rules.

3. Myth – Hackers don’t understand SCADA.
Fact – More and more hackers are specifically investigating this area.

4. Myth – We are not a target.
Fact – Stuxnet showed us that just because you weren’t the intended target of industrial hacking, doesn’t mean you won’t become a victim.

5. Myth – Our safety system will protect us.
Fact – The chances are that your safety and control systems are using the same operating system with the same vulnerabilities.
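Myth 2 is the easiest of the five to check for yourself. The script below is an added example, not part of the Kaspersky paper or this article: it audits an iptables-save dump (the sample rule set is constructed for illustration) and flags inbound ACCEPT rules that match “any” service, i.e. no protocol or destination port restriction.

```python
"""Audit an iptables-save dump for inbound ACCEPT rules that allow "any" service."""
from typing import Dict, List

# Constructed sample filter table for an ICS perimeter host (not a real config).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.0.0/16 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.5.0/24 --dport 502 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 20000 -j ACCEPT
COMMIT
"""

INBOUND_CHAINS = {"INPUT", "FORWARD"}   # traffic arriving at or crossing the host


def parse_rule(line: str) -> Dict[str, str]:
    """Extract the options that decide how broad an '-A CHAIN ...' rule is."""
    tokens = line.split()
    rule = {"chain": tokens[1], "proto": "any", "dport": "any",
            "src": "0.0.0.0/0", "target": "", "state": ""}
    flags = {"-p": "proto", "--dport": "dport", "-s": "src",
             "-j": "target", "--ctstate": "state"}
    i = 2
    while i < len(tokens):
        if tokens[i] in flags and i + 1 < len(tokens):
            rule[flags[tokens[i]]] = tokens[i + 1]
            i += 2
        else:
            i += 1                      # unknown option (e.g. -m tcp): skip it
    return rule


def find_any_service_rules(dump: str) -> List[str]:
    """Return the inbound ACCEPT rules that impose no protocol/port restriction."""
    findings = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        r = parse_rule(line)
        if r["chain"] not in INBOUND_CHAINS or r["target"] != "ACCEPT":
            continue
        if r["state"]:                  # replies to existing flows, not a new service
            continue
        if r["proto"] == "any" or r["dport"] == "any":
            findings.append(line)
    return findings
```

Run against a real `iptables-save` dump, each flagged line is a rule to narrow down to the specific protocol and port (for example Modbus/TCP 502 from a named engineering subnet, as the third sample rule does).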

Conclusion
Cyber security is now much more prominent in everyone’s consciousness than it was just a few years ago. Unfortunately, this doesn’t seem to have filtered down yet to areas such as industrial control and SCADA systems. As these systems have the potential to be the new front line in warfare, it is critical that we focus more attention on protecting them, and consequently protecting our essential infrastructure and services from those who might want to do us harm.

And remember, next time some dodgy character down the pub offers to sell you a train, it could be stolen.
