Unknown system attacks

At the 2014 Automation Summit, experts discuss the big areas of attack for hackers.

By Greg Hale, ISSSource July 24, 2014

You are under attack and you don’t even know it. That was the subject of a demonstration and talk Tuesday entitled "ICS Security Today Awareness and Practice" at the 2014 Siemens Automation Summit.

"We are trying to protect people, production, property, environment and the economy," said Marc Ayala, senior technical advisor at security provider Cimation. He talked about how many people are qualified and actually know something about enterprise security and the number he came up with was 50,000 true experts. When it comes to Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) security, Ayala said there were "500 people that know ICS security."

The industries most likely targeted, Ayala said, were energy and transportation.

One of the first things a user needs to accomplish is to evaluate risk, said Eric Forner, ICS/SCADA security engineer at Cimation.

Threats are coming from hackers that could be conducting automated attacks, or from nation states that develop exploits and know how control systems work, Forner said. A third area is from internal attacks, "which is more of a threat than the other two."

Another area that is a big attack area and has the potential to get bigger is social media attacks, Ayala said. All you have to do is send a person a malicious email with an attachment from a person they may be familiar with and that person now becomes a victim. "That is the pivot point where an attacker can then go in and start viewing the system," Ayala said. "You have to be very careful with who you connect with."

Keeping bad guys out of the system is vital as the demonstration by Forner proved. In the demo, Forner was able to bypass a firewall and jump right into a system and take it over.

Most firewalls are usually in place because a standard has told people to put them in, but they end up having an "allow anything command," Forner said. That ends up being important as Forner was able to use various commands to work his way through a PLC without too much of a problem. But the way in to any system is through IP addresses found on the Internet, the researchers said.

One of the problems, Forner said, was the industry’s reliance on incredibly old Modbus/TCP protocol. Port 502 is the Modbus TCP port and it is one of the top ports under attack," Ayala said.

In the demo, there was a level transmitter that would shut the system down when the fluid reached a certain level, but when they issued a few commands to get into the system, they essentially owned the process. When that happened all indicators showed the operator the tank was not at an overflow level and is actually decreasing, but in reality the tank ended up overflowing. They were able to override the safety interlock and take down the process.

As an extra added bonus, after overflowing the tank, the researchers then took command of the HMI in the system and downloaded a game of solitaire. Yes, this was a demo at a conference, but that could be a real life experience that could cause an incident.

"Cyber security in ICS/SCADA is a life safety issue and must be treated as such," Ayala said. "Safety is everywhere and it is constant. With all our total interconnections safety is all the time now."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Brittany Merchut, Project Manager, CFE Media, bmerchut@cfemedia.com