Protecting Industrial Control Systems Against Cyberattacks - Part 2
Industrial Control Systems (ICS) are the foundation that support numerous industries around the world. They form the backbone of industrialized society, including energy and power grids, food and beverage plants, oil and gas refineries, recycling plants, transportation systems, water treatment plants, manufacturing facilities and many more.
Critical infrastructures are so much a part of daily life that we rely on them every single day without giving them a second thought. Until they are suddenly interrupted.
The many types of ICS systems include a complex network of instrumentation and technology used in industrial production plants. The most common type of ICS is a SCADA - supervisory control and data acquisition – system, followed by DCS - distributed control system. Other smaller control systems exist as well.
SCADA systems manage operations equipment, devices, networks, and controls that operate and automate the industrial processes. Commands from the SCADA or DCS systems are distributed through remote stations to field devices. Each ICS environment functions somewhat differently depending on its industry. All are built to carry out complex tasks efficiently in their individual fields.
Types of Critical Infrastructure
Critical infrastructures can be categorized in the following sectors:
Defense Industrial Base
Food and Agriculture
Healthcare and Public Health
Nuclear Reactors, Material, and Waste
Water and Wastewater Systems
A single compromise to these systems can result in devastating physical, financial and environmental damage, impacting thousands and amounting to millions in losses.
Threats to Critical Infrastructure in the United States
Sophisticated hackers, including nation states, are targeting critical civilian infrastructure. They use advanced techniques to bypass conventional security systems. Most have been dangerous because attackers were able to take direct control over facilities. Such control is possible through power station switches and circuit breakers or leveraging industrial communication protocols used worldwide in power infrastructure, transportation control systems, water and gas delivery, and more.
In Verizon’s 2020 Data Breach Investigation’s Report (DBIR), 4,000 data breaches out of 32,000 incidents impacted critical infrastructure.
In the energy sector, at the start of 2020, the United States had 22,731 electric generators at 10,346 electric power plants. In the nuclear sector, ninety-six functional commercial nuclear reactors at 58 nuclear plants were operating in 29 states. Four-hundred forty (440) power reactors are stationed around the world with 55 under construction and 109 more being planned.
The Department of Homeland Security (DHS) has already discovered that Russia has broken into US power grids. Claiming hundreds of victims, Russian attackers began their attacks on the US utilities by targeting key vendors working with industrial control facilities. The hackers said their intent was to learn how the ICS worked. But the DHS confirmed they knew more. They had enough access and information to throw switches and disrupt service.
Recent Attack in Florida Shows Just How Bad an ICS Attack Could Be
Severe attacks have already occurred on many ICS systems around the globe. Then some time goes by without a big headline and for various reasons - a shortage of resources, time, budget, operational feasibility - nothing changes. But no one can afford inertia, as February 5, 2021, reminded us. The Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida was invaded by hackers two times in one day on Super Bowl Sunday. The attacks came at 8:00 am and 1:30 pm.
The water plant runs on Windows 7, which hasn’t had an update or support in over a year. The FBI issued a warning about upgrading systems to supported operating systems. After the attack, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and others put out an alert saying, "Windows 7 will become more susceptible to exploitation due to lack of security updates and the discovery of new vulnerabilities. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system."
They have made previous warnings as well. But changing from Windows 7 could be too significant an undertaking for these kinds of plants to tackle any time soon. This is a common situation for critical infrastructures still relying on outdated software.
The water plant also had a dormant TeamViewer remote desktop application that allows for desktop sharing and remote access on its system. The TeamViewer app has a vulnerability, identified as CVE 2019 18196. While the app wasn’t actively being used by the water plant, it provided the perfect access door for the attackers to get inside.
Hackers Changed Settings to Drastically Increase Levels of Lye in Public Drinking Water
The bad actors gained the ability to change critical settings of the water treatment plant. The first login at 8:00am may have been a test effort. At 1:30pm they logged in remotely again and after 3-5 minutes, they opened several functions within the systems.
One of those functions was a control where they raised the amount of sodium hydroxide (lye) in the water from an acceptable level (100 ppm) to harmful levels (11,100 ppm). In low quantities, it controls water acidity and removes unwanted metals from drinking water in treatment plants. In high quantities, this substance is used as lethal drain cleaner and is not a safe level for drinking water. The hacker raised the amount from 100 parts per million to 11,100, a toxic amount.
No one knows why the attackers chose the times of day they did. They might just as easily have made this change in the middle of the night when no one would have witnessed it. But this time, guardian angels in Florida were on duty. It was pure coincidence that a plant manager saw the hacker’s actions playing out in real-time onscreen by noticing the mouse cursor moving.
As soon as the hackers finished their deadly task, the manager immediately reversed the dangerous settings. One can’t overstate the good fortunate of that timing. Due to an automated delay of 24-36 hours before any change in settings would take effect, the public was fortunately not endangered.
This time, Florida residents were spared a disaster. But this kind of takeover is every hacker’s objective. They had achieved full control of the most dangerous settings in the water plant. Luckily, no one was harmed, but disaster was only narrowly avoided by a chance intervention.
Florida Water Attack Details - Tactics Included Phishing, Credential Stealing, DLL Injection
The hackers carried out the attack using several different tactics. Using phishing and key logging attacks, the attackers phished the login credentials of a supervisor.
The CVE 2019 18196 vulnerability allows a DLL injection to get side loaded into the system. They extracted the passwords to access the SCADA HMI and SCADA web interface to take control of the most critical systems. Once logged into the victim’s machine, the attackers could connect to the Team Viewer application, which also connected directly to the SCADA system.