Market view: The Internet of Zombies

The cyber-attacks on two Finnish tower blocks that took internet-connected heating and water systems offline for two days should be a wake-up call for utility companies, says Pascal Geenans.

Systems used for monitoring and control in the utility industries have been around for decades, but recently these systems have become internet-connected and are now a key piece of government and industrial cyber-defence programmes.

We have long feared the implications of the growing number of insecure devices connecting to the internet. Earlier this year we predicted that utilities would become a prime target for attacks. The trend for attacks using networks of “zombie”-style robots to launch intensive assaults on critical systems and infrastructure has grown at an alarming rate.

We already know Internet of Things (IoT) devices are easily exploited and used in attacks, but the situation in Finland shows that the industrial version of these systems, built from SCADA devices, can also fail. In the Finnish attacks, hackers launched a distributed denial-of-service (DDoS) attack that put the heating system in an endless loop, making it unable to recover without expert intervention.

The consequences of such a major failure of mission-critical systems can be serious. Luckily, the situation in Finland was temporary and merely inconvenient rather than dire, but imagine the potential consequences of a state-sponsored or politically motivated hacktivist attack on a national energy grid. Nearly half of energy suppliers believe that there is a significant threat from hacktivist groups, and 37 per cent think that campaigns would be state sponsored, yet the majority remain woefully unprotected.

Many utilities use SCADA systems to monitor critical infrastructure and networks. Electric utilities, for example, use them to monitor current flow and line voltage, and to control circuit breakers to take sections of the power grid offline or online.

SCADA systems are highly diverse. Some use proprietary, special-purpose communication protocols; others are based on open standards such as Modbus, DNP3, ICCP, ControlNet and Profibus (by some estimates there are about 100 different protocols). The communication medium may be wired, wireless, radio, satellite or something else.

Many Hollywood productions capture the imagination by depicting abuse of these systems. But until recently, hacking industrial control systems required some form of physical access to the control network or the devices. This is no longer the case. The convergence of different types of proprietary networks and connections provides better, faster and more efficient monitoring and functionality, but it has also increased the attack surface of the control network considerably.

When initially designed, the protocols used in SCADA systems were not intended to link to the outside world, so security was not a consideration. However, with improved communications protocols, these newer devices can now be exposed to the internet, either deliberately or by oversight. With no built-in authentication, message non-repudiation or confidentiality, the systems that control our day-to-day lives are often dangerously exposed. What is more, these systems are not regularly updated with the latest security patches for fear of uncontrolled downtime.

In more recent SCADA devices, security features are present but are disabled by default to ease deployment and to provide backwards compatibility with existing devices and control systems. Older SCADA systems, which are in fact still the most widely used today, have no security features whatsoever.

Even for systems that are not directly exposed to the outside world, what if a malicious node is added to the network? A malicious node can be programmed to wreak havoc among the devices, send fake sensor measurements and hide real issues, or simulate issues, tricking operators into actions such as shutting down parts of a production process.
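Because Modbus (named above) carries no sender authentication, the protocol itself cannot distinguish an operator's write from one issued by a rogue node on the control network; the compensating control is to watch the traffic. The following passive monitor is an added example, not code from the article or its author: it parses Modbus/TCP frames, picks out state-changing function codes and alerts when the writer is not an allow-listed engineering station. The host addresses and frames are constructed for the example.

```python
import struct

# Modbus function codes that change device state; a rogue node on the
# control network would need one of these to alter coils or setpoints.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed allow-list of hosts permitted to write (constructed addresses).
ALLOWED_WRITERS = {"10.0.0.10"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse a Modbus/TCP frame: MBAP header (transaction id, protocol id,
    length, unit id) followed by the PDU (function code + data).
    Nothing in the frame identifies or authenticates the sender."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def check_frame(src_ip: str, frame: bytes):
    """Return an alert string for a write from a non-allow-listed host, else None."""
    msg = parse_modbus_tcp(frame)
    name = WRITE_FUNCTIONS.get(msg["function"])
    if name and src_ip not in ALLOWED_WRITERS:
        # For all four write functions the PDU data begins with the start address.
        addr = struct.unpack(">H", msg["data"][:2])[0]
        return f"ALERT {src_ip} -> unit {msg['unit']}: {name} at address {addr}"
    return None


# Constructed traffic: an allowed write, a read (harmless from any host), and a
# write from a host that has no business changing setpoints.
SAMPLE_TRAFFIC = [
    ("10.0.0.10", bytes.fromhex("000100000006010600100001")),
    ("10.0.0.50", bytes.fromhex("000200000006010300000002")),
    ("10.0.0.99", bytes.fromhex("000300000006010600100000")),
]


def alerts_for(traffic=SAMPLE_TRAFFIC) -> list:
    """Run the check over captured (src_ip, frame) pairs and collect alerts."""
    return [a for a in (check_frame(ip, f) for ip, f in traffic) if a]
```

In a real deployment the frames would come from a network tap or span port rather than a list, and the allow-list would be derived from the asset inventory.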

The major challenge of SCADA systems is their long lifecycle. Unlike other IT systems, which typically last only a few years, SCADA systems last for many decades. They are difficult and costly to upgrade, and vendors hardly ever guarantee that patches will not interfere with normal operation.

The impact of attacks against SCADA systems is considerable – it can disrupt and damage critical operations, cause major economic loss, and even claim human life. Understanding how to respond to and manage the risks is critical. As hacking becomes more automated, utilities need to find new ways of fighting off the “Internet of Zombies”. This means they too need to automate, because people are simply not able to react fast enough to identify and mitigate an attack before harm is done.

Of course, human security employees are not redundant. They now need to use their expertise to plan out the security policies that should be put in place to deal with advancing technology, such as when new devices are introduced to a network.

An approach to security that does not bear this in mind is unlikely to succeed. But those who understand the threat, prioritise security and build a cyber-army of their own will be well placed to defend against today’s attacks as well as those yet to come.