Attacks on SCADA facilities are not always attacks on SCADA systems. But don’t relax yet.

When SonicWall published its 2015 Annual Threat Report, a standout statistic was the jump in attacks on SCADA (supervisory control and data acquisition) facilities. Telemetry data showed attacks increasing from 91,000+ in January 2012 to 675,000+ in January 2014. I’ve been asked whether these are always attacks on the control systems themselves. The answer is no. Most often the attack is not a direct attack on the control system but an indirect one, because SCADA systems are not directly accessible from the Internet. Thank goodness for that. Think of the damage that could be done daily if these systems were part of an easily attacked threat surface. Think of the extortion opportunities. Think of the financial motives. Think of all the havoc that could be wrought given what these systems actually control.

So what is SCADA, exactly? SCADA refers to a class of industrial control systems (ICS). Wikipedia™ defines Industrial Control Systems as “computer-based systems that monitor and control industrial processes that exist over the physical world. SCADA systems historically distinguish themselves from other ICS systems by being large-scale processes that can include multiple sites and large distances. These processes include industrial, infrastructure, and facility-based processes . . .” OK, think refineries, clean water plants, power plants, and . . . gulp . . . nuclear power plants. So, yes, these are really important systems. As you would expect, there is a lot of concern when you see data on SCADA facility attacks. After all, the list of possible nightmares is long and dramatic.

But, are any of these dangers real? The answer is kind of yes, and kind of no.

The reality is that “most” access to SCADA systems is off the grid, or at least off the Internet. So Joe Hacker is usually not in a position to poke and prod at them and launch an attack. In fact, Joe Hacker is usually not very familiar with the underlying systems, which would leave him somewhat ineffective even if he had direct access.

OK, so should we relax? No. Here’s why. Hundreds of thousands of times every month, the infrastructure that houses SCADA systems is attacked. The point of these attacks is often to gather information about the networks and their points of vulnerability, i.e. reconnaissance. Repeating from above, SCADA systems historically distinguish themselves from other ICS systems by being large-scale processes that can include multiple sites and large distances. If these are large-scale systems that require communications over great distances, might a schematic of the entire infrastructure be valuable? Would information on the access points for the wired or wireless network be useful? What about data on the physical locations of wireless control points? Would service logs recording where maintenance was performed be of value to an attacker? How about delivery schedules, hardware purchases, requisition information, deployment information, upgrade cycles, etc.? If you were going to attack a system that is not on the Internet, but whose networks use much of the same equipment used on the Internet (servers, wired networks, closed wireless networks, etc.), could you get the information you need to attack that network?

The answer is most likely yes. And clearly a lot of people agree, especially bad people. Hence the huge jump in SCADA attacks reported in the threat report. Consider this: a power company has many locations from which it controls remote equipment. That equipment, for example, controls the pressure in pipelines. If those systems use closed wireless networks, an attacker would still have the opportunity to use physical proximity to attempt an intrusion into a vulnerable system. Today’s Industrial Control Systems are distributed. These systems are automated and have a way to communicate over distances. This creates a threat surface.

These systems also face cost and productivity demands. As facilities come to depend on more traditional Internet-type equipment, they become increasingly vulnerable to attack. The more wireless is used, the greater the chance that proximity becomes a vector of attack.

Lastly, we certainly know that some attacks have been successful. There is, of course, the famous case of the nuclear centrifuges that were attacked and severely damaged. That was a proof point. Some considered it unlikely to be repeated, since it was a state-sponsored attack. Yet if you simply realize that bad guys come in all shapes and sizes, and consider what is at stake, then yes, we should all wake up and realize that even systems not on the public Internet can leak enough data to create risk at a terrifying scale. Common sense security is not enough. Common sense paranoia is a good place to start.

For more information on our research on SCADA attacks, read the 2015 SonicWall Security Annual Threat Report.

SonicWall Staff