Black Hat

BlackHat 2015: Industrial hacking - the untold story

Hackers have been penetrating industrial control systems for at least a decade for extortion, yet little is known about how they gain access

Hacking of industrial plants for extortion is one of the biggest untold stories because such attacks are seldom reported, according to Marina Krotofil, a researcher at Hamburg University of Technology.

Hackers have been penetrating industrial control systems of utility companies on a large scale for extortion since at least 2006, she told visitors to BlackHat USA 2015 security conference in Las Vegas.

“Yet, almost 10 years later, we still know almost nothing about how the attackers are doing that because targeted companies are unwilling to make any information available,” she said.

Most of the attacks on operational technologies in the past 20 years have not been reported, which means exactly how attackers interact with industrial control systems remains unknown.

While the hacking of industrial control systems, including Scada systems, is commonly associated with causing physical damage, Krotofil said extortion is the most prevalent motivation.

“The most common goal is to be able to cause persistent economic damage,” she said, adding that targeted companies will be willing to pay large sums of money to stop it from happening.

Alternatively, attackers want to remain in the system undetected to cause as much economic damage as possible on behalf of competitors or any other hostile parties.

Most attackers do not aim to damage or destroy equipment because that raises alarms and does not allow for persistence in the system required for prolonged extortion or economic damage.

“Equipment damage cannot be undone by the cyber attacker and collateral damage is usually unclear and could cause compliance violations, which could lead to high-powered investigations and discovery if the attacker has not covered their tracks well enough,” said Krotofil.

The most common goal of attackers, therefore, is to impact the industrial production process so it affects the quality of the end product or raises operational and maintenance costs.

“However, most of these cases are not reported because if there is no compliance violation companies are not legally required to do so, and they are usually unwilling to risk damage to the reputation of the brand by going public,” said Krotofil.

Understanding attacks

In an attempt to redress the lack of knowledge around attacks on industrial control systems, Krotofil has developed a model for an attack on a chemical production plant.

“Only by understanding more about how attackers could access these systems, carry out reconnaissance, take control of systems, manipulate processes and cover their tracks can we attempt to formulate ways to defend against such attacks,” she said.

According to Krotofil, the research revealed that while it is relatively easy for attackers to access industrial control systems by jumping for enterprise IT systems and using a ready-made exploit kit, the real challenge is in designing a payload that would bring the targeted process into the desired state, which requires in-depth knowledge of the process and the related physics and chemistry.

“Once access is achieved, the attacker has to start thinking like a control engineer, a process engineer and a chemical engineer,” said Krotofil.

The attackers have to find out how the plant is constructed, what equipment is used, how it is used, how control loops work and where they are located, which is likely to require input from subject matter experts. But in designing the attack, she said, a good place for attackers to start is to look at accident reports for inspiration by looking at where things have gone wrong in the past.

There are a lot of things an attacker has to deal with, said Krotofil, including how to manipulate processes without triggering alarms and causing unintended knock-on effects. But if attackers wish to remain under the radar or hide that a cyber attack is responsible for changes in the production environment, she said there are several misdirection techniques at their disposal.

For example, Krotofil said timing changes to industrial processes, which coincide with specific shifts or maintenance operations, could trigger an investigation of company workers on duty rather than look at the industrial control systems involved.

Improved defence

According to Krotofil, the research revealed there are many steps involved in carrying out an attack on industrial control systems.

“If we understand what an attacker needs to do and how this is done, we can identify ways of making exploitation of systems more difficult and tracking actions of an attacker on a system,” she said.

This is important, she added, because the research has shown that defence methods are around 20 years behind attack methods.

“We are still not seeing much going on in defence. It often seems like the defence side is paralysed in comparison with the attack side,” she said.

According to Krotofil, it is important to understand that attacks on industrial control systems are mainly about causing persistent economic damage, and are much more subtle and sophisticated than just causing damage.

“Understanding what attackers need to do will help defenders to eliminate the low-hanging fruit and make attacks more difficult,” she said.

Read more about attacks on industrial control systems

  • Targeted attacks on industrial control systems are the biggest threat to critical national infrastructure, says Kaspersky Lab.
  • The Trusted Computing Group’s open standards include specifications for securing industrial control systems and infrastructure.
  • Cyber attackers can find specific physical attacks that engineers would typically not anticipate, says a security researcher.
  • Energy companies need to ensure everyone understands the importance of cyber security, says National Grid security manager.
  • Critical infrastructure organisations are commonly targeted by cyber attacks aimed at manipulating equipment or destroying data, a survey reveals.

Read more on Hackers and cybercrime prevention