By Gregory Hale
It is no longer enough to get into the system; attackers now want to linger to learn and steal as much information as possible from their victims.
The new attack vector of choice for getting in is social networking, which has supplanted the denial of service attacks that were so prevalent a few short years ago, said Jonathan Pollet, founder of Red Tiger Security, during his discussion entitled, “Hacking SCADA Systems – 2012 Year in Review,” Wednesday at ICSJWG Spring Conference 2012 in Savannah, GA.
“Spear phishing email techniques are coming from someone you trust and the next thing you know your computer is infected,” Pollet said. “It is increasingly getting difficult to hold back the attacks coming in.”
When it comes to social engineering, “You can’t always take anything at face value,” Pollet said.
There is no doubt SCADA systems have a big target on their backs these days.
SCADA has changed quite a bit from 20 years ago, when the “control room had buttons and levers to push. The only security you had to worry about was making sure you had locks and keys. Today SCADA control rooms are IT systems that are looking like data centers,” he said.
“SCADA and industrial control systems (ICS) products do not go through the same rigorous security lifecycle process as enterprise systems,” Pollet said. “SCADA lags the IT world by 5-10 years. So we are just seeing vendors now making plans to test products for security flaws. We now have thousands of legacy devices that have never been tested for security. We are still struggling as an industry to secure products.”
To prove how simple it is to hack into systems, Pollet showed a video of how quick and easy it was to get into a system. Within three minutes he was able to get in. Once he got in, “we can now do anything the operator can do at that point,” he said.
On top of the problems with SCADA systems, Pollet also said foreign governments are on the attack and trying to pilfer as much information as possible.
“Nation states establish a covert presence on a network in order to obtain sensitive information,” Pollet said. “Foreign governments are very interested in obtaining cyber security advantages.”
There are ways to ensure manufacturers can maintain a safe defense, and part of that includes training personnel to understand what an attack looks like so they can ward off the bad guys.
Using a football analogy, Pollet said it is one thing to work on defense, but users today should understand where the hacker is coming from.
“The best defense always understands the offense,” Pollet said.
Pollet said it is very easy to fret about the gloom and doom of potential attacks hitting the industry, but he added users have to remember there are ways to secure systems out there today.
“There are technologies out there holding back the tide,” he said.