By Gregory Hale
There was a mindset that industrial control systems were a fixed capital asset, but those days are going away: the system is now more of an operational cost.
That mindset changes things.
“Now everything is connected to everything else,” said Marty Edwards, director of Control Systems Security Program at ICS-CERT with the U.S. Department of Homeland Security during a talk today at the 2012 Siemens Automation Summit. “We hear people say ‘my system is air gapped’ and, no, it is not.”
Not only do you have to have security programs on your platform, you have to understand what is going on at all times, Edwards said. Know your traffic.
“It is mostly about understanding your system. You should know all the nodes on your system and know when things are happening,” he said.
Edwards said when an ordinary company suffers an attack, it may suffer a financial or data loss, but no one is injured. What makes an attack on an industrial control system more dangerous is that “when you make a change, a physical thing can happen.”
On top of that, there are tools available on the Internet that hand attackers ready-made exploit code for systems they could not have attacked on their own. A potential attacker can also use search tools like SHODAN to find Internet-facing devices with no real defense.
There are different kinds of attackers, Edwards said. At the lowest level of the spectrum are those who just download tools off the Internet and try to wreak havoc on a victim.
The next level up is the criminal element that tries to extort money from victims. If a victim reports what happened, law enforcement agencies can get involved and file charges if they can find the criminal.
“We have strong laws on the books and we can prosecute,” Edwards said.
Another form of attack is the Advanced Persistent Threat (APT), like the famous Stuxnet event. Stuxnet was a worm that targeted the Siemens control system at the Natanz nuclear enrichment facility in Iran. The malware was on the system at least a year before anyone discovered it, and it helped destroy centrifuges at the plant. ISSSource reported the U.S. and Israel were the brains behind Stuxnet.
Last year, there were reports of another potential attack hitting a water plant in Springfield, IL, coming from Russia and Germany, Edwards said.
The Curran-Gardner Water District feared it was the victim of an attack, and word spread that it had suffered a compromise at the hands of Russian attackers.
In a post-Stuxnet world, the initial report leaked and the story spread across the world. The water district did suffer a pump failure, but it was not the work of a hacker; the pump simply failed.
Before anyone knew the end result, investigators from the FBI and from ICS-CERT flew in to investigate.
As it turned out, the German and Russian IP addresses found on the water company’s system belonged to a contractor who worked on the network and had connected remotely while on vacation in Germany and Russia.
After a detailed analysis, DHS and the FBI found no evidence of a cyber intrusion into the SCADA system.
A charged situation in which, at first, no one involved really knew what was happening was resolved quickly because the water district had a forensic response plan in place, so they knew what to do and when to do it.
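Edwards’ advice to know every node on the system and the Curran-Gardner lesson (foreign addresses that turned out to be an authorized contractor) point at the same two checks. The following is an added example and not code from the original article, from ICS-CERT or from the water district: it builds an allowlist of known nodes from an asset inventory, flags connections from addresses that are not in it, and then tries to attribute each flagged address to an authorized remote-access session before anyone calls it an intrusion. The inventory, flow records, remote-access log, addresses and account names are all constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed asset inventory: every node that is supposed to be on the control network.
INVENTORY = {
    "192.168.10.5": "PLC-1",
    "192.168.10.6": "PLC-2",
    "192.168.10.20": "HMI-1",
    "192.168.10.30": "Engineering workstation",
    "192.168.10.40": "Historian",
}

CONTROL_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed control-network range

# Constructed connection records: (timestamp, src, dst, dst_port).
# Port 102 is ISO-TSAP, the transport used by the Siemens S7 protocol.
FLOWS = [
    ("2011-11-08T09:00:12", "192.168.10.20", "192.168.10.5", 102),
    ("2011-11-08T09:00:15", "192.168.10.30", "192.168.10.6", 102),
    ("2011-11-08T09:01:02", "192.168.10.77", "192.168.10.5", 102),   # host not in inventory
    ("2011-11-08T11:14:09", "203.0.113.45", "192.168.10.40", 3389),  # external, explained below
    ("2011-11-08T23:47:31", "198.51.100.9", "192.168.10.5", 102),    # external, unexplained
]

# Constructed remote-access log: (account, address, session start, session end).
REMOTE_ACCESS_LOG = [
    ("contractor_jdoe", "203.0.113.45", "2011-11-08T11:10:00", "2011-11-08T12:30:00"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def unknown_sources(flows, inventory):
    """Return every flow whose source address is not an inventoried node,
    labelled as an unknown host inside the control range or as external."""
    findings = []
    for ts, src, dst, port in flows:
        if src in inventory:
            continue
        kind = "unknown-internal" if ipaddress.ip_address(src) in CONTROL_NET else "external"
        findings.append({"ts": ts, "src": src, "dst": dst, "port": port, "kind": kind})
    return findings


def attribute(findings, access_log):
    """Attach the authorized account whose remote session covers the finding's
    address and time, if one exists; otherwise leave account as None."""
    for f in findings:
        f["account"] = None
        t = parse_ts(f["ts"])
        for account, addr, start, end in access_log:
            if addr == f["src"] and parse_ts(start) <= t <= parse_ts(end):
                f["account"] = account
                break
    return findings


def triage(flows=FLOWS, inventory=INVENTORY, access_log=REMOTE_ACCESS_LOG):
    """Flag non-inventoried sources and attribute them where the access log allows."""
    return attribute(unknown_sources(flows, inventory), access_log)


def needs_investigation(findings):
    """Findings with no authorized remote session to explain them."""
    return [f for f in findings if f["account"] is None]


if __name__ == "__main__":
    results = triage()
    for f in results:
        who = f["account"] or "UNATTRIBUTED"
        print(f'{f["ts"]} {f["kind"]:16} {f["src"]} -> {f["dst"]}:{f["port"]}  {who}')
    print(f"{len(needs_investigation(results))} finding(s) still need investigation")
```

Two points are worth keeping in mind when using a check like this. Matching an address to an authorized account explains where the traffic came from, which is what closed the Curran-Gardner scare, but it does not by itself prove the account was not misused; that conclusion still took a detailed analysis by DHS and the FBI. And the check is only as good as the inventory behind it: an unknown host inside the control range, such as 192.168.10.77 above, is exactly the node Edwards says you should already know about.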