
Imperiled SCADA Systems

Sean Newman | Corero Network Security

 

Please tell us a bit about Corero Network Security?

Corero Network Security is focused on delivering solutions which keep organizations online in the face of Distributed Denial of Service (DDoS) attacks. Our SmartWall solution includes high-performance physical and virtual appliances which inspect network traffic at line-rate, looking for DDoS attacks. When SmartWall appliances detect DDoS traffic, they mitigate it automatically in, typically, less than a second. The speed and accuracy delivered by the solution ensure that the target is unaware it is being attacked and is able to continue normal operations.

 

Can ICS/SCADA systems be compromised from the inside?

Industrial Control Systems, like many other systems, are vulnerable to insider attacks. However, they have the additional challenge that they are still largely based on technology from several decades ago, when systems were totally air-gapped from the rest of the world. Back then, security was purely physical, with systems behind doors and under lock and key. From that perspective little has changed, so an insider with credentials, or an outsider who can access these systems via a rogue device on the inside, is able to change settings and modify the behavior of systems and processes.

 

How easy is it to impact these systems from the outside?

As Industrial Control Systems were traditionally isolated, these systems and their communication channels did not have security built in by design. And, as they evolved, standard networking technology was adopted which enabled them to be connected to the broader network and, ultimately, the Internet. This opened up new opportunities for remote monitoring and control, for example, in locations where having an operator physically present was not convenient, but this has left systems exposed and vulnerable to miscreants with other objectives on their minds. Password controls may now be in place on these systems, but experience shows that these often provide little challenge to today’s attackers so, once bypassed, there is little to prevent their progress.

 

How damaging could these attacks be?

Damage is somewhat subjective, but anything with a control system could be impacted by an attacker with the motivation. This could range from spoilt product batches, to data centers in meltdown when HVAC settings are adjusted, to life-threatening situations resulting from power and other service disruptions, as seen in the Ukraine last year.

 

Could a DDoS attack take down production?

When attackers have the ability to take control of production systems from multiple angles, including adjusting process settings, or completely cutting the power to them, then it’s more down to the motivation for the attacker than whether any particular system can be impacted.

 

What kind of implications could even small DDoS attacks have?

The common perception of DDoS attacks is that they are just highly visible massive floods of traffic, for extended periods of time, which overwhelm all other network traffic to the point where access is not possible.  In fact, when you start looking at all traffic flowing on the Internet you find that these attacks are the tip of the iceberg and, in fact, the majority of DDoS attacks are in fact much smaller.

From across Corero’s customer base, we typically see that over 70% of DDoS attacks are actually less than one gigabit per second in size and last less than ten minutes. The reason is that attackers are now typically much more calculated and only send the volume of traffic needed to overwhelm the particular system they are targeting. There are a number of benefits for the attacker with this approach, in that they don’t need to generate as much traffic, which can be costly and time-consuming for them, and there is less chance that the attack will be detected and mitigated before the damage is done.

 

How can ICS/SCADA systems be protected?

There are multiple ways that the protection for such systems can be enhanced. Examples include: Intrusion Prevention Systems on gateways to ICS networks, ensuring that control data cannot be sent directly from external untrusted systems, as well as independent monitoring systems which can flag any unplanned changes to a system. From a service continuity perspective, employing DDoS protection can ensure that legitimate control and monitoring data can always get to its intended destination.

 

How would a small company go about implementing some of these protections and what effect does that have on the production line?

The unfortunate truth about cyber-crime today is that size often does not matter. If you’re connected to the Internet, and an attacker somewhere on the planet has the motivation, then you could be targeted. Increasingly the motivation is financial, in the form of extortion, and we have seen a worrying rise in the use of DDoS for ransom campaigns, where any business can be targeted and asked to pay a ransom, usually in crypto-currencies, such as Bitcoin. The only real answer here is to employ the latest always-on, automatic, DDoS protection, either deploying it directly, or choosing a service provider who can offer you such protection.

 

About Sean Newman
Sean Newman is Director of Product Management for Corero Network Security. Sean has worked in the security and networking industry for over twenty years, with previous roles including global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA.  Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.

 

The content & opinions in this article are the author’s and do not necessarily represent the views of ManufacturingTomorrow
