An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

News | Oct. 27, 2017

Protecting critical infrastructure from cyber threats information technology systems

By Robbie Carter DLA CERT

I know what you’re thinking, what is ICS and why do I even care? Well, do you like air conditioning in the summer time or heating in the winter? What about building security - do you like knowing that the door will unlock when you swipe your badge, or maybe more importantly, do you enjoy having the security that comes with the knowledge that when someone who doesn't belong in your building swipes their keycard, the door stays locked? All of those luxuries are controlled by Industrial Control Systems.

Industrial Control Systems or "ICS" is a general term used to encompass several types of devices that manage or regulate the behavior of other devices. ICS can be broken into sub categories to include Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS) and Programmable Logic Controllers (PLCs). These categories encompasses everything from the HVAC system to the automatic lights in the building.

But why would someone want to target a HVAC system? I'm sure everyone remembers or is at least vaguely familiar with the 2013 Target Data Breach that is estimated to have compromised 110 million people; but did you know that Target was actually compromised through their HVAC system?1 Target used a third party company to manage their HVAC systems, which weren’t properly cordoned off from the rest of their network and were then able to be used as a pivot point that allowed the malicious actors to plant the malicious payload on the card processing system.

While Target is an example of someone using an ICS as a pivot point to reach other critical infrastructure, what about someone using the primary network to reach the ICS infrastructure? In March of 2016, malicious actors took control of hundreds of PLCs that governed the flow of toxic chemicals that were used to treat water at a regional water utility.2 The actors took advantage of the water company's poor security architecture that had multiple internet-facing systems with high-risk vulnerabilities on the same network as their SCADA platform. The actors were actually able to change flow rates of the toxic chemicals. Luckily, the alert system provided the water treatment facility enough time to reverse the chemical flow changes, minimizing the impact on the facilities customers.

The hack of the water treatment facility is an important lesson in ICS architecture and highlights the need for independent infrastructure. The malicious actors obtained access by exploiting a widely known vulnerability on an outdated operating system on a public facing web server that had absolutely nothing to do with the PLCs or any part of the ICS infrastructure. Had the PLCs been on their own network that was segregated from the water treatment facility’s primary network, the malicious actors would have never been able to access the PLCs from that vulnerable server.

Enterprises have vast network of industrial control systems from building door badge scanners and HVAC to refueling systems for our ships and planes. The need to protect these systems is as great as ever in 2017 as the landscape of potential threats to our safety is no longer purely physical. The water treatment facility attack could have put hundreds of thousands of lives in danger had it not been for a couple of alert operators paying attention to their monitoring systems. However, even with the proper safeguards in place; ICS networks are starting to become a bigger target for malicious activity because they have such a high potential of a catastrophic outcome. The only way to aid in eliminating these risks is to always be vigilant and maintain situational awareness.

 

References

  1. https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
  2. http://www.securityweek.com/attackers-alter-water-treatment-systems-utility-hack-report