Attacking SCADA systems
Supervisory control and data acquisition (SCADA) is a control system architecture that uses computers, networked data communications and graphical user interfaces for high-level process supervisory management, but uses other peripheral devices such as programmable logic controllers and discrete PID controllers to interface to the process plant or machinery. The operator interfaces which enable monitoring and the issuing of process commands, such as controller set point changes, are handled through the SCADA computer system. However, the real-time control logic or controller calculations are performed by networked modules which connect to the field sensors and actuators. (from Wikipedia).
Definition of processes
Industrial processes include manufacturing, process control, power generation, fabrication, and refining, and may run in continuous, batch, repetitive, or discrete modes.
Infrastructure processes may be public or private, and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electric power transmission and distribution, and wind farms.
Facility processes occur in buildings, airports, ships, and space stations; they monitor and control heating, ventilation, and air conditioning (HVAC) systems, access, and energy consumption.
Scenarios
A virus or a worm using personal computers as simple vectors to attack such systems may turn quite dangerous. Just imagine the software in charge of automating a factory, of controlling the ventilation of a military bunker, of connecting to electro-medical instruments, or simply of checking and maintaining the rotation speed of the centrifuges that isolate UF6 (yes, uranium hexafluoride) to enrich the nuclear fuel of plants (and weapons): a virus, or simply a self-replicating worm, could wreak havoc on such environments. Or better, did.
Stuxnet
Stuxnet is a malicious computer worm, first uncovered in 2010 by Kaspersky Lab. Thought to have been in development since at least 2005, Stuxnet targets SCADA systems and was responsible for causing substantial damage to Iran's nuclear program. Although neither country has openly admitted responsibility, the worm is believed to be a jointly built American/Israeli cyberweapon whose control was lost.
Stuxnet specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart.
Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack; a link file that automatically executes the propagated copies of the worm; and a rootkit component responsible for hiding all malicious files and processes, preventing detection of the presence of Stuxnet. It is typically introduced to the target environment via an infected USB flash drive, thereby crossing any air gap. The worm then propagates across the network, scanning for Siemens Step7 software on computers controlling a PLC. In the absence of either criterion, Stuxnet becomes dormant inside the computer. If both conditions are fulfilled, Stuxnet introduces the infected rootkit onto the PLC and Step7 software, modifying the code and giving unexpected commands to the PLC while feeding a loop of normal operating values back to the operators.
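The last sentence describes the replayed-feedback trick: operators watch a loop of previously recorded normal readings while the PLC is driven out of specification. A plant-side check for that symptom, added here as an example (it is not code from the original page nor from any published Stuxnet analysis), looks for a telemetry stream that repeats itself exactly or stops moving at all. The sample readings are constructed, and the function names, the 1064 rpm baseline, and the thresholds are assumptions made for the example.

```python
import random

# Constructed sample data: a "live" rotor-speed stream with sensor jitter
# around a hypothetical 1064 rpm set point (a fixed seed keeps the example
# reproducible), and a "replayed" stream made of one short block of
# plausible readings played back again and again.
_rng = random.Random(7)
LIVE_STREAM = [round(1064.0 + _rng.uniform(-0.5, 0.5), 2) for _ in range(60)]

_REPLAY_BLOCK = [1064.2, 1063.8, 1064.5, 1063.9, 1064.1, 1063.7]
REPLAYED_STREAM = _REPLAY_BLOCK * 10


def find_replay_period(values, min_period=4, tolerance=0.0):
    """Return the smallest period p (>= min_period) such that every reading
    equals the reading p samples earlier, within `tolerance`; None if the
    stream never repeats. Real sensors never reproduce a block exactly, so
    an exact period is a strong hint that the feedback is canned."""
    n = len(values)
    for p in range(min_period, n // 2 + 1):
        if all(abs(values[i] - values[i + p]) <= tolerance for i in range(n - p)):
            return p
    return None


def spread(values):
    """Peak-to-peak spread of the readings. A stream whose spread collapses
    to (near) zero is frozen rather than replayed, another canned-feedback
    symptom worth alarming on."""
    return max(values) - min(values)


def assess_feedback(values, min_spread=0.05):
    """Classify a window of readings as 'live', 'replayed' or 'frozen'.
    The spread threshold is an assumption for this example, not a value
    from any vendor or standard."""
    if spread(values) < min_spread:
        return "frozen"
    if find_replay_period(values) is not None:
        return "replayed"
    return "live"


if __name__ == "__main__":
    for name, stream in (("live", LIVE_STREAM), ("replayed", REPLAYED_STREAM)):
        print(f"{name:9s} -> {assess_feedback(stream)} "
              f"(period={find_replay_period(stream)}, spread={spread(stream):.2f})")
```

The check is deliberately independent of the PLC and of the HMI software: it only needs a copy of the values the operators see, so it can run on a separate monitoring host that the compromised engineering workstation does not control. A true positive does not prove the process is damaged, only that the feedback path can no longer be trusted, which is the point at which a physical reading from an independent sensor should be taken.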
The progeny
Was the catching of Stuxnet enough to improve plant security? Apparently not.
A November 2013 article in Foreign Policy magazine claims existence of an earlier, much more sophisticated attack on the centrifuge complex at Natanz, focused on increasing centrifuge failure rate over a long time period by stealthily inducing uranium hexafluoride gas overpressure incidents. It was called "Stuxnet's secret twin".
On 1 September 2011, a new worm was found, thought to be related to Stuxnet. The Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics analyzed the malware, naming the threat Duqu.
In May 2012, the new malware "Flame" was found, thought to be related to Stuxnet.
In December 2017 it was reported that the safety systems of an unidentified power station, believed to be in Saudi Arabia, were compromised when the Triconex industrial safety technology made by Schneider Electric SE was targeted, in what is believed to have been a state-sponsored attack. The computer security company Symantec claimed that the malware, known as "Triton", exploited a vulnerability in computers running the Microsoft Windows operating system.
Fool me once, shame on you; fool me twice, shame on me...
It is curious to note how all these worms exploit zero-day flaws in the Microsoft Windows operating system: a zero-day flaw is, by definition, a software vulnerability that is unknown to those who would be interested in mitigating it. Now, connecting the dots, we are led by the hand to believe that the creators of this cyberweapon knew vulnerabilities hidden from the producer of the operating system (Microsoft) but kept them secret to use against their enemies, leaving the millions of other users of the same system open to random hacker attacks. To be honest, we have to add a couple of thoughts:
1 - The worm was carefully designed to attack a peculiar chain of hardware/software
2 - The last ransomware swarm that brought Europe to its knees was due to the completely careless behaviour of security sysadmins, who failed to update their systems, often obsolete operating systems, with the latest security patches
In other words, before concluding that there is a political conspiracy against the poor end user, consider how much you have done to secure your own domain.
Other Stuxnet-like cyberattacks
In June 2014, another malware designed to attack industrial systems was detected attacking a number of companies in Europe. Manufacturers of industrial applications and machines in Europe and the USA were targeted by Havex, a remote access trojan that collects data from ICS/SCADA systems.
The attack, which can be labeled as a watering hole attack, was apparently an attempt to harvest intelligence needed for further attacks on infrastructures built using hardware by the targeted manufacturers.
While no such subsequent attack was detected, the 2014 Havex attack reminds us that cybercriminals – whether state-sponsored (as apparently in the case of Stuxnet) or financially motivated – have tools and information available to attack industrial systems.
Industroyer was most probably the malware that shut down the power grid in Kiev, Ukraine’s capital, in December 2016. More importantly, Industroyer is the first ever malware capable of attacking power grids automatically (in comparison to BlackEnergy, which was also used to attack the Ukrainian power grid but the actual power outage had to be executed manually). With minor adjustments, it is capable of doing significant harm to electric power systems in the EMEA region and potentially in other parts of the world, including the USA. It could also be refitted to target other types of critical infrastructure like water or gas utilities or transportation control systems.