Industroyer: yet another wake-up call for industrial control system security?

Another week, another threat to our Critical National Infrastructure as the “Industroyer” malware was announced last week.

This latest piece of malware is alleged to be able to take direct control of electricity substation circuit breakers, using industrial communication protocols. These protocols are used globally in power supply infrastructure and transportation control systems, but also in areas such as water and gas.

Just a few days earlier, Nexor had been hosting an event on “The Cyber Connected World”, as one of the partners in the East Midlands Cyber Security Forum. One of the examples highlighted at the event was the Ukrainian power plant attack in December 2015.

Now, it’s hardly news that Industrial Control Systems and companies operating SCADA (supervisory control and data acquisition) systems are vulnerable to being hacked. The go-to example being the Stuxnet attack on Iranian nuclear reactors, back in 2010. But that wasn’t the first, and there are examples stretching a lot further back in time, such as the cyber-attack on an Australian water sewerage in 2000.

Earlier this year, the European Union Agency for Network and Information Security (ENISA) reported that many senior managers in critical national infrastructure organisations were still unaware of the security risks in the industrial systems they operated.

Since the report came out, we have continued to see a running commentary of the threats posed to SCADA:

• Malware posing as legitimate software for Siemens control gear;

• US officials consider the cyber threat to the national energy supply;

• The publication of the joint CREST and NCSC “Industrial Control Systems Technical Security Assurance Position Paper”;

• And on to the latest threat to SCADA systems, the “Industroyer” malware.

Why are SCADA systems vulnerable to cyber attack?

Because SCADA systems are now so interconnected and exposed to the internet, or large public networks, they are now exposed to many more threats, ENISA warned.

The agency’s Communication network dependencies for ICS/SCADA systems report recommends several areas of improvement in how these systems are run to prevent major outages affecting the population.

ENISA urged operators to adopt a faster update and patching process to protect these interconnected devices. It highlighted a failing in the way such systems are updated or patched. Update processes are usually carried out by using standard computers/laptops, or even USB devices, which act as a potential entry point.

But as ENISA points out, it doesn’t need to be this way, there are better ways of getting information, such as vital updates, into Industrial Control and SCADA systems.

Data diode technology protects Industrial Control Systems

In Nexor’s white paper “Air-Gaps, Firewalls and Data Diodes in Industrial Control Systems”, an alternative approach is explored that looks at putting one-way network connections in place, based on data diode technology. This enables the business process, whilst reducing the risk.

The paper also looks at how data guard technology can further minimise the risk, by using content filtering to ensure only data related to the allowed business process can pass through the one-way connection.

We cannot avoid the need to join systems, but we can manage the risks by understanding the business information exchange needs, and by building solutions to enable those, and only those, data flows.