Supervisory Control and Data Acquisition (SCADA) system is a computer application used to monitor and control a plant or equipment at the supervisory level.
SCADA systems are used in many different industries to collect and analyze real-time data, as well as to control functions, which makes them a target to malicious hackers. Because of that it's important to defend your system against SCADA threats and attacks.
As a trusted provider of remote monitoring and control solutions, we know that it's critical to understand and be aware of real-world threats and vulnerabilities that exist within SCADA systems. After all, you can't defend your network from something you know nothing about.
So, to get a better insight at SCADA hacking incidents, let's take a look at a timeline of recent cyberattacks on SCADA systems.
In 2010, Stuxnet was the one of the most complex malware known. It infected control system networks and it was presumed by some to have damaged as many as one-fifth of the nuclear power centrifuges in Iran.
The Stuxnet malware was a wake-up call to SCADA systems around the world because it was considered the first known threat to target specifically SCADA systems in order to control networks. The US Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Team (ICS-CERT) issued multiple guidelines on how to defend against the Stuxnet malware, which also infected systems in the US.
The Stuxnet was really dangerous because it could self-replicate and spread across multiple systems through many means, such as:
Removable drives: The malware would take advantage of the auto-execution vulnerability.
LANs: The Stuxnet malware would utilize security breaches in the Windows Print Spooler.
Server Message Block (SMB): Stuxnet used SMB to provide shared access to files, printers, and other devices by benefiting of a vulnerability in the Microsoft Windows Server Service.
Network file sharing: The malware would copy and execute itself.
Siemens WinCC HMI database server: The malware would copy and execute itself.
Siemens Step 7: Stuxnet would copy itself into Step 7 projects in such a way that it is automatically executed when the Step 7 project is loaded.
The Stuxnet malware was a weapon designed to look for a specific software to be installed on and the exact equipment to be connected to a SCADA system. If it didn't find all of these things, it'd self-eliminate. If it did find all the precise configurations it was looking for, it modified and sabotaged the code on PLCs by adding ladder logic directly into them.
The PLC with the modified code would send incorrect data to the HMI, which would display wrong information to the network operator - who would think that everything is ok.
A lesson learned from Stuxnet is that a sophisticated threat can likely attack any system, so the ability to detect and recover from a cyber-attack is critical.
Night Dragon is a series of Tactics, Techniques, and Procedures (TTPs) used in a series of coordinated, secret, and targeted cyber-attacks made public in 2010.
These attacks targeted global oil, energy, and petrochemical companies. Files of interest focused on operational oil and gas field production systems, and financial documents related to field exploration and bidding. In some cases, the files were copied and downloaded from company web servers by hackers. In other cases, the hackers collected data from SCADA systems.
The Night Dragon attacks weren't sophisticated, however, they showed just how simple techniques are enough to break into energy-sector companies. Night Dragon stole valuable information, but they could've just as easily take control of an HMI, which could then have provided the attackers with the remote control of critical energy systems.
In 2011, Hungarian cyber security researchers discovered three information-stealing malware: Duqu, Flame, and Gauss. It is believed that these three malware are related since they all use the same framework.
Duqu was a malware designed to perform information gathering. It was designed to attempt to hide data transmissions as normal HTTP traffic by attaching encrypted data to be extracted in a .jpg file.
Flame is a complex malware designed to steal information by using:
Key stroke logging.
Extraction of geolocation data from images.
Flame could send and receive commands and data via Bluetooth, and it stored its gathered information in SQL databases. It used both network connections and USB flash drives for communication. Flame infected computers by disguising itself as a Windows Update by using a fake Microsoft certificate.
The malware Gauss is also intended for information stealing. It gathered the following information from the attacked systems:
Passwords, cookies, and browser history by intercepting user sessions in different browsers.
Computer network connections.
Processes and folders.
BIOS and CMOS RAM details.
Local, network, and removable drive information.
Also, Gauss could infect USB drives to steal information from other computers.
An important point to keep in mind from the Duqu, Flame, and Gauss information-stealing malware is how complex attacks can begin.
In 2012, Saudi Aramco, the largest energy company in the world, suffered a malware attack in its computer systems. This malware - called Shamoon - overwrote data on over 30,000 computers with an image of a burning American flag.
Shamoon was an information-stealing malware, which also included a destructive module. The affected systems became inoperable since the malware overwrote most of the files with random data, and once it happened the information couldn't be restored.
The Shamoon malware also hit another target, the Qatari natural gas company, RasGas, which is one of the largest liquefied natural gas (LNG) companies in the world.
Although, Shammon attempts to spread itself to other devices on a local network, both Saudi Aramco and RasGa got lucky because this malware had no direct impact on their SCADA systems. Even so, the ability to recover from a destructive cyber-attack is an important lesson from these attacks.
Often cyber-attacks into SCADA systems happen via the organization's business network, and from there affecting the operation's remote control system. However, the opposite occurred in 2013, when hackers broke into a third-party that maintained Target Store's HVAC control system.
The attackers have the objective to steal credit card data from Target. In order to do that, they gained access to Target's business network via its' building control systems. Then, they uploaded malicious credit card stealing software to cash registers across Target's chain of stores.
The total cost to Target for the attack, security upgrades, and lawsuits is estimated at $309M. Seventy million customers were affected.
All of these expenses were the bottom line of taking advantage of a building automation system. The Target breach proved that the - often forgotten - cyber security of building automation is indeed important.
A small dam in New York was accessed by Iranian hackers in 2013. This intrusion was not elaborate, since it was simply a test by the attackers to see what they could access.
This small utility, called Bowman Dam, controls storm surges. Its SCADA system was connected to the Internet via a cellular modem. The SCADA system was at maintenance during the time of the attack, so no control features were available; only status monitoring.
It's assumed that the dam was attacked due to its vulnerable Internet connection and lack of security controls, rather than a targeted cyber-attack. But the most concerning aspect of all this is who was conducting the intrusion, and the technical capability they showed by directly manipulating SCADA equipment.
When SCADA systems are directly exposed to the Internet, they become an easy target for any potential hacker.
In 2013, a malware called Havex was discovered that focused on SCADA.
One important aspect to Havex is that the US Government identified the RIS as the group behind it. This is critical because Havex is an advanced malware targeting SCADA systems. The malware communicated with a C2 infrastructure that could send instructions to provide enhanced, unknown capabilities to the malware.
In 2014, the German government released its annual findings security report. It described the general cyber-threat situation in Germany.
The report shortly outlined an attack on an undetermined German steel mill. At first, the attackers gained access to the business network of the steel plant. After that, they worked their way into the production network. They caused many failures of individual control systems, ultimately preventing a blast furnace from shutting down in a controlled manner, causing extensive damage to the plant.
The technical abilities of the hackers were very sophisticated. They were knowledgeable not only in advanced IT security but they were also prepared with detailed knowledge of SCADA and the steel production process.
In 2014, ICS-CERT published a series of alerts describing a sophisticated malware that had jeopardized many SCADA systems. This malware was using a variant of the BlackEnergy malware.
Like Havex, BlackEnergy targeted important SCADA products like HMI master stations.
A usual BlackEnergy attack included modules that search out any network-connected file shares and removable media that could help the malware to spread across the affected environment.
In 2015, the first known successful cyber-attack on a power grid cut electricity to nearly a quarter-million Ukrainians.
The attackers shut off power at 30 substations, leaving around 230,000 people without electricity for up to six hours. SCADA equipment wasn't working, and power restoration had to be done manually.
Attackers perform the outage by using a BlackEnergy 3 malware version.
This attack was a wake-call to ensure that power grids around the world are protected against such threats.
In 2016, according to Verizon Security Solutions an undisclosed water company experienced a cyber-attack on its SCADA system. Verizon gave the water company the fictitious name of "Kemuri" to protect its identity.
Still according to Verizon, attackers accessed the water district's valve and flow control application that manipulates PLCs that control the water treatment chemical processing. They then altered the number of chemicals entering the water supply, affecting water treatment and production capabilities. This caused water supply recovery times to increase.
The Kemuri breach was serious and could easily have been more critical. If the hackers had more time and more knowledge of the SCADA system, Kemuri and the local community could have suffered serious consequences.
In 2016, one year after Ukraine suffered a major cyber-attack on its power grid, Kiev unexpectedly went dark again.
Cyber-attackers caused monitoring stations to abruptly go blind and breakers to trip in 30 substations. Shutting off electricity to approximately 225,000 customers.
Even though this second attack was much more sophisticated than the first one, power was restored in around three hours. However because the attackers had sabotaged management systems, operators had to travel to substations and manually close breakers the attackers had remotely opened.
While the first attack used remote control software to manually trip breakers, the second used complex malware that directly manipulated SCADA systems.
The sophisticated malware used in that second attack would later be identified as CRASHOVERRIDE.
The CRASHOVERRIDE (or "Industroyer") malware was the first-ever malware specifically designed and deployed to attack electric grids.
This the fourth piece of SCADA-tailored malware used against specific targets, with Stuxnet, BlackEnergy-2, and Havex being the first three. And it's the second malware ever designed for disrupting physical industrial processes - Stuxnet was the first.
The only functionality of the CRASHOVERRIDE malware is to attack leading to electric outages. It's framework has modules specific to SCADA protocols, such as IEC 101, IEC 104, and IEC 61820.
The modules in the malware are meant to open circuit breakers on RTUs and force them into an infinite loop to keep the circuit breakers open, even if grip operators tried to close them. This resulted in the de-energization of substations, forcing grid operators to switch to manual operations in order to restart power.
DHS issued a CRASHOVERRIDE malware Technical Analysis alert on June 12, 2017. It alerted US critical infrastructure of the serious threat that this malware poses.
In 2018, the City of Atlanta, Georgia, and the Colorado department of Transportation were hit with ransomware called SamSam.
In Atlanta, attackers requested $51,000 in crytocurrency to restore the city's data. It also caused a multi-week outage to Atlanta's website, blocking payments, business licensing, ticket processing, and court functions. The attack also erased Atlanta Police Department's dashcam archives.
Colorado faced multiple attacks in the span of weeks, with the ransomware mainly affecting employee computers and some transportation systems.
The bad news: Supervisory Control and Data Acquisition attacks have become more and more aggressive over the past years.
The good news: network operators are increasingly taking more proactive defensive measures to defend their systems against cyber attacks.
The previous list of SCADA attacks emphasize greatly the importance of the ability to respond to critical incidents and be able to analyze and learn from what happened is crucial.
As a network monitoring provider, one of our main priorities is to help you put into practice the use of real-time network monitoring, which is a main security best practice today in order to detect and avoid attacks. So, to make sure your mission-critical data is confidential and secure, our products offer many security features.
The NetGuardian 832A RTU, for example, supports SNMPv3 to send encrypted traps to your master so unintended recipients can't simply look at the messages. The 832A also features other security measures, such as HTTPS for secure web viewing of the alarm data.
Another example is the T/Mon master station. It has the option to support HTTPS web viewing and, like the NetGuardian 832A, it has passwords that control the level of access individual users have to the system. And don't forget that we can customize any of our products to meet your security needs.
If you want to know more about remote monitoring and SCADA security, and how we can tailor our devices to fit your requirements, simply drop us a line and tell us what you need.
You need to see DPS gear in action. Get a live demo with our engineers.
Have a specific question? Ask our team of expert engineers and get a specific answer!
Sign up for the next DPS Factory Training!
Whether you're new to our equipment or you've used it for years, DPS factory training is the best way to get more from your monitoring.Reserve Your Seat Today