Firewalls and two-factor authentication have become the norm when protecting our information technology (IT) systems from the threat of cyberattacks. However, hackers have begun exploiting a new method of attack on systems that are often far less secure but even more critical: Industrial control systems (ICS). These systems are the computers that regulate simple things like building climate control or fire suppression systems. These systems also control facilities like water treatment plants, oil refineries, and power grids.
ICS are easy targets because of their age; most control mechanisms were installed or implemented in the machines more than two decades ago before widespread cyberattacks became a considerable threat. Protected only by simple security measures, ICS has become the newest focus of hackers worldwide.
Though we’re only now seeing large-scale attacks on these systems, they’ve been happening for a while. For example, in 2013, hackers broke into the supervisory control and data acquisition (SCADA) system of the Bowman Avenue Dam in New York. Luckily, they did not do any damage because the dam gates were offline for maintenance. However, if they had been able to open the gates, it could have been disastrous for the citizens downstream of the dam.
A recent example of how a cyberattack can affect a population was the Colonial Pipeline hack in 2021. Though the hackers did not attack through the ICS, they uncovered a virtual private network (VPN) password through a data breach. This strategy also threatens ICS security. Once the hackers had the password, they downloaded 100 gigabytes of data from the company’s internal network and held it for ransom.
Unfortunately for the United States’ east coast, the Colonial Pipeline is exceptionally vital. It supplies nearly half of the fuel from Texas to New Jersey annually. Colonial decided to shut down the pipeline for six days to prevent the ransomware from spreading throughout its entire network. The effect rippled up and down the coast. Airlines shut down due to jet fuel shortages, and while gas stations weren’t expected to run out of gasoline, they did as people panicked and bought gas to stockpile.
Colonial Pipeline ended up paying a ransom of $4.4 million, though federal agencies were able to recover more than half of it. While criticized for making the payment and legitimizing the attacker’s methods, Colonial stood by their decision and hoped it would speed up the recovery time.
If that much havoc could be created by shutting down an oil pipeline for six days, consider the attack on JBS, a Brazil-based meat processing company. The attack, which also occurred in 2021, cost the company $11 million in ransom. JBS is the world’s largest meat producer, and by shutting down its Brazilian headquarters, slaughterhouse operations from Australia to the United States ceased.
All of this proves that even if your business bank accounts come with security features like biometric or multi-factor authentication (both undefeatable), your money is still at risk from bad actors targeting systems other than the bank itself.
Unfortunately, profit isn’t always the motive for an attack. This mentality is especially dangerous when an attack occurs on an ICS. Although ransomware was the mechanism in the JBS attack, revenge was the motive. Payback was also likely the motive for the Bowman Avenue Dam attack.
One of the concerns with ICS is the old-fashioned way they communicate. For example, when a water treatment plant takes its controls online to reduce the cost of having operators physically present, therein lies an opportunity for a data breach. Once a hacker has infiltrated the ICS, it’s easy to head in either direction to cause damage. In one direction, the ICS connects to the SCADA, and hackers control the pump system, chemical injections, and potentially even floodgates. In the other direction, the ICS connects to the IT network of the organization. If that organization happens to be a municipality, as is the case for many water treatment plants, the entire city is now under threat.
It may be prohibitive for a company or a municipality to install a completely new ICS. An alternative solution is minimizing the contact the ICS has with the external internet. One way to protect an ICS like a water treatment plant is to install unidirectional gateways between each network. A unidirectional gateway only allows the flow of information in one direction. In this manner, data from the ICS can be sent to the IT system but cannot flow in the other direction. If hackers were to gain access to the IT system, they wouldn’t be able to access the ICS and, in turn, the SCADA system that controls the equipment. By keeping the ICS off the internet, it creates less opportunity for it to be infiltrated.
A further level of security would be to install a sandbox filter through which the data flows from the ICS to the IT system, again unidirectionally. Screening the data before it reaches the IT network will enhance the ability of the security systems to detect malware. Security professionals could use the same sandbox to test out new vendor software before installing it into the system. Savvy hackers may discover the system’s use of a sandbox and prepare their malware with a time delay, which is why a time advance on the sandbox’s clock should be included as part of the testing procedures.
Though industrial facilities have known for years how crucial protecting their IT systems is, only minor consideration goes to their internal systems like industrial controls. It’s currently impossible to protect against all the ways an ICS can be attacked, but it is possible to upgrade the security system to protect against most of them. If security issues are left unaddressed, the results are compound and often magnified. Once hackers are inside an ICS, it no longer becomes a simple monetary risk of ransomware. When the facility controls the public’s access to electricity, gas, or clean water, it’s a recipe for disaster.