Anatomy of SCADA attacks, or break-ins into industrial systems

The much-publicized American Stuxnet attack, which in 2010 destabilized the centrifuges used to enrich uranium in Iran, came as a cold shower for the IT heads of many companies around the world. It turned out that one can break into the computer systems that supervise technological and production processes (SCADA, Supervisory Control And Data Acquisition) and cause significant damage. The possibility of mounting such an attack is grist to the mill for industrial spies, unfair competitors and extortionists. How long have such attacks been happening in cyberspace? What techniques do criminals use to break into SCADA systems? What are the implications for businesses? Ruchna Nigam, security analyst at Fortinet's FortiGuard Labs, shares her experience in assessing this phenomenon.

SCADA systems are used in many different industries. They control, for example, the turbines in power plants or the transport of oil and gas through transmission networks. At airports they are responsible for the operation of metal detectors. They can also be found in factories, where they monitor many processes, such as heating, ventilation or electricity consumption. Attacks on such systems can lead to serious damage to industrial installations and, as a consequence, even to the elimination of the affected enterprise from the market. This is why they are among the most destructive tools at a hacker's disposal, and for the same reasons they are very attractive targets.

It is alarming that only the detection of Stuxnet made companies aware of the possible consequences of infecting SCADA infrastructure. It was not, in fact, the first known virus aimed at industrial systems. The media hype around the attack, however, opened the public's eyes. For the first time it was demonstrated that advanced worms and viruses can destroy not only digital data on computers, but also reactor cooling systems, chemical production processes and power grids. All of this makes up the critical infrastructure of a state. Destabilizing it is a priority in today's cyber war, whose aim is to take control of an enemy state.

What is the history of attacks on SCADA systems? How did they evolve before and after Stuxnet? Known attacks on industrial networks can be classified into three categories:

Unconfirmed targeted attacks

1982: The first attack on industrial systems may have taken place as early as 1982, and it all started with Vladimir Vetrov, a KGB colonel and spy who in the early 1980s decided to cooperate with NATO and French intelligence. Vetrov handed over to the Allies almost 4,000 secret documents, including a list of 250 active Soviet industrial spies around the world. The information contained in the files (the Farewell Dossier) suggests that the US Central Intelligence Agency (CIA), instead of immediately exposing the agents, decided to use them for a trick. As a result, a large number of deliberately badly designed parts reached the Soviet Union, where they were used to build the Trans-Siberian gas pipeline (Urengoy – Surgut – Chelyabinsk). It is believed that the SCADA system controlling the transmission of gas in the pipeline, which the Russians had copied from a Canadian company, also contained a Trojan horse that caused the famous explosion. None of the parties has ever confirmed this scenario, and the files mention only deliberately damaged turbines.

1999: There were reports of an attack in 1999 on Gazprom, the Russian gas giant. A Trojan horse that hit the control system of one of the pipelines, reportedly planted through a mole (a person placed inside by a hostile institution or country), was said to have disrupted the flow of gas for a few hours, but Gazprom never confirmed this.

Confirmed targeted attacks

2009: Global petrochemical corporations, including Exxon, Shell and BP, were attacked by a virus called Night Dragon, distributed by email using spear phishing. Infected computers could be remotely controlled by the attacker. The attackers examined the operational plans of SCADA systems and stole important data from them.

2014: Havex appears, hidden in modified software installers for SCADA systems that were available on the producers' official websites (!). It was programmed to scan the local network and the data received from industrial installations, and then send the collected information to a command and control server. The pattern of its activity pointed to large-scale industrial espionage.

Another intruder, Blacken, was discovered on the command and control server of an existing botnet. It targets users of the GE Cimplicity SCADA software and installs executable files in the program's root directory. Some of these executables are bots that can be remotely controlled. Blacken also refers to Cimplicity project files, but in this case the precise effect of the malware is not yet known.
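Both the Havex and Blacken cases above come down to file integrity: an installer fetched from a vendor site that no longer matches what the vendor built, and executables appearing in an install directory that nobody put there. The script below is an added example, not code from Fortinet or from the original article, showing the two checks a practitioner would run: verifying a downloaded installer against a digest obtained out of band, and baselining the executables under an install directory so that new or modified binaries are reported. The directory layout (`Cimplicity/bin/HmiServer.exe`), the file contents and the digests are all constructed for the demo and do not reflect GE's real product layout.

```python
"""File-integrity checks for ICS software (added example, constructed data)."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# File types treated as executable content worth baselining (assumption for this example).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".bat", ".cmd", ".ps1"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path: Path, expected_sha256: str) -> bool:
    """Compare an installer's digest with the value the vendor published out of band."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.strip().lower())


def baseline(root: Path) -> dict[str, str]:
    """Map every executable under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def diff_baseline(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Report executables that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def demo() -> dict:
    """Constructed scenario: a trojanized download, then a Blacken-style drop into the install dir."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)

        # 1) Installer integrity. The digest stands in for a value published by the vendor.
        installer = tmp / "setup.exe"
        installer.write_bytes(b"MZ constructed installer bytes")
        published_digest = sha256_file(installer)
        clean_ok = verify_installer(installer, published_digest)
        installer.write_bytes(b"MZ constructed installer bytes + dropper")  # tampered copy
        tampered_ok = verify_installer(installer, published_digest)

        # 2) Install-directory baseline. "Cimplicity" here is a hypothetical path, not GE's layout.
        root = tmp / "Cimplicity"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "HmiServer.exe").write_bytes(b"MZ constructed HMI binary")
        (root / "bin" / "settings.ini").write_text("ignored=1")  # not executable, not baselined
        before = baseline(root)

        (root / "update.exe").write_bytes(b"MZ constructed bot")      # new executable in root
        (root / "bin" / "HmiServer.exe").write_bytes(b"MZ patched")   # existing binary modified
        after = baseline(root)

        return {
            "clean_installer_verified": clean_ok,
            "tampered_installer_rejected": not tampered_ok,
            "changes": diff_baseline(before, after),
        }


if __name__ == "__main__":
    print(demo())
```

The Havex caveat applies to the first check: if the attacker has already replaced the installer on the vendor's site, a hash published on the same page is worthless, so the reference digest (or a code-signing certificate check) has to come from a separate channel. For the second check, the baseline must be taken right after a trusted install and stored off the host, otherwise the malware's own files end up in the baseline.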

It is also worth mentioning the attack on a German steelworks. A report by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) shows that in 2014 it caused serious financial and physical losses. The attacker used social engineering and phishing emails to gain access to the steelworks' office network and from there broke into the industrial network. The hackers were very experienced not only in computer science, but also had extensive knowledge of production engineering, industrial control systems (ICS) and the steelmaking process. This points either to an unfair competitor or to a foreign state's intelligence service. Although details of the malware's operation were not disclosed, it caused abnormal values of individual control parameters of the smelting process, which led to an uncontrolled shutdown of a blast furnace and massive damage.

Confirmed untargeted attacks

Interestingly, the world knows of several completely random infections of SCADA systems. The fact that they were not targeted does not mean that they were any less threatening.

2003: The Davis-Besse nuclear power plant in Ohio, United States, and the American rail operator CSX Corporation fell victim to the Slammer and Sobig worms. Slammer carried out a DoS (denial of service) attack on the power plant's network, resulting in a five-hour loss of control over its safety systems, fortunately without a nuclear catastrophe. Sobig, meanwhile, paralyzed the dispatching and signalling systems, which resulted in significant delays in train traffic.

2004: The airlines British Airways and Delta Air Lines and the rail operator RailCorp fell victim to the Sasser worm, which used a buffer overflow to propagate to other vulnerable systems. Some of the more aggressive variants of the worm caused network overload. As a result, many flights and trains were delayed, and in the worst cases flights were cancelled.

2009: The French Navy was attacked by the Conficker virus. It exploited vulnerabilities in Windows and stole administrator passwords, then spread to all vulnerable machines, fetched updates of itself automatically and installed other malware. How did its presence affect the functioning of the whole system? It made it impossible to download flight plans, so aircraft were grounded.

To summarize all known cases of attacks on SCADA systems, we can draw several conclusions. First, with the exception of Stuxnet and the malware that hit the German steelworks, none of the other attacks caused physical damage. Why? Because an attack of that sophistication requires not only considerable skill, but also technical expertise and financial resources. This does not mean, however, that such attacks will not become more frequent, because the stakes are high. That is the second conclusion. Over the years the number of attacks on industrial systems has clearly increased, although many of them, especially those aimed at industrial espionage, surely remain a closely guarded secret. Looking at how cybercriminals' activities have evolved, we can be sure that we will hear about similar incidents more often. For companies this means one thing: it is time to look at the security of their networks.

Source: Fortinet
