Malware introduced via USB stick, human error, phishing and intrusions via remote access are just some examples of threats that affect the industrial sector. The attack dynamics chosen by hackers continue to evolve, and there are many cases that testify to this. One such case was Stuxnet: an emblematic event in 2010 involving an attack on industrial devices that revealed the complexity and risk level of OT technologies.
The attackers
Script kiddies, as the cliché goes, are computer science students who attempt to break into company systems with just a few tools and purely for fun.
In the context of production, sophisticated attacks and industrial espionage are certainly more dangerous. In these cases the objective is to copy the data; the difficulty lies in tracing the origin of the attack and identifying precisely which device it targets.
In the case of ransomware, however, the systems are encrypted in their entirety and the attacker usually demands a ransom payment or threatens to publish sensitive data on the dark web.
Lastly, in the case of organized groups, there is a real intention, often for military purposes, to strike at a particular organization.
The most “common” attackers in today’s world of OT are hackers and insiders (mainly perpetrators of ransomware attacks or industrial espionage).
The genesis of OT attacks: Stuxnet malware
Stuxnet was the first famous event to target OT systems, when an organized group with military intentions sabotaged a uranium enrichment plant in Iran, causing the centrifuges to be blocked.
The virus was propagated via a USB stick; the malware remained latent for some time within systems connected to a Siemens PLC with a defined configuration.
When the malware reached the target configuration, it mechanically damaged the centrifuges by causing sudden accelerations and decelerations. However, the SCADA system returned data suggesting the centrifuges were working normally, preventing the operator from noticing what was really happening.
The dynamics of Stuxnet
The Stuxnet attack is often cited in cyber security literature to draw attention to the attack dynamics and technological risk to which OT devices are exposed.
This malware, spread as a result of a deliberate attack, targeted engineering stations (Windows PCs on which specific project management programs were installed), and in particular those with the Siemens Step 7 software used to communicate with and program the PLC.
It is clear that if the attack had been directed at any other device of the same type, the spread of malware would have had the same effect; it is essential to understand that the case study depends less on the device than on the complexity of the attack.
Whenever the malware detected an installation of Step 7, it did three things in parallel:
- Editing the data-blocks, i.e. entering the code that was automatically executed by the PLC
- Altering the DLL, the library that Step 7 uses to communicate with the PLC, by overwriting it
- Masking the project on the HMI/SCADA side, i.e. giving the operator the impression that everything was working normally, despite the attack in progress
The attack was complex in the way it made changes and altered the operation of the plant. In addition, this case shows the danger of organized crime which, with a high level of knowledge, can go as far as rewriting the code (which can lead to complete loss of control of the plant).
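Because the overwritten library and the masked HMI view meant the station's own tools could not be trusted, integrity has to be checked against a baseline recorded independently. The following is an added example, not code from the original article: it records SHA-256 hashes of an engineering station's files and reports what changed. The file names (`plc_comm.dll`, `DB1.blk`, `OB1.blk`) and the directory layout are hypothetical, and the sample files are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large project archives do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> dict:
    """Map each file's relative path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files that changed, disappeared or appeared since the baseline."""
    current = snapshot(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }

def demo() -> dict:
    """Constructed scenario: hypothetical file names, no real vendor files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "project").mkdir()
        (root / "bin" / "plc_comm.dll").write_bytes(b"vendor library build 1")
        (root / "project" / "DB1.blk").write_bytes(b"setpoints: nominal")
        (root / "project" / "OB1.blk").write_bytes(b"main cycle")
        baseline = snapshot(root)  # in practice: taken at commissioning, kept offline
        # The two changes the article describes, plus one stray file.
        (root / "bin" / "plc_comm.dll").write_bytes(b"replaced library")
        (root / "project" / "DB1.blk").write_bytes(b"setpoints: altered")
        (root / "bin" / "dropped.tmp").write_bytes(b"not part of the install")
        return compare_to_baseline(root, baseline)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The comparison is only meaningful when the baseline is stored away from the station and the check is run from a host that is itself trusted.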
Stuxnet dates back to 2010, and since then there have been many other attacks on production with different dynamics of greater or lesser complexity. The trend of attacks is growing, and what makes the difference is whether or not you are ready to contain the damage.
Other examples of attacks on industry
Many companies have been affected by “cryptolocker”, a virus that encrypts some of the most sensitive company data and spreads within the network, reaching numerous devices.
In attacks of this type, the encrypted data is returned only upon payment of a ransom (typically in Bitcoin).
Cryptolocker malware enters the IT corporate network through the domain. The exchange of data between IT and OT opens the door to the attacker, who can then access all industrial devices linked to the same Active Directory domain.
Security prevention in such cases can be done, for example, through network segmentation, which helps to limit the spread of the virus.
The ransomware attack can generally be stopped by isolating the malware with a network cleanup. In this way, the damage to the company is limited thanks to the prior adoption of Security Management procedures, which prevent data breaches.
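To make the effect of segmentation concrete, the following added example (not from the original article) computes which hosts malware starting on one IT workstation can reach under a flat network and under a segmented one. The asset names, zones, domain name and flow rules are constructed, and the model assumes spread only between hosts that share an Active Directory domain and have an open network path.

```python
from collections import deque

# Constructed inventory (hypothetical names): asset -> (zone, AD domain or None)
ASSETS = {
    "office-pc-17": ("IT", "corp.example"),
    "file-server":  ("IT", "corp.example"),
    "historian":    ("DMZ", "corp.example"),
    "eng-station":  ("OT", "corp.example"),
    "hmi-line1":    ("OT", "corp.example"),
    "plc-line1":    ("OT", None),  # not domain-joined
}
ZONES = ("IT", "DMZ", "OT")
# Zone pairs (source, destination) in which the source may open connections.
FLAT = {(a, b) for a in ZONES for b in ZONES if a != b}
SEGMENTED = {("IT", "DMZ"), ("OT", "DMZ")}  # nothing initiates into OT

def blast_radius(start, assets, allowed_flows):
    """Hosts the malware can reach from `start` under the model assumptions."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        src_zone, src_domain = assets[src]
        for dst, (dst_zone, dst_domain) in assets.items():
            if dst in seen:
                continue
            shares_domain = src_domain is not None and src_domain == dst_domain
            path_open = src_zone == dst_zone or (src_zone, dst_zone) in allowed_flows
            if shares_domain and path_open:
                seen.add(dst)
                queue.append(dst)
    return sorted(seen - {start})

def ot_exposed(start, assets, allowed_flows):
    """Subset of the blast radius that sits in the OT zone."""
    return [h for h in blast_radius(start, assets, allowed_flows) if assets[h][0] == "OT"]

if __name__ == "__main__":
    for name, flows in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, blast_radius("office-pc-17", ASSETS, flows),
              "OT:", ot_exposed("office-pc-17", ASSETS, flows))
```

Adding a `("DMZ", "OT")` flow to `SEGMENTED` puts the OT hosts back in the result, because the domain-joined historian then acts as a stepping stone.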
Counteracting strategies
One of the cornerstones of OT cyber security is therefore threat analysis, to protect against ransomware attacks as well as even more sophisticated attacks.
Cyber security is a continuous risk prevention mechanism, involving:
- Employment of qualified personnel
- Attention to internal errors and oversights
- Adoption of security technologies
- Specificity of customers’ contractual requirements
- Implementation of compliance standards, specifically IEC 62443