
Cyber threats to industrial control systems

13 January 2015

As consumers and general Internet users, we take care not to fall victim to cyber attacks. It’s equally important to think about cyber security in automation systems. The hack of a control system can result in lost production time, stolen intellectual property, injuries, or worse. Standard IT security practices provide some level of protection, but further measures may be needed, reports CDA's Andy Pye.

"Industrial control technologies were largely built on proprietary systems never meant to be connected to the Internet," says Lancope’s director of security research, Tom Cross. "Additionally, conventional security approaches can introduce too much downtime or interfere with the correct operation of SCADA systems."

SCADA & ICS protection

Belden has released the Tofino Enforcer Software Development Kit (SDK), a toolkit that uses the company's patented Deep Packet Inspection (DPI) technology to protect supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols.

With it, developers can design custom loadable security modules (LSMs) for the wide variety of SCADA and ICS protocols currently in use, without having to disclose sensitive internal information about those protocols.

"Most major companies have proprietary network architectures, and for competitive reasons, they do not want to publicly share things, like source code," said Frank Williams, senior product manager for security at Belden. "With SDK, they can address specific needs - creating exactly what they need to protect their internal protocols."

XP legacy systems

Microsoft ended support for its 12-year-old Windows XP operating system in April 2014. This means that XP customers no longer receive security updates or technical support from Microsoft. As a Windows component, all versions of Internet Explorer for XP also became unsupported. From the next XP vulnerability onwards, XP machines are therefore largely unprotected against malware and cyber attacks.

But many organisations use applications that can only run on XP because they are incompatible with later versions of Windows. Others are unwilling to upgrade because drivers aren’t available for expensive pieces of equipment they use, such as medical devices.

With XP use so widespread, there’s also a chance that migration projects miss several machines. Some companies aren’t even sure of which machines are running XP and which aren’t. Hence, it is important to take security measures for XP systems that haven’t been upgraded yet, starting with a real-time inventory of connected devices.

ForeScout CounterACT can produce an inventory of all applications and processes running on connected systems, helping to identify the subset of XP systems that run essential legacy applications. It can also continuously monitor the remaining XP systems to identify those running Internet Explorer and/or Office 2003 and mitigate those risks. Depending on company policy, CounterACT can automatically remove or upgrade Office 2003, quarantine the XP system until Office 2003 is removed, or alert the administrator or help desk to schedule removal. Other remedial actions include:

  • Block or restrict network access
  • Limit and lock down applications, services and ports on XP machines
  • Plan for future XP exploits
  • Establish a migration strategy


The malware campaign known as Dragonfly surprised those concerned with industrial cyber security on several fronts. Initially, it was notable as the first malware since Stuxnet in 2010 to specifically target Industrial Control Systems (ICS) components.

Research done by Joel Langill of RedHat Cyber, showed that its target was most likely the pharmaceutical industry, rather than the energy industry as initially reported. This represented the first time that a sophisticated attack vector had gone after the discrete manufacturing sector.


Dragonfly was also remarkable because of the devious methods and pathways (so-called Offense in Depth techniques) it took to reach the control system. Many common security measures were ineffective against Dragonfly because it "trojanised" software from credible ICS vendors. Users believed the software they were installing was legitimate and so would have deliberately disabled their application whitelisting (AWL) defences while installing the upgrades. Unfortunately, the leading antivirus (AV) suppliers did not release signatures for the malware until mid-2014, past the peak window of Dragonfly activity.

Although Dragonfly collected information on industrial control systems, it did not harm them. Instead, it gathered information, most likely for the purposes of counterfeiting or competitive intelligence. It would nonetheless be easy for its creators to modify its modules for destructive purposes in the future. Allowing malicious code to execute on these systems on behalf of unauthorised users made it possible for any user to install damaging software on any industrial system, regardless of the permissions officially granted to them.
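The Dragonfly lesson above is that a vendor installer must be verified before an AWL exception is granted for it. The following is an added example (not code from any vendor or product on this page) that gates the exception on a manifest obtained out of band; the HMAC-authenticated manifest, the `check_installer` function and the sample installer bytes are all assumptions constructed for the example, and a real deployment would rely on vendor code signing instead.

```python
import hashlib
import hmac
import json

# Assumption: the manifest is authenticated with an HMAC key exchanged with
# the vendor out of band; a real deployment would use vendor code signing.
MANIFEST_KEY = b"constructed-shared-secret"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    # Canonical JSON so the signature is independent of key ordering.
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def check_installer(blob: bytes, manifest: dict, signature: str,
                    key: bytes = MANIFEST_KEY) -> tuple:
    """Return (allow, reason). Only allow == True should unlock an AWL exception."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"
    if len(blob) != manifest.get("size"):
        return False, "installer size mismatch"
    actual = sha256_hex(blob)
    if not hmac.compare_digest(manifest.get("sha256", ""), actual):
        return False, "installer hash mismatch"
    return True, "verified %s %s" % (manifest["product"], manifest["version"])

# Constructed stand-ins for a vendor download: the genuine installer and a
# copy with extra code appended (how a trojanised installer differs on disk).
GENUINE = b"MZ" + b"\x00" * 64 + b"vendor-hmi-update-payload"
TROJANISED = GENUINE + b"\x90" * 16 + b"appended-unexpected-code"

MANIFEST = {"product": "HMI Update", "version": "1.2.3",
            "size": len(GENUINE), "sha256": sha256_hex(GENUINE)}
SIGNATURE = sign_manifest(MANIFEST)

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("trojanised", TROJANISED)):
        print(label, check_installer(blob, MANIFEST, SIGNATURE))
    # A manifest edited to match the trojanised file fails the signature check.
    forged = dict(MANIFEST, size=len(TROJANISED), sha256=sha256_hex(TROJANISED))
    print("forged manifest", check_installer(TROJANISED, forged, SIGNATURE))
```

The point of the ordering is that the manifest's authenticity is checked before anything in it is trusted, so an attacker who alters both the installer and its manifest still fails the gate.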

SCADA vulnerabilities

Recently, researchers discovered flaws in SCADA computer systems which control major critical national infrastructure, including oil and gas. And 60,000 industrial control system devices are at risk of attack.

As reported in CDA in 2014, IT security data and analytics company Rapid7 identified and disclosed a number of vulnerabilities in CENTUM CS 3000 R3, a Windows-based industrial production control system sold by Yokogawa Electric. Since its original release in 1998, 7,600 systems for plant operation and monitoring have been sold, including to power, chemical and petrochemical plants in Europe, the USA and Asia.

The vulnerabilities could allow an attacker to cause a denial of service (DoS) or to gain system privileges and execute arbitrary code.

Yokogawa created a patch to mitigate the reported vulnerabilities. Rapid7 also recommended upgrading the software and protecting access to engineering projects by making sure they can only be accessed remotely through VPN or gateway products.

"The discovery of these recent flaws has demonstrated that organisations are either still not taking cyber security seriously or are simply bewildered by system vulnerabilities - currently, a high volume of cyber security incidents go unreported," says Tony Burton, Critical Infrastructure Protection Business Lead, Thales UK.

"Cyber-defences need to be tightly integrated with processes to bolster resilience and ensure that industrial system devices are protected from potential hacks. In order to remain poised to react to this evolving threat landscape, power companies need to continually assess their defence capabilities."

Future research

In recognition of this threat, research co-funded by the Engineering and Physical Sciences Research Council (EPSRC) will focus on the cyber-security of the UK’s vital industrial control systems which run, for example, manufacturing plants, power stations, the electricity grid, and the rail network.

The Research Institute in Trustworthy Industrial Control Systems (RITICS), based at Imperial College London, is co-ordinating the research, with a £2.5 million investment into new projects at Queen’s University of Belfast, the University of Birmingham, City University London and Lancaster University.

The University of Birmingham team will carry out a detailed security analysis of the National Grid and The Rail Safety and Standards Board to build an understanding of possible failures. "A cyber-attack on the railways wouldn’t affect safety as the trains are designed to be fail-safe but it would cause major disruption as trains would stop all over the network," says Professor Clive Roberts.

Researchers at Queen’s University of Belfast will investigate vulnerabilities within the national grid as wind or solar generated electricity comes on stream. Where the grid operates over the telecoms network it could be vulnerable. Professor Sakir Sezer said: "Should the telecoms systems that support the control system be compromised, the impact of the resultant loss of electricity supply would have far-reaching consequences."