Essentials for ICS/SCADA defence

In Summer 2016, as we cranked up our efforts to get deep into the Industry Security landscape, we had the pleasure to host Christine Kinch as our intern and researcher. For three months, she dug into the interesting area that is Industrial Control Systems (ICS) and SCADA. We are pleased to present to you Christine’s impressions from the summer in Prague, working with Citadelo, and her conclusions from the months of research.

Actual Ethical Hackers

The challenging and ever-changing landscape of cybersecurity, and of the IT sector in general, is a prime example of the need for continuing professional development. As an undergraduate (BSc (Hons) IT Security), the desire to gain practical skills to complement the theory led me to a Central European internship during this summer vacation, working for Citadelo: a tightly knit team of IT security professionals dedicated to finding vulnerabilities in corporate IT environments.

The need to test every possible angle for intrusion was clarified for me whilst having an informal chat with Tomáš Zaťko, CEO. Tomáš described how junior team members would take advice from senior pentesters when faced with an IT environment that was not revealing its vulnerabilities. This combined effort would always prove fruitful.

This, to me, indicates a number of things including the professionalism and camaraderie that is prevalent, the determination to test every possible attack vector and the CEO having a strong connection with staff, their challenges and interactions.

What it also indicates is the requirement for a thorough, determined and methodical approach to penetrating a system, and this has been an overriding factor during my internship researching ICS/SCADA network security and the sophisticated nature of some of the malware these systems face.

The ICS Battleground

As a mature student, with a background in programming, testing and application support, I was delighted to be assigned research in this complex and challenging arena – “Arena” may not be descriptive enough as it is becoming something more of a battleground for cyber-espionage and cyber-terrorism.

If you are not familiar with terms such as ‘Stuxnet’ and ‘SCADA’, you may be wondering what the fuss is about. Allow me to offer a brief overview…

Industrial Control Systems (ICS) are responsible for most of humanity’s basic needs: heat, light, food, fuel and medicines are delivered by systems governed by industrial control, that is, the control systems that are part of process and manufacturing environments.

Supervisory Control and Data Acquisition (SCADA) is the part of a control system that monitors and commands field devices, often across geographically dispersed sites, from a central master station. It is one kind of ICS, and the term is commonly misused to represent ICS as a whole.

ICS Timeline

From the following timeline it becomes obvious that these systems were designed before the internet reached its current level of maturity. When they embraced Ethernet/TCP/IP they became connected, and this makes them highly vulnerable to attack, as security provisions such as authentication and encryption were never built into the field protocols.

  1. 18th century: commencement of the Industrial Revolution
  2. 1900s: remote systems controlled by electrically operated switches (relays)
  3. 1950s: industrial hardware controlled by ticker and punched paper tape
  4. 1960s: systems become subject to distributed control
  5. 1969: embedded systems, the Programmable Logic Controller (PLC)
  6. 1979: Modicon invents Modbus, a serial line protocol for communications between electronic devices
  7. 1986: general purpose computers become control points for PLCs
  8. 1992: ICS embrace TCP/IP and gain connection to the internet
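To make the "security provisions were not in-built" point concrete, here is an added example (not code from the original post or from Citadelo) that encodes and decodes Modbus/TCP frames, the Ethernet successor of the serial Modbus in the timeline. The frame layout (MBAP header, function code, address, value) follows the public Modbus specification; the host addresses and the traffic sample are constructed for illustration. The point to notice is what the frame does not contain: nothing identifies or authenticates the sender, so a write that sets a register is accepted from anyone who can reach TCP port 502. The `audit_requests` function shows the kind of compensating control a network monitor must therefore supply.

```python
import struct

# Modbus/TCP function codes from the public Modbus Application Protocol spec.
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTION_CODES = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                        WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def build_frame(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP ADU: MBAP header followed by the PDU.

    Note what is absent: no credential, no MAC, no nonce. A device that
    accepts this frame cannot tell the engineering workstation from an
    attacker who can reach TCP/502.
    """
    pdu = struct.pack(">B", function_code) + data
    # The MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_register(transaction_id, unit_id, address, value):
    """FC 0x06: set one holding register (e.g. a setpoint) to `value`."""
    return build_frame(transaction_id, unit_id, WRITE_SINGLE_REGISTER,
                       struct.pack(">HH", address, value))


def read_holding_registers(transaction_id, unit_id, address, count):
    """FC 0x03: read `count` holding registers starting at `address`."""
    return build_frame(transaction_id, unit_id, READ_HOLDING_REGISTERS,
                       struct.pack(">HH", address, count))


def parse_frame(frame: bytes) -> dict:
    """Decode the MBAP header and the leading PDU fields, validating framing."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    function_code = frame[MBAP_LEN]
    data = frame[MBAP_LEN + 1:]
    parsed = {"transaction_id": transaction_id, "unit_id": unit_id,
              "function_code": function_code}
    # For the read and write codes handled here the PDU starts with a 16-bit
    # address followed by a 16-bit value (single writes) or quantity.
    if function_code in WRITE_FUNCTION_CODES or function_code == READ_HOLDING_REGISTERS:
        if len(data) < 4:
            raise ValueError("truncated PDU")
        parsed["address"], parsed["value_or_quantity"] = struct.unpack(">HH", data[:4])
    return parsed


def audit_requests(requests, allowed_writers):
    """Passive compensating control a network monitor could apply.

    `requests` is a list of (source_ip, raw_frame). Every write-class request
    from a host outside the engineering allowlist is reported. The protocol
    cannot enforce this itself, so the check has to live on the network.
    """
    alerts = []
    for source_ip, frame in requests:
        parsed = parse_frame(frame)
        if parsed["function_code"] in WRITE_FUNCTION_CODES and source_ip not in allowed_writers:
            alerts.append((source_ip, parsed["unit_id"], parsed["function_code"], parsed["address"]))
    return alerts


# Constructed sample traffic with hypothetical addresses (not captured data):
# an engineering workstation at 10.0.0.5 reads and writes register 0x0010;
# an unknown host at 10.0.0.99 replays the identical write, and a PLC would
# accept it just the same.
ENGINEERING_HOSTS = {"10.0.0.5"}
SAMPLE_REQUESTS = [
    ("10.0.0.5", read_holding_registers(1, 1, 0x0010, 2)),
    ("10.0.0.5", write_single_register(2, 1, 0x0010, 0x0001)),
    ("10.0.0.99", write_single_register(2, 1, 0x0010, 0x0001)),
]

if __name__ == "__main__":
    for src, frame in SAMPLE_REQUESTS:
        print(src, frame.hex(), parse_frame(frame))
    print("alerts:", audit_requests(SAMPLE_REQUESTS, ENGINEERING_HOSTS))
```

Run as is and the two write frames are byte-for-byte identical; only the source address distinguishes them, which is exactly why ICS defences lean on segmentation and allowlisting of engineering hosts rather than on anything the protocol offers.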

Challenges and Threats

The threat of cyber-espionage and sabotage against these control systems is serious, potentially catastrophic, and a growing focus of both the ethical and the non-ethical hacking communities. Government agencies are actively seeking the ability to monitor and take control of these systems.

It is a recognised fact that critical infrastructure providers cannot afford complacency. Systems that were historically built for reliability, control and safety have, since their embrace of Ethernet/TCP/IP, become vulnerable to cyber threats.

When you are pitted against heavily financed and military-trained groups, whether labelled cyber-terrorism or cyber-espionage, the threat and potential for significant service disruption, hardware damage, financial cost and, in the worst case, loss of life cannot be overlooked.

If we ask ourselves “What has been solved?” in regard to cyber security, we have to consider the definition of the word. It can be viewed as effectively dealing with a problem. Has cybersecurity been solved? The answer can only be “No”.

Whilst the necessary analysis of known, specific malware can raise awareness and drive countermeasures against those attacks, focusing on particular malware examples can narrow the mindset of the defenders. There are many tools and techniques available for hardening a system, but malware is continuously evolving.

It is not unreasonable to deduce that security implementations are becoming more and more layered. There is good reason for this: many ICS systems cannot tolerate the downtime that patching or replacing a controller would require, since they measure performance in milliseconds, so compensating controls have to be layered around devices that cannot themselves be fixed.

If we consider the BlackEnergy malware, which was recently used as part of the attack on the Ukrainian power grid in 2015 that disrupted the electricity supply of over 225,000 customers for hours, we can find documented evidence that during 2015 at least 12 different versions were in circulation. Yes, BlackEnergy is still alive and well, and these versions indicate that its targets are specific.

The challenge is increasing exponentially. Attacks are more and more frequent, more elaborate, more strategically planned, designed and executed. We have to think like hackers; very serious and highly experienced hackers. Next, we have to think ahead: will the next attack be an evolution of existing malware, a combination, or something as yet unencountered?

“Forewarned is forearmed” is a relevant adage, and some experts recommend attack trees as the best defence against future attacks, but there are arguments against this type of modelling. An attack tree places the attacker’s goal at the root and maps out the alternative (OR) and combined (AND) steps by which it could be reached, which is far from irrelevant, but we need to consider the underpinning methodology: the tree only contains the paths somebody thought to write down.
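To show what attack-tree analysis actually buys a defender, and where its limit lies, here is an added example (not code from the original post or from Citadelo). The tree, the cost figures and the candidate countermeasures are constructed for illustration, not taken from any real assessment. It computes the attacker's cheapest route to the root goal (the cheapest child of an OR node, the sum of the children of an AND node), then re-evaluates the tree after each candidate countermeasure to rank which one raises the attacker's cost most. The caveat from the text is visible in the same code: a path nobody modelled never appears in the ranking.

```python
from dataclasses import dataclass, field, replace
from typing import List, Tuple


@dataclass
class Node:
    """One node of an attack tree: the attacker's goal at the root, OR/AND
    refinements below it, and leaves carrying an estimated attacker cost."""
    name: str
    kind: str = "leaf"             # "leaf", "or" or "and"
    cost: float = 0.0              # leaves only: effort in arbitrary units
    children: List["Node"] = field(default_factory=list)


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Minimum cost for the attacker to achieve `node`, and the leaves used.
    An OR node is achieved by its cheapest child; an AND node needs all of them."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest_attack(child) for child in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        return (sum(r[0] for r in results),
                [leaf for r in results for leaf in r[1]])
    raise ValueError("unknown node kind %r" % node.kind)


def harden(node: Node, leaf_name: str, extra_cost: float) -> Node:
    """Return a copy of the tree in which one leaf has been made harder,
    modelling a countermeasure. The original tree is left untouched."""
    if node.kind == "leaf":
        return replace(node, cost=node.cost + extra_cost) if node.name == leaf_name else node
    return replace(node, children=[harden(c, leaf_name, extra_cost) for c in node.children])


def rank_countermeasures(root: Node, candidates: List[Tuple[str, float]]) -> List[Tuple[str, float]]:
    """For each (leaf, added cost) candidate, the attacker's new cheapest cost
    against the hardened tree, sorted so the most effective single measure
    comes first. A leaf that is not on the cheapest path changes nothing, and
    a path that was never modelled cannot show up here at all."""
    ranked = [(leaf, cheapest_attack(harden(root, leaf, extra))[0]) for leaf, extra in candidates]
    return sorted(ranked, key=lambda r: -r[1])


# Constructed example tree (hypothetical; costs are illustrative units).
TRIP_BREAKERS = Node("Trip substation breakers remotely", "or", children=[
    Node("Via compromised operator workstation", "and", children=[
        Node("Phish an operator", cost=2),
        Node("Pivot from office LAN to HMI network", cost=3),
        Node("Issue breaker command through HMI", cost=1),
    ]),
    Node("Via internet-exposed protocol gateway", "and", children=[
        Node("Find exposed Modbus/TCP gateway", cost=1),
        Node("Send unauthenticated write command", cost=1),
    ]),
    Node("Via vendor remote maintenance", "and", children=[
        Node("Obtain vendor VPN credentials", cost=4),
        Node("Use maintenance channel to reach RTU", cost=2),
    ]),
])

# Candidate countermeasures, each expressed as extra cost on one leaf.
COUNTERMEASURES = [
    ("Find exposed Modbus/TCP gateway", 10),      # take the gateway off the internet
    ("Pivot from office LAN to HMI network", 5),  # segment office and control networks
    ("Obtain vendor VPN credentials", 3),         # MFA on vendor remote access
]

if __name__ == "__main__":
    print("cheapest attack:", cheapest_attack(TRIP_BREAKERS))
    for leaf, new_cost in rank_countermeasures(TRIP_BREAKERS, COUNTERMEASURES):
        print("harden %r -> attacker cost %s" % (leaf, new_cost))
```

On this tree the exposed gateway is the cheapest route, and removing it is the only one of the three measures that changes the attacker's cost at all; segmentation and vendor MFA matter only once that path is closed. That ordering is the useful output of the method. The weakness is equally plain: if a fourth route exists that the modellers missed, the tree reports cost 6 while the real figure may be lower.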

What is needed is a collaborative effort where the gain is not financial but relevant to all those involved in cyber security and, certainly not least important, the essential involvement of the ICS industry whose knowledge and experience must be taken into careful consideration. This is something already realised by Citadelo as they undertake an ambitious project, SECUREA, to establish an open-source methodology for security auditing/development and are keen for any interested parties to get in touch.

