Industrial Control Systems and Cyber Attacks

The United States has the largest network of internet-connected industrial control systems (ICS) in the world, which means that this aspect of critical infrastructure is extremely vulnerable, since many of these ICS are in private hands.

ICS are used to control a huge and diverse portion of critical infrastructure ranging from oil production to water supply and are at varying levels of security throughout the country. I’ve attached some resources to better understand ICS and what kinds of attacks can occur. These are all great examples of how critical infrastructure can be targeted through cyber attack.


Kemuri Water Company Attacks:


The Kemuri Water Company was the name Verizon gave to its hacked client in its 2016 Data Breach Digest. This hack gave the attackers access to the systems controlling highly dangerous water treatment chemicals and the general operation of the water flow. Fortunately, the hackers didn’t have enough information on the system to make effective use of this access before they were caught.




This is an excerpt from a 2016 SecurityIntelligence article detailing a few more examples of cyber attacks:


“ICS Malware Targets European Energy Company
The SFG malware, discovered in June 2016 on the networks of a European energy company, created a backdoor on targeted industrial control systems. The backdoor delivered a payload that was “used to extract data from or potentially shut down the energy grid,” according to security researchers at SentinelOne Labs, as reported by The Register.
The Windows-based SFG malware is designed to bypass traditional antivirus software and firewalls. It contains all the hallmarks of a nation-state attack, likely of Eastern European origin.
New York Dam Attack
In March 2016, the U.S. Justice Department claimed that Iran had attacked U.S. infrastructure by infiltrating the industrial controls of a dam in Rye Brook, New York. The attackers compromised the dam’s command-and-control (C&C) system in 2013 using a cellular modem.
This is troubling because it represents one of the first major efforts of a foreign government entity to commandeer U.S. infrastructure. Although the attack happened in 2013, it wasn’t reported or attributed until 2016.
Ukrainian Power Outage
In December 2015, a power company located in western Ukraine suffered a power outage that impacted a large area that included the regional capital of Ivano-Frankivsk, Reuters reported. [Investigators discovered that cyber criminals had facilitated] the outage by using BlackEnergy malware to exploit the macros in Microsoft Excel documents. The bug was planted into the company’s network using spear phishing emails.
These three attacks succeeded primarily due to the lack of situational awareness by both the employees and management of the firms in question. This is not surprising, given the increase of automation and internet connectivity within the industrial world.”




Methods of attack in these situations can vary greatly. Some of the key vectors of attack according to IBM’s report on Security Attacks on Industrial Control Systems include buffer overflows, SQL injections, and spear phishing. Though the details of how these operate are certainly not within the scope of this committee, research into how to defend against such attacks may be useful in proposing preemptive legislation. For further reading on ICS attacks, check out the IBM report linked below.

