Imagine it's 1903 and you're standing in front of a large hotel on a remote peninsula cliffside in Poldhu (Cornwall, UK). Despite the large antennas next to it or the huge kite that sometimes flies antennas even higher, you might not realize you are looking at the site of historic wireless telegraph communications — or the victim of the first wireless cyberattack. Guglielmo Marconi, an Italian credited as the inventor of radio and the father of wireless, was about to wirelessly transmit a telegraph message 300 miles away to the Royal Academy of Science in London. Before Marconi could start his message, the receiving apparatus tapped out another Morse code dispatch coming from a stronger radio signal:
"Rats… Rats… Rats… Rats."
More nasty messages aimed at Marconi soon followed. As it turned out, a wired telegraph company hired Nevil Maskelyne, a British magician and fellow radio hobbyist, to disrupt Marconi's demo, proving in the process that open radio communications are not "secure and private" channels.
According to the Department of Energy's (DOE) History of Industrial Control System Cyber Incidents report, this was one of the first recorded "cyber" attacks on an industrial control system (ICS). While wireless telegraphy hadn't quite been "industrialized" yet, this incident still demonstrated the potential risk posed by critical ICS that society relies on.
ICS are the computers — sometimes very specialized — that control the operation of industrial technology found in energy plants, water and gas utilities, communication infrastructure, and manufacturing. ICS also includes supervisory control and data acquisition (SCADA) systems, which are the computers that remotely monitor and control ICS operational technology (OT).
While ICS equipment is often very specialized, it can suffer the same software and hardware vulnerabilities that afflict traditional computers. Security experts have long warned that hackers would target ICS, and incidents like the recent Colonial Pipeline ransomware attack prove that point (something many observers, including WatchGuard, predicted years ago). More concerningly, successful ICS attacks have accelerated in frequency and impact over the last five years.
However, we can protect these systems, especially if we learn from history. Here are five key security lessons we have learned from past ICS attacks:
1. Insiders Threaten Even the Most Secured Systems
In 2008, Maroochy Water Services (MWS) in Queensland, Australia, started suffering wastewater pump failures, resulting in the unplanned release of over a million gallons of untreated sewage. These failures happened without any faults or alarms going off. In the end, it turned out a disgruntled contractor had stolen computer and radio equipment and was sabotaging these pumps as revenge for not receiving a permanent position.
Protecting yourself from malicious insiders can be hard, but having strong asset management controls and processes for quickly revoking the privileges of ex-employees and contractors can help. As an extra lesson, MWS also realized its equipment's wireless radio communications were not encrypted. If you are going to use a publicly accessible communication medium, you must secure and encrypt it.
2. Obscurity and Airgaps Don't Equal Impenetrable Security
In 2010, the Stuxnet attack on the Iranian nuclear program opened the Pandora's box of state-sponsored ICS cyberattacks. This sophisticated attack caused Iranian uranium enrichment centrifuges to spin out of control, essentially tearing themselves apart. It involved extremely advanced malware exploiting four zero-day flaws, the first-ever programmable logic controller (PLC) rootkit targeting a very proprietary device, and even an alleged double agent to walk the malware through an airgap.
If you learn anything from Stuxnet, it's that with the right amount of money, time, and motivation, even the most secure facility can be breached. If the system you protect is critical, you need very advanced security controls and procedures to fend off state-sponsored threat actors.
3. Watch Out for Spear-Phishing
In 2014–15, alleged Russian threat actors installed BlackEnergy malware onto Ukrainian power-company computers via spear-phishing emails containing a booby-trapped Word document. The malware gave them the access needed to shut down power for nearly a quarter million Ukrainians for six hours. (This happened again in 2016 with CRASHOVERRIDE malware.) This is only one of many ICS breaches that started with spear-phishing, including the 2012 Shamoon wiper malware, the 2012 attacks on US natural gas pipelines, and a 2014 German steelworks hack.
The lesson is obvious: Spear-phishing is an extremely popular tactic in ICS attacks. Make sure you train your users regularly on how to identify and avoid spear-phishing emails.
4. Digital Attacks Can Cause Physical Damage and Death
In 2017, experts investigating system failures in a Saudi Arabian petrochemical plant found very specialized ICS malware, known as TRITON, designed to disable industrial emergency shutdown and safety systems and cause physical damage. TRITON is widely considered to be the first cyberattack intended to cause human casualties.
Protecting ICS isn't important only for the services these systems provide but also for our own physical safety.
5. ICS Is Susceptible to Ransomware
Historically, ICS attacks seemed the realm of nation-state and terrorist threat actors, but now cybercriminals have come to play too. Our 2019 ICS prediction came true when Norsk Hydro, a global aluminum smelter company, got infected by ransomware, forcing it to shut down some production and revert to manual processes. More recently, the same happened to Colonial Pipeline.
While these incidents have different root causes, they prove that criminal actors are now sophisticated enough to breach ICS companies, and that ICS makes a good target for extortion. They also suggest that airgaps in ICS OT were largely a myth in 2020. If you are an ICS company, you need a detailed business continuity and disaster recovery plan that allows you to quickly restore your services in any calamity, including a ransomware cyberattack.
That's just a tiny handful of lessons we can extract from only a few ICS cyberattacks. There are many others, and they seem to be occurring with more frequency.