Cybersecurity: What you don’t know can hurt you

When WannaCry ransomware brought down two million computers in May last year, Australia largely dodged the attack.

Why? Because it took place after close of business on Friday when most people weren’t logged into their computers.

But it was a lucky break. Australia is perhaps more prone to cyber attacks than many other countries thanks to its economic reliance on mining, oil and gas extraction and distribution.

Attacks on organisations in these industries are on the rise globally due to vulnerabilities in industrial control systems (ICS) such as supervisory control and data acquisition (SCADA), programmable logic controllers (PLCs) and other control technologies.

Remember Stuxnet? That was an attack on an ICS that disrupted Iran’s uranium enrichment facility in 2009, and an attack on an ICS-disconnected transmission lines serving Kiev, Ukraine, in 2016.

Australia is not immune to similar attacks. Utilities, mining, minerals and energy companies and manufacturers invest heavily in ICS and without this technology, these businesses simply cannot operate.

It’s therefore imperative everyone in these industries understands what makes them so vulnerable. Here are a few red flags to watch out for.

Unpatched Windows operating systems

Well before the WannaCry attacks, Microsoft had issued the patch to remedy the vulnerability for all supported versions of Windows.

It seems some businesses didn’t bother patching, or were running old, unsupported versions of Windows, thus enabling the attacks to go ahead.

In an industrial setting, engineering workstations and human machine interfaces (HMI) are extremely vulnerable on this front, as they often run outdated and unpatched Windows operating systems.

This is akin to putting out the welcome mat to adversaries, who can access industrial systems via this vulnerability without even needing control systems-specific knowledge.

Unauthenticated protocols

When an ICS protocol lacks authentication – that is, the ability to make sure data comes from a trusted source – any computer on the network can send commands that alter the physical process, such as changing the set point or sending an inaccurate measurement value to the HMI.

Outdated hardware

Simply put, there’s a lot of decades-old ICS hardware out there that are not up to the task of handling the threats presented by modern networks. Remote terminal units, PLCs, variable frequency drives, protective relays, flow computers, and gateway communicators are all in the crosshairs here.

If companies are unwilling to update old hardware, they should consider firewall rules that minimise the potential for devices to connect with any outdated hardware over the network.

Weak user authentication

Weaknesses in legacy control systems often include hard-coded passwords, easily cracked passwords, passwords stored in easily recoverable formats, and passwords sent in clear text.

An attacker who obtains these passwords can then interact with the controlled process at will. The 2009 Stuxnet event is one example of an attack that took advantage of a hard-coded password inside a database to gain access.

Weak file integrity checks

Industrial enterprises must also be able to verify the integrity and origin of data or code. This is usually done using cryptographic verification. However, ICS integrity checking is often deficient.

Software signing verifies it is from an authorised source. Without it – or with weak signing – attackers can mislead users into installing software that doesn’t come from the vendor.

Undocumented third-party relationships

Surprisingly, ICS asset owners seldom document and track third-party dependencies in ICS software they operate. Many ICS vendors may not immediately know the third-party components they use, making it difficult for them to inform their customers of the vulnerabilities.

Adversaries who understand these dependencies can target software the industrial firm may not even know it has. At the very least, industrial enterprises should make sure they request ICS vendors submit a list of third-party software and versions used in their products.

For energy companies, high levels of vigilance and cyber-awareness are particularly important, due to the massive economic and environmental cost that ICS malfunctions can cause.

It’s impossible to avoid cyber attacks, but it is possible to minimise the fall-out by making sure everyone from the CEO down knows what to look out for in this ever-evolving threat landscape.