We are all users of energy and water and very much take for granted that they are almost always there when we need them. Working away in the background to make this so are a myriad of safety and mission critical industrial control and automation systems. For many years the organisations using such systems have been moving away from the use of bespoke software to using off-the-shelf products, the prime drivers for this being the market’s demand for cheaper and more easily maintained systems. Primarily this has meant using operating systems such as Microsoft Windows and TCP/IP based networks. The use of standard technologies such as these, the thirst for management information and the need to have access to the mission-critical data in real time have led to these systems being connected more and more to corporate networks. This increased connectivity has now expanded even more to include the facilitation of remote access to industrial automation systems for support teams, including external parties such as vendors.
Being able to utilise remote support for these systems provides many benefits both to the site where they are installed and to the vendor, enabling troubleshooting to occur immediately without requiring attendance at the affected site. This remote access, however, provides an external link to these safety and mission critical systems, which can be exploited by those with malicious intent. Being able to manipulate the vendor system allows hackers to access these critical systems of an organisation without needing to attack the organisation directly through its corporate network, which often has good perimeter security controls in place.
Industries where these systems are used (e.g. energy, manufacturing and utilities) were recently targeted by criminal groups such as the Energetic Bear APT group. Such attacks are increasingly being expanded beyond corporate systems to include industrial control and automation systems. Traditionally these attacks were aimed directly at the industry organisations; recently, however, the attack strategy has changed, with attacks being targeted at the vendors supporting these industries, as these often have lower levels of perimeter security in place and give the hackers the opportunity to attack multiple industry organisations at once.
One recent example of this is Havex; it is currently believed that there are 2,800 victims of the Havex attack. This malware is known to have been around since September 2011, but in spring 2014 it was adapted to look for OPC information associated with industrial control systems.
The Havex malware uses a Remote Access Trojan (RAT) and a Command and Control (C&C) server to work. The RAT is installed on the destination device and communicates with C&C servers hosted on compromised web servers around the world. Researchers estimate that there are over 200 compromised web servers located across the world. Whilst the Havex malware does have the capability to make changes to the compromised systems, as of July 2014 no evidence of this being used had been found.
1 OPC is the interoperability standard for the secure and reliable exchange of data in the industrial automation space and in other industries. It is platform independent and ensures the seamless flow of information among devices from multiple vendors.
There are three vendor websites that are known to be compromised at this time:
• MESA Imaging – infection of a SwissRanger camera dll
• eWON – infection of a software installer
• MBConnect – infection of a software installer.
The malware was found to be transmitted through three main channels: spam email, exploit kits and compromised vendor websites. None of these methods is unique or new, and all rely on the systems and vendor websites being inadequately protected. Organisations generally use a defence in depth methodology to protect their safety and mission critical systems, but allowing an infected vendor system to connect remotely can often lead to many of these protections being bypassed. Once inside the organisation it is then easier to find other systems that, if infiltrated, could have a much larger impact.
As these critical systems are the heart and soul of the organisations using them, it is vital that they are resilient against such attacks in order to maintain safety and business continuity (and in some cases, to keep our lights on!).
As with most issues, there are things that organisations can do to protect themselves against malware such as Havex.
Due to their ever-increasing reliance on third party vendors for their industrial control and automation systems, organisations must ensure that these vendors are treated as part of their defence in depth and that they are addressing security in a way that meets the requirements of the client organisation.
Companies could also protect themselves by simply applying to their industrial systems the good practice security measures they already use in their corporate networks. These include implementing and enforcing strict access control lists and good user account controls. Additionally, there are some standard controls that should be in place, including: keeping patch levels up to date, maintaining AV signature files, using hardened builds, network segregation with firewalling from the corporate environment and controlling the use of removable media.
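As an added illustration of the firewalling and segregation controls above (not part of the original article), the following Python check reads firewall logs and flags control-network hosts contacting external addresses other than an approved vendor support endpoint, the kind of outbound traffic a RAT talking to a web-hosted C&C server would produce. The subnets, the allowlist entry and the log format are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumptions (constructed for illustration): subnets, allowlist and log format.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")     # industrial control segment
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")     # all internal address space
APPROVED_VENDOR_ENDPOINTS = {("198.51.100.10", 443)}   # vendor remote-support gateway

# Constructed sample firewall log: timestamp,src_ip,dst_ip,dst_port,action
SAMPLE_LOG = """\
2014-07-01T08:00:01,10.20.1.15,10.1.4.20,1433,allow
2014-07-01T08:02:10,10.20.1.15,198.51.100.10,443,allow
2014-07-01T08:05:44,10.20.3.7,203.0.113.80,80,allow
2014-07-01T08:06:02,10.20.3.7,203.0.113.80,80,allow
2014-07-01T08:09:30,10.20.3.7,192.0.2.55,80,deny
2014-07-01T08:11:12,10.1.4.20,203.0.113.80,80,allow
"""

def find_unapproved_egress(log_text):
    """Return {src_ip: {(dst_ip, dst_port, action): count}} for control-network
    hosts contacting external addresses that are not approved vendor endpoints."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue  # skip malformed lines
        _ts, src, dst, port, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            dst_port = int(port)
        except ValueError:
            continue  # skip lines with unparsable addresses or ports
        if src_ip not in CONTROL_NET:
            continue  # this check covers control-network sources only
        if dst_ip in CORPORATE_NET:
            continue  # internal flows are a matter for the segregation rules
        if (dst, dst_port) in APPROVED_VENDOR_ENDPOINTS:
            continue  # sanctioned vendor remote-support traffic
        findings[src][(dst, dst_port, action)] += 1
    return {src: dict(flows) for src, flows in findings.items()}

if __name__ == "__main__":
    for host, flows in find_unapproved_egress(SAMPLE_LOG).items():
        for (dst, port, action), count in flows.items():
            print(f"{host} -> {dst}:{port} {action} x{count}")
```

Flows marked `allow` show that the firewall let the traffic out of the control segment; `deny` entries still identify a host that is attempting to reach the Internet and warrants investigation.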
One of the best methods to evaluate and strengthen the security of these systems is to undertake regular penetration tests to identify any vulnerabilities that can then be closed off. Thinking like the attacker is the only real way to see just how secure you really are.
For more information on penetration testing, get in touch with us on 0870 600 1667 or email email@example.com.
2 MESA Imaging is a manufacturer of high-performance 3D cameras and sensors based on time-of-flight technology. It provides industrial-grade cameras for use in robotics & automation, healthcare, security and transportation.
eWON is a manufacturer of products that offer secure industrial connectivity across the Internet.
The MB Connect Line GmbH offers universal solutions for worldwide remote maintenance of machinery and equipment.