There are extensive treatments of the similarities and differences between information technology (IT) systems and industrial control systems (ICS), but these differences are more than academic concerns. Many IT hacks reported in the media appear opportunistic, in the sense that the hackerverse exerts constant pressure on IT systems, searching for targets of opportunity or weak links in the defense. In contrast, deploying an effective cyber weapon intended to sabotage critical infrastructure is not simply a matter of finding the latest vulnerability in an OPC server or a hard-coded password in a PLC.

For the purpose of this discussion, a cyber-weapon is a software artifact designed to cause physical harm to objects, people, or the environment. Turning machines into weapons is not a new idea, and entities such as the Chinese PLA have made the notion explicit: “The new concept of weapons will cause ordinary people and military men alike to be greatly astonished at the fact that commonplace things that are close to them can also become weapons with which to engage in war.”

The reason cyber-physical systems are the likely targets of cyber weapons is intuitive: this is the point where software meets the physical world, and the results include physical effects, some of which could be disastrous. Here a knowledgeable attacker is not just asking what they can do to an actuator, but what they can do with an actuator. Some ICS are so fragile that a simple Nmap scan will make them fall over dead. A sophisticated attacker does not necessarily restrict himself to process disruptions; he will want to achieve and maintain malicious process control. But control cannot be exerted through failed controllers, and it also requires a level of process knowledge not taught in any hacker class.

The sophisticated or state-sponsored attacker will leverage any IT vulnerability as a pivot point to get where they need to be, and then take advantage of emergent plant-level vulnerabilities. This strategy was detailed in Ralph Langner’s analysis of Stuxnet: the cyber-physical weapon was cloaked in various IT vulnerabilities, some known and some unknown (i.e., 0-day). Although for any given plant design there are only a limited number of ways to cause serious trouble with a cyber-physical attack, it is this nexus between the physical and cyber worlds where the sophisticated attacker intends to exert influence and achieve their ends.

An overactive imagination is not required. Multiple malicious scenarios come easily to mind when contemplating high-energy or toxic substances, safety systems, expensive or hard-to-replace equipment, contamination of sensitive products, as well as opportunities for scalability. Even the more mundane support systems such as water, steam, pressurized air, lubrication, HVAC, and transportation are not immune and may present prime targets because of all the production systems that depend on them. In these systems, serious consequences can easily result from trivial manipulations such as maliciously issued trip signals or disabled protection systems. Furthermore, considering that the same, or at least very similar, cyber-physical systems cross multiple industries such as energy, chemical, oil and natural gas, and critical manufacturing, and are serviced by a relatively small number of vendors, the supply chain and the need for remote access provide ample opportunities for infiltration, compromise, and scaling of effects. Some of these opportunities have already been taken advantage of by real-world attackers; others will follow.

Lest one imagine that extensive process knowledge is a barrier to the proliferation of advanced cyber weapons, think again. The development of cyber-weapons does not require special material (unlike nuclear weapons), and the specialized process knowledge may be common among engineers (as in the case of the Aurora vulnerability), or it may be commoditized, with exploits packaged into simple point-and-click tools. Motivation and money seem to be the only barriers to developing even the most sophisticated cyber-weapons, as everything else (including detailed process knowledge) is available on the open market.

The outlook is bleak only if we insist on applying IT solutions to the ICS environment. We are way past the point of asking ‘why would anybody do that?’ The answer can range from ‘because they can’ to extreme ideologies. Regardless of the motivation of the attacker, the defender of cyber-physical systems embedded in critical infrastructure needs an approach that works in an ICS context. At The Langner Group, this is our base proposition.

Perry Pederson