Thursday 24 September 2015

SCADA Vulnerability on the Rise

SEATTLE—Industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, are increasingly at risk of cyber-attack, recent security reports have revealed. Both the capabilities to attack such systems and the number of attacks recorded are on the rise. And the rise of the Industrial Internet of Things (IIoT) will only make things worse.

The recent report Up and to the Right, from threat intelligence company Recorded Future, shows the number of reported security vulnerabilities for ICS systems has grown steadily since 2011 (post STUXNET) and shows no sign of slowing. At the same time, as reported by researchers and industry watchers, the number of “exploits” available for those vulnerabilities has also grown, the report said.

The number of reported exploits has risen sharply since 2011, and 2015 is continuing that trend. (Source: Recorded Future)

In its annual Threat Report for 2015, Dell Security reported that the number of reported attacks on SCADA systems worldwide had doubled last year, from 163,228 in 2013 to 675,186 in 2014. Nearly a quarter of these exploited buffer overflow vulnerabilities. The actual number may be much higher, however, as many SCADA attacks go unreported, the report adds, noting that companies are only required to report data breaches that involve personal or payment information.

Despite the risks, however, industry seems to be slow in responding. “The industry has made improvements,” said Recorded Future CEO Christopher Ahlberg in an interview with EE Times, “but it has not been improving. Some vendors are working on it but some still have a lot of work to do. And with this whole wave of IoT things are going to get worse as the attack surface of systems expands.”

Ahlberg acknowledged that with a large installed base of systems the task of beefing up their security is difficult, but he doesn’t see that as the main problem. “The industry really hasn’t had its ‘Microsoft security moment,’” he said, referring to the time Microsoft systems encountered the Code Red worm, prompting the company to initiate a regular program of issuing security patches to its OS.

One thing that Ahlberg indicates may be contributing to the industry’s inertia is a lack of truly damaging attacks. “It’s not been like on the banking side or healthcare,” Ahlberg said, “we haven’t really seen serious attacks on these systems.” His concern, however, is that the attacks that are happening are simply a preliminary probing of these systems to identify exploits, steal credentials, quietly insert malware, and the like. “There is a lot of preparation being done,” he said, “and there will be a day.”

Similar sentiments have come from James R. Clapper, US Director of National Intelligence. Speaking to the US Congress earlier this month, Clapper said, “Foreign actors are reconnoitering and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile.” He pointed out an example of Russian cyber actors developing the means to remotely access the ICS used to manage critical infrastructure, by compromising the product supply chain of several ICS vendors. The cyber actors were able to insert malware designed to facilitate exploitation directly into the vendors’ downloadable files so that customers acquired the malware along with legitimate software updates directly from the vendors’ websites. While he doesn’t see any immediate threat of a “catastrophic attack” – it would be seen as an act of war – he foresees “… an ongoing series of low-to-moderate level cyber-attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.”

View the original content and more from this author here: http://ift.tt/1LPuvNR


