Attacks Targeting Industrial Control Systems (ICS) Up 110 Percent

Since IBM X-Force published its report, “Security Attacks on Industrial Control Systems,” last year, we have observed a startling increase in the number of attacks against these systems.

Attacks Against Industrial Control Systems Increasing

According to IBM Managed Security Services (MSS) data, attacks targeting industrial control systems (ICS) increased by more than 110 percent in 2016 over the previous year’s numbers, as of Nov. 30.

ICS attacks over the past four years.

Specifically, the spike in ICS traffic was related to SCADA brute-force attacks, which use automation to guess default or weak passwords. Once broken, attackers can remotely monitor or control connected SCADA devices.

In January 2016, GitHub released a penetration testing solution that contained a brute-force tool that can be used against Modbus, a serial communication protocol. The public release and subsequent use of this tool by various unknown actors likely led to the rise in malicious activity against ICS in the past 12 months.
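As an added example, not taken from the X-Force report or from any tool mentioned above, here is a defender-side detection routine for the brute-force pattern just described: it reads HMI/SCADA authentication log lines (the log format, host name and addresses are constructed for the demo), alerts when one source reaches a threshold of failed logins against the same host inside a sliding window, and marks the alert if a successful login from that source follows.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical HMI auth-log format (not real data).
SAMPLE_LOG = """\
2016-11-30T08:00:01 src=203.0.113.7 dst=hmi-01 user=admin result=FAIL
2016-11-30T08:00:02 src=203.0.113.7 dst=hmi-01 user=admin result=FAIL
2016-11-30T08:00:02 src=203.0.113.7 dst=hmi-01 user=operator result=FAIL
2016-11-30T08:00:03 src=203.0.113.7 dst=hmi-01 user=root result=FAIL
2016-11-30T08:00:04 src=203.0.113.7 dst=hmi-01 user=admin result=FAIL
2016-11-30T08:00:05 src=203.0.113.7 dst=hmi-01 user=admin result=OK
2016-11-30T08:05:00 src=198.51.100.4 dst=hmi-01 user=operator result=FAIL
2016-11-30T08:20:00 src=198.51.100.4 dst=hmi-01 user=operator result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>\S+)$")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (src, dst) pair that reaches `threshold` failed
    logins inside `window`. `success_after` is set if the same source later
    logs in successfully, the strongest sign that a guessed password worked."""
    fails = defaultdict(deque)  # (src, dst) -> timestamps of recent failures
    alerted = {}                # (src, dst) -> index into `alerts`
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["dst"])
        if m["result"] == "FAIL":
            q = fails[key]
            q.append(ts)
            while ts - q[0] > window:  # evict failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted[key] = len(alerts)
                alerts.append({"src": key[0], "dst": key[1], "first_seen": q[0],
                               "count": len(q), "success_after": False})
        elif m["result"] == "OK" and key in alerted:
            alerts[alerted[key]]["success_after"] = True
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

With the sample above, the source that fails five times in four seconds and then succeeds produces one alert with `success_after` set; the second source, with a single failure, produces none.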

U.S.-based actors accounted for the majority of ICS attacks in 2016. This was not surprising, since the U.S. has the largest presence of internet-connected ICS systems in the world.

Top five countries originating ICS attacks.

The U.S. was also the largest target of ICS-based attacks in 2016, primarily because, once again, it has a larger ICS presence than any other country at this time.

Top five countries attacked.

Notable Recent ICS Attacks

ICS attacks, like other types of cyberthreats, have been increasing in scale and sophistication over the past few years. The rise is linked with the growing connectivity of industrial systems. Let’s review a few high-profile cases reported over the last year from different parts of the world:

ICS Malware Targets European Energy Company

The SFG malware, discovered in June 2016 on the networks of a European energy company, created a backdoor on targeted industrial control systems. The backdoor delivered a payload that was “used to extract data from or potentially shut down the energy grid,” according to security researchers at SentinelOne Labs, as reported by The Register.

The Windows-based SFG malware is designed to bypass traditional antivirus software and firewalls. It contains all the hallmarks of a nation-state attack, likely of Eastern European origin.

New York Dam Attack

In March 2016, the U.S. Justice Department claimed that Iran had attacked U.S. infrastructure by infiltrating the industrial controls of a dam in Rye Brook, New York. The attackers compromised the dam’s command-and-control (C&C) system in 2013 using a cellular modem.

This is troubling because it represents one of the first major efforts of a foreign government entity to commandeer U.S. infrastructure. Although the attack happened in 2013, it wasn’t reported or attributed until 2016.

Ukrainian Power Outage

In December 2015, a power company located in western Ukraine suffered a power outage that impacted a large area that included the regional capital of Ivano-Frankivsk, Reuters reported. Investigators discovered that cybercriminals had facilitated the outage by using BlackEnergy malware to exploit the macros in Microsoft Excel documents. The malware was planted into the company’s network using spear phishing emails.
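An added example, not part of the original article: a triage check that a mail gateway or SOC script can run on an incoming attachment to separate macro-bearing Office Open XML workbooks (the delivery vehicle in the case above) from macro-free ones. It uses only the Python standard library; the sample container built by `build_workbook` is constructed for the demo and is not a real workbook.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .xls/.doc container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.xlsx/.xlsm/.docx) container

def classify_office_attachment(data: bytes) -> str:
    """Classify attachment bytes for a gateway or triage rule.

    OOXML files are ZIP containers; a macro-enabled workbook stores its VBA
    code in xl/vbaProject.bin (word/vbaProject.bin for Word). Legacy binary
    .xls files are OLE2 and need an OLE parser, so they are only flagged here
    for further inspection rather than passed as clean.
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole2"   # undecided without an OLE2 parser: hold or scan further
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "corrupt"       # claims to be a ZIP but cannot be parsed
    if any(n.endswith("vbaproject.bin") for n in names):
        return "ooxml-macro"
    return "ooxml-clean"

def build_workbook(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style container for the demo (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"stub-vba-project")
    return buf.getvalue()

if __name__ == "__main__":
    print(classify_office_attachment(build_workbook(True)))
    print(classify_office_attachment(build_workbook(False)))
```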

These three attacks succeeded primarily due to the lack of situational awareness by both the employees and management of the firms in question. This is not surprising, given the increase of automation and internet connectivity within the industrial world.

Mitigating Risk to ICS

Government and private institutions around the world are starting to focus on mitigating risk to ICS. Cybercriminals are developing new threats on a daily basis that can, and eventually will, result in catastrophic utility outages.

The threat to ICS permeates a nation’s entire economy and infrastructure. Organizations across all verticals must take full responsibility for protecting their own assets and consumers. There should be no exceptions, since the best way to keep adversaries out of an ICS is to implement simple safeguards, best practices and risk management solutions. You can download ICS-specific resources from government entities like the National Institute of Standards and Technology (NIST), which also offers network protection advice for connected things in the industrial realm.

For more information on protecting ICS from rising threats while continuing to enable technological advancements, read IBM X-Force’s research report, “Security Attacks on Industrial Control Systems.” The report looks at the history of ICS, the susceptibility of these systems to certain attacks and ways to defend those systems.

Dave McMillen

Senior Threat Researcher, IBM Managed Security Services

Dave brings over 25 years of network security knowledge to IBM. Dave began his career in IBM over 15 years ago, where he was part of a core team of six IBMers that created the IBM Emergency Response Service, which eventually grew and evolved into Internet Security Systems. As an industry-recognized security expert and thought leader, Dave's background in security is full-featured. Dave thrives on identifying threats and developing methods to solve complex problems. His specialties are intrusion detection/prevention, ethical hacking, forensics and analysis of malware and advanced threats. As a member of the IBM MSS Threat Research Team, Dave takes the intelligence he has gathered and turns out immediate, tangible remedies that can be implemented within a customer’s network or on IBM MSS's own proprietary detection engines. Dave became interested in security back in the late 1980s and owned and operated a company that provided penetration and vulnerability testing services, one of the first of its kind. As the internet's footprint began to grow, it became clear to him there was a new problem on the horizon: protecting data. Dave worked with WheelGroup (later acquired by Cisco), where he helped develop NetRanger IDS and NetSonar. Dave also assisted with development of the very first IBM intrusion detection system, BillyGoat. Dave has also developed several other security-based methods and systems that were patented for IBM.