Critical infrastructures have become reliant on advancing supervisory control and data acquisition (SCADA) networks to maintain operations. With the growing prominence of these systems, cybercriminals have seized the opportunity to profit from hacking these networks. Organizations that implement SCADA for critical infrastructure must become more diligent in their management of these systems to prevent availability problems.
Vulnerabilities
Critical infrastructure has never been more vulnerable: “[l]ast year [2022], ransomware incidents were observed in 14 out of 16 US critical infrastructure sectors” (Acronis, 2020). Modernization of workstations and automation has increased dramatically over the last several years; “[t]oday services such as healthcare systems, power grids, transportation and other critical industries are increasingly integrating their operational technology with traditional IT systems in order to modernize their infrastructure, and this has opened up a new wave of cyberattacks” (Labus, 2022). However, despite these advancements, systems security has lagged. Security considerations for supervisory control and data acquisition (SCADA) networks have “… largely been siloed, reactive, and lack business context. Lack of visibility across the estate is a huge problem for this sector” (Labus, 2022). End users of SCADA-based systems “erroneous[ly] believe that SCADA networks are safe enough because they are secured physically. It is also wrongly believed that SCADA networks are safe enough because they are disconnected from the Internet” (SCADA Systems). Without proper oversight and security considerations, these systems can be compromised, wreaking havoc on critical systems.
Stuxnet, discovered in 2010, was one of the first examples of a SCADA system being sabotaged. The US/Israeli worm, targeted at an Iranian nuclear power plant with the intention of slowing down or eliminating Iran’s nuclear program, was able to take several centrifuges offline, “…show[ing] that taking advantage of a minor flaw in a system could cause major damage” (Fick, 2023). In 2017, the UK’s National Health Service (NHS) “… was brought to a standstill for several days due to the WannaCry outbreak…” (Acronis, 2020). According to Acronis, at least 80 out of 230 Trusts were impacted by this virus. The WannaCry worm itself was introduced not through email or internal malice, but through a vulnerability within Windows 7: “Most NHS devices infected with the ransomware, were found to have been running the supported, but unpatched, Microsoft Windows 7 operating system…” (Acronis, 2020). Despite the UK’s Department of Health being warned of the vulnerability in advance of the attack, the NHS had not yet patched its systems. Neglecting to apply the available patches left the NHS vulnerable to the EternalBlue exploit. As a result, hundreds of patients were unable to receive medical treatment, as doctors had to turn patients away and send them to other, uninfected parts of the NHS.
More recently, the US has seen a slew of infrastructure cyber-attacks, ranging from a water treatment plant in Florida to the New York City Metro system. Perhaps the best known, though, was the Colonial Pipeline hack in 2021, which exposed the fragility of the pipeline’s infrastructure and how heavily the East Coast relied on it remaining operational. Colonial Pipeline was not forced to shut down all of its servers, but it opted to do so to prevent further spread of the virus. The shutdown cost Colonial Pipeline “…a nearly $5 million ransom…. [and] caused a fuel shortage on the East Coast that was worsened by consumers panic-buying gas” (Fick, 2023). The hackers were able to gain access to the pipeline’s network by “…using an employee’s password that had been reused on other networks” (Fick, 2023). Cyber criminals are aware of the damaging effects of disrupting critical infrastructure and use this to their advantage for monetary gain.
Mitigation
As critical infrastructures have migrated to SCADA systems, IT system operators will have to place an emphasis on ensuring the systems’ availability and avoiding breaches. Maintenance of these systems will become increasingly vital, as operating system updates and patches are crucial to preserving system integrity. When discussing critical infrastructure, the approach needed is proactive. If, in the NHS breach, system owners had applied the available patches to the NHS devices when they were released, services would not have been interrupted. Similarly, implementing formal training for end users and enforcing basic security protocols, such as requiring unique, complex passwords and multi-factor authentication for systems, could have helped reduce the impact of the Colonial Pipeline hack.
Conclusion
SCADA systems have advanced over the years, growing in both usage and capability. However, despite these developments, there are still concerns about how to securely implement SCADA to prevent failures of critical systems. As these systems continue to mature and evolve over time, the security posture of these infrastructures will change. As with other data networks, critical infrastructures should be secured using the CIA triad and the regulations within the industry.
References
Fick, A. (2023, January 12). Critical infrastructure is more vulnerable than ever: your industry could be a prime target. Lacework Posts. Retrieved March 26, 2023, from https://www.lacework.com/blog/critical-infrastructure-is-more-vulnerable-than-ever-your-industry-could-be-a-prime-target/
Labus, H. (2022, March 11). The massive impact of vulnerabilities in critical infrastructure. Help Net Security. Retrieved March 26, 2023, from https://www.helpnetsecurity.com/2022/03/15/critical-infrastructure-security/
Acronis. (2020, February 6). The NHS cyber attack: How and why it happened, and who did it. Acronis. Retrieved March 26, 2023, from https://www.acronis.com/en-us/blog/posts/nhs-cyber-attack/
SCADA Systems. (n.d.). SCADA systems. Retrieved March 26, 2023, from http://www.scadasystems.net/