Photo by Yovko Lambrev under a Creative Commons license
Written by Insecurity of Everything: A Cybersecurity & Business Column, Kate Fazzini and John Shegerian
Several U.S. government agencies, including the FBI, have released a warning that certain types of industrial devices may be vulnerable to damaging cyberattacks using a newly discovered tool developed by criminals. These attacks target vulnerabilities in popular systems used in industries like manufacturing, medicine, oil and gas, maritime and waste management.
The tool in question, called an Advanced Persistent Threat or “APT” by government agencies, allows an attacker to access these control systems and change the commands they give, as well as conduct denial-of-service attacks or other activities that effectively “crash” the systems or prevent them from operating.
The alert only applies to certain types of systems. So how do you know if you are affected? Here we break down what these systems are, what they control and how you can be more confident that your security is in place. And even if your company doesn’t have these types of systems, it’s important to understand why attackers are choosing them now, and what it could mean for you in the future.
What are industrial control systems and what do they control?
Industrial control systems are often abbreviated as ICS or SCADA. The latter stands for Supervisory Control And Data Acquisition, which is a complicated way of saying these systems oversee the function of large machines as well as the collating of vast amounts of data from a company’s environment. This is maybe most easily illustrated in the oil and gas sector. In oil fields, SCADA systems help process vast amounts of data from possible drilling sites, and they take in a vast amount of drilling data from sensitive instruments in the field for research and development.
SCADA systems also are widely used in infrastructure, including by dams, trains, transportation authorities, medical researchers and nuclear facilities, as well as in industries prominent in California, including docks, maritime, boat building and car manufacturing. We also use industrial systems in ERI’s own industry — recycling.
Why would criminals target industrial machines?
One of the primary motivations of cybercrime is money, and companies that use industrial systems have been plagued by cyberattacks in recent years. Shutting down production can mean an enormous loss of revenue for a business, and many attacks use ransomware to force corporations to pay a bribe to get their workflow running again.
But for this APT, the intent of criminals may be more in line with the national interests of certain rogue countries or political organizations. In these cases, criminals may use an attack on critical machinery to frighten the public or bring attention to their specific cause. Stopping industrial production — as was the case with last year’s incident against Colonial Pipeline — can bring a great deal more attention to any cyber activity than merely attacking the computer and technology operations of a company. These attacks can also provide a strategic advantage during wartime or in any type of international conflict.
How do I know if I am affected?
The Critical Infrastructure and Security Agency, a division of the Department of Homeland Security; the Department of Energy; the National Security Agency and the Federal Bureau of Investigation released full technical details of the suspected custom-made tools that have been used in these attacks.
These include operating systems and devices popular in the SCADA world, including Schneider Electric, OMRON and OPC Unified Architecture. Companies that aren’t sure if they are using these devices should consult with their IT teams or IT service providers.
For comprehensive information about this warning, visit the CISA information page on APT Tools targeting ICS and SCADA devices: https://www.cisa.gov/uscert/ncas/alerts/aa22-103a.
Kate Fazzini is CEO of Flore Albo LLC, an adjunct professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.
John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/insecurity-of-everything-book/ to receive a free copy of John’s new book, The Insecurity of Everything.