
Protecting Your ICS/SCADA Environment

  • Posted on: July 2, 2013 at 12:41 pm
  • Posted in: Targeted Attacks
  • Author: Kyle Wilhoit (Senior Threat Researcher)

Recently, I spoke at the Forum of Incident Response and Security Teams (FIRST) conference in Bangkok, Thailand on threat intelligence and incident response. The mantra throughout FIRST was “sharing to win”, a concept that echoes throughout security and got me thinking about information sharing in the ICS/SCADA security arena. This idea of sharing thoughts and experiences led me to contribute an article to the US Department of Homeland Security’s ICS-CERT April-June 2013 Monthly Monitor.

This piece is related to the paper I wrote last March about Internet-facing SCADA systems. The issue gained prominence due to high-profile attacks such as FLAME and Stuxnet. Regardless of those headlines, ICS/SCADA security remains an important topic, because these systems commonly operate critical industries, e.g. vehicle manufacturing, transportation, energy, and water treatment plants, and successful attacks against them may cause significant damage.

For this research, I developed a honeypot architecture that emulated several types of SCADA and ICS devices. These honeypots included vulnerabilities found across the same or similar systems, to present attackers with a realistic environment.

During the research, we found some interesting information on how these attacks were conducted and where they came from. Some of the most prominent were attempts to bypass authentication mechanisms. One attacker also attempted spear-phishing by sending an email to the “administrator” of the system. We noticed that the attackers demonstrated knowledge of the Modbus communications protocol. The most worrisome finding, however, is that 17 of these attacks can be considered “catastrophic”.

Fortunately, there are some basic configuration considerations that can improve ICS/SCADA security, including the following:

  • Disable Internet access to your trusted resources, if possible.
  • Ensure that your trusted resources have the latest updates and that new patches/fixes are monitored.
  • Use real-time anti-malware protection and real-time network scanning locally on trusted hosts and where applicable.
  • Require user name/password combinations for all systems, even those deemed “trustworthy.”
  • Set secure login credentials and do not rely on defaults.
  • Implement two-factor authentication on all trusted systems for any user account.
  • Disable remote protocols that are insecure.
  • Disable all protocols that communicate inbound to your trusted resources but are not critical to business functionality.
  • Utilize network segmentation to secure resources like VES systems, ICS, and SCADA devices. See a great write-up on network segmentation here.
  • Develop a threat modeling system for your organization. Understand who’s attacking you and why.
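One way to turn the segmentation and protocol items in the list above into something a defender can check, as an added example that is not from the original post or the paper: a Python audit that evaluates captured network flows against a segmentation allow-list, flags insecure inbound protocols and Internet exposure, and decodes the Modbus/TCP function code so that write operations arriving from anywhere other than the engineering zone stand out. The zones, addresses, allow-list entries and sample flows are all constructed assumptions for illustration; a real deployment substitutes its own.

```python
"""Audit captured flows against a control-network segmentation policy.

Added example (not from the original post). Zones, addresses, allow-list and
sample flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zones; a real site defines its own.
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/24"),      # PLCs, RTUs, HMIs
    "engineering": ipaddress.ip_network("10.20.0.0/24"),  # engineering workstations
    "historian": ipaddress.ip_network("10.30.0.0/24"),    # data historian / DMZ
}
TRUSTED_ZONES = set(ZONES)

# Cleartext or legacy protocols that trusted hosts should not accept inbound.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http", 161: "snmpv1/v2"}

# Allow-list of (source zone, destination zone, destination port). Anything else
# that reaches a trusted zone violates the segmentation policy.
ALLOW = {
    ("engineering", "control", 502),    # Modbus/TCP from engineering to PLCs
    ("historian", "control", 502),      # historian polling PLCs over Modbus/TCP
    ("engineering", "historian", 443),  # HTTPS to the historian front end
}

# Modbus function codes that change process state; these deserve attention
# whenever they do not originate from the engineering zone.
MODBUS_WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                          15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def zone_of(ip: str) -> str:
    """Map an address to a named zone; anything outside them is untrusted."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


def modbus_function_code(payload: bytes):
    """Return the function code of a Modbus/TCP ADU, or None if it is not one.

    The MBAP header is transaction id (2 bytes), protocol id (2 bytes, always 0),
    length (2 bytes) and unit id (1 byte); the PDU's function code follows it.
    """
    if len(payload) < 8 or payload[2:4] != b"\x00\x00":
        return None
    return payload[7]


def evaluate(flow: Flow) -> list:
    """Return the policy violations for one flow; an empty list means allowed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    findings = []
    if src_zone == "untrusted" and dst_zone in TRUSTED_ZONES:
        findings.append(f"inbound from untrusted network to {dst_zone} zone")
    if dst_zone == "untrusted" and src_zone == "control":
        findings.append("control device initiating traffic to an untrusted network")
    if dst_zone in TRUSTED_ZONES and flow.dport in INSECURE_PORTS:
        findings.append(f"insecure protocol {INSECURE_PORTS[flow.dport]} inbound to {dst_zone}")
    if dst_zone in TRUSTED_ZONES and (src_zone, dst_zone, flow.dport) not in ALLOW:
        findings.append(f"{src_zone}->{dst_zone}:{flow.dport} not on allow-list")
    if flow.dport == 502:
        fc = modbus_function_code(flow.payload)
        if fc in MODBUS_WRITE_FUNCTIONS and src_zone != "engineering":
            findings.append(f"Modbus {MODBUS_WRITE_FUNCTIONS[fc]} (fc {fc}) from {src_zone} zone")
    return findings


def audit(flows):
    """Evaluate every flow and key the findings by a readable flow label."""
    return {f"{fl.src}->{fl.dst}:{fl.dport}": evaluate(fl) for fl in flows}


# Constructed sample flows. Untrusted addresses come from the RFC 5737
# documentation ranges. MBAP header: tid 0x0001, pid 0, length 6, unit id 1.
MBAP = b"\x00\x01\x00\x00\x00\x06\x01"
SAMPLE_FLOWS = [
    Flow("10.20.0.5", "10.10.0.7", 502, MBAP + b"\x03\x00\x00\x00\x0a"),   # read holding registers
    Flow("203.0.113.9", "10.10.0.7", 502, MBAP + b"\x06\x00\x01\x00\xff"),  # write from the Internet
    Flow("10.30.0.2", "10.10.0.7", 23),                                      # telnet to a PLC
    Flow("10.10.0.7", "198.51.100.4", 443),                                  # PLC calling out
]

if __name__ == "__main__":
    for label, findings in audit(SAMPLE_FLOWS).items():
        print(label, "ALLOW" if not findings else "; ".join(findings))
```

The same `evaluate()` function can be fed flows exported from a firewall log or a flow collector; in practice the allow-list is the documented engineering intent, and every non-empty finding is either a policy gap to fix or an event to investigate.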

For more security measures you can implement for ICS/SCADA systems, and for more information about my research, you can read the paper here.

In addition to my contribution, Reid Wightman of IOActive published an article that also warrants a read for those interested in ICS security.

Tags: Flame, ICS, SCADA, Stuxnet
