by Stephen Hilt, Numaan Huq, Vladimir Kropotov, Robert McArdle, Cedric Pernet, and Roel Reyes
In our research Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries, we not only found exposed industrial control system (ICS) human machine interfaces (HMIs) but also pointed out how these systems were at risk. This risk is corroborated by the active interest in water and energy ICSs shown by different kinds of cybercriminal groups.
Looking at past incidents shows how real this interest was, enough to lead to attacks like the one on the Ukrainian Power grid in 2015. The reported cases imply that the water and energy sectors are indeed targets, whether of sophisticated criminal groups or state-sponsored actors. However, our exploration into underground forums revealed attention coming from other groups like lone actors as well.
We categorized underground forum posts on water and energy ICSs into groups based on the context of the discussion, specifically the reason and motivation behind the posting.
Knowledge about ICS/SCADA
Part of the chatter on the ICS/supervisory control and data acquisition systems (SCADA) of energy and water infrastructure stem from people who want to know more about these systems. The kind of information they discussed in the forums – like proofs of concept (POCs), vulnerabilities and exploits of ICS/SCADA – would be dangerous in the wrong hands. Interestingly, some people go to such forums to learn about SCADA for free, too, to avoid fees for professional training. Some of the other examples we found did not reveal why they needed new information.
Figure 1. Post asking about SCADA information to avoid expensive professional training
Opportunities for personal gain
Other conversations in the forums were more actionable, exploring ideas for possible opportunities and gains from ICS/SCADA systems. One of the more general discussions brought up Shodan and Censys within the larger conversation on industrial equipment being profitable IoT devices to exploit.
Some forums had more specific topics and were outright discussions on access and credentials for certain ICS/SCADA systems. An example of such discussions involved a hacker who apparently had success in getting into a system and is looking to sell acquired information. Other such discussions involved groups who are in the reconnaissance phase of a campaign; employees willing to use illicit means to get ahead; and organizations requesting attacks on competitors.
Figure 2. Hacker selling acquired information on a forum
On the other hand, bug bounty programs of legitimate organizations hoping to test the security of their equipment in the wild are reposted by forum users. Bug bounties are a valid means to earn from vulnerability discoveries; however, they could also attract malicious actors seeking to gain more than the rewards offered.
Whether these discussions have already turned or will turn into active campaigns is still to be determined. The fact that they exist already puts greater urgency on improving security for organizations in the water and energy sectors. Given that our research uncovered exposed systems in small and medium businesses (SMBs), these findings drive the point that no organization in any sector, of any size, is immune to attack.
Organizations need to keep in mind that cybercriminals will not stop at simply observing exposed systems they discover. As organizations in critical sectors (CI) like water and energy continue to incorporate the industrial internet of things (IIoT) in their operations, they should start with security in mind. Awareness of the different vulnerabilities that might exist in ICS can help pinpoint necessary improvements, not just at the beginning but throughout operations. They should also assess for possible areas of exposure and vulnerability and start improvements from there. After all, a strong security posture can ensure that IIoT systems are used as tools in enhancing CIs instead of the opposite — as avenues for malicious campaigns.
For more insights on exposed CI HMIs, in-depth descriptions of threat actors, and defensive strategies, read our research Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries.