The attack on the Siemens Simatic S7 controller was presented last week, on Aug. 8, ’19, at the prestigious Black Hat Hacking Conference. Researchers from the Technion and Tel Aviv University succeeded in gaining control of one of the world’s most secure industrial programmable logic controllers (PLCs). As part of the attack, the researchers managed to turn the controller on and off, download rogue command logic, and change the operating and source code. Moreover, they succeeded in creating a situation in which the engineer operating the controller did not recognize their “hostile intervention.”
Siga’s solutions for ICS/SCADA Cybersecurity may yet be the best way to detect malfunctions in OT systems even in the face of a highly sophisticated attack as described above.
When we think about OT (Operations Technology) or ICS (Industrial Control Systems) cyber security we need to start by defining 2 factors:
1) The most critical assets
2) The best way to detect anomalies and to protect your defined critical assets
The Critical Assets
As in any security design, it is important to define, first and foremost, “What are your most critical assets?” Trying to secure an entity without mapping out the hierarchy of its most important assets will produce an inadequate and unsatisfactory security solution.
Unlike IT (Information Technology) systems, where critical assets consist of data, records, protocols and servers, in OT (Operation Technology) systems the main critical assets are the machinery or electro-mechanical devices, their operation and the processes they produce. For example, if you are a power generation company, the main and critical assets will likely be your turbines, boilers or reactors.
“Programmable Logic Controllers” (PLCs) are commonly used in Industrial Control Systems (ICSs) to provide process critical logic. They are the core of ICSs using equipment such as thermostats, barometers, valves, engines and generators”.
The Best Way To Detect Anomalies
The real manifestation of the most critical assets will most likely be embodied in the electrical signals that tell the real status of the sensors and the actuators. Electro-mechanical equipment and machinery communicate using electrical signals, not data communication. Electrical signals are physics: they cannot be hacked and cannot “lie.” Therefore, if an ICS or OT system needs cyber security, we recommend providing it at the electrical-signal level (Purdue Model Level 0).
Current ICS cyber security solutions are crucial yet insufficient
Increasing awareness of ICS cyber security threats has led many IT software companies to develop and offer security solutions specifically designed for OT networks. The National Institute of Standards and Technology (NIST) identified 5 cyber security framework functions: Identify, Protect, Detect, Respond and Recover. Currently, ALL available ICS cyber security solutions are based on securing the IP-based network (data packets), starting from the PLCs (Purdue Model Level 1) and moving upward through levels 2, 3 and 4 of the network to supervisory controls, operations management, and finally business management. Of course, securing the data network is crucial; however, it can still be hacked despite the layers of protection installed, without the operators even knowing it. Something is missing!
In the recent exercise conducted by researchers from the Technion–Israel Institute of Technology and Tel Aviv University, in collaboration with the Israel National Cyber Directorate, and presented at the Black Hat Conference on August 8, 2019, the researchers analyzed and identified the code elements of the Siemens proprietary cryptographic protocol. On the basis of their analysis, they created a fake engineering station, an alternative to Siemens’ official station. The fake engineering station was able to command the controller according to the will of the attackers. They were able to turn the controller on and off, download rogue command logic according to their wishes, and change the operation and source code. They also succeeded in creating a situation in which the engineer operating the controller did not recognize their “hostile intervention.”
It would probably be very hard for users or traditional cyber security systems to detect this “intervention.” SIGA’s technology, however, is based on anomaly detection of the unhackable electrical signals, completely out-of-band, and does not rely on the logic of the PLC or on the data packet layers.
In fact, SIGA will detect any anomaly in the electrical signals between the PLC and the device within the first second and deliver alerts that enable operators and engineers to react. Contact us to learn more.
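To make the Level 0 idea concrete, here is an added illustrative example (not SIGA's product code and not derived from the Black Hat research): an out-of-band monitor taps the 4-20 mA loop current on a valve actuator wire, learns a per-state baseline while the PLC is trusted, and then raises an alert whenever the wire-level signal contradicts what the PLC reports or drifts outside the learned band. All sample values, the channel name and the thresholds are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed baseline samples: (time_s, measured_mA, plc_reports_open).
# Recorded while the PLC is known-good; about 18 mA = valve open, about 4 mA = closed.
BASELINE = [(0.0, 18.1, True), (0.1, 18.0, True), (0.2, 17.9, True), (0.3, 18.2, True),
            (0.4, 4.1, False), (0.5, 4.0, False), (0.6, 3.9, False), (0.7, 4.2, False)]

# Constructed live samples: one honest, one where the PLC reports "open" while the
# wire shows the closed-state current, one with drift, and one honest "closed".
LIVE = [(1.0, 18.0, True), (1.1, 4.0, True), (1.2, 18.6, True), (1.3, 4.1, False)]


def learn_baseline(samples, min_sd=0.1):
    """Mean and standard deviation of loop current for each PLC-reported state."""
    by_state = {}
    for _, ma, state in samples:
        by_state.setdefault(state, []).append(ma)
    # Floor the spread so a perfectly flat training set cannot make every sample an outlier.
    return {s: (mean(v), max(pstdev(v), min_sd)) for s, v in by_state.items()}


def detect(samples, model, z_max=3.0):
    """Return (time, reason) for every sample that fails the out-of-band check.

    Two independent checks, neither of which consults PLC logic or network packets:
      1. the measured current sits closer to a *different* state's baseline than
         to the state the PLC claims (the PLC/HMI view and the wire disagree);
      2. the current deviates from its own state's baseline by more than z_max sigma.
    """
    alerts = []
    for t, ma, state in samples:
        nearest = min(model, key=lambda s: abs(ma - model[s][0]))
        mu, sd = model[state]
        if nearest != state:
            alerts.append((t, f"PLC reports open={state} but {ma:.1f} mA matches open={nearest}"))
        elif abs(ma - mu) / sd > z_max:
            alerts.append((t, f"{ma:.1f} mA deviates from baseline {mu:.2f} mA (sd {sd:.2f})"))
    return alerts


def run_demo():
    """Train on BASELINE, check LIVE, and return the alerts raised."""
    return detect(LIVE, learn_baseline(BASELINE))


if __name__ == "__main__":
    for t, reason in run_demo():
        print(f"t={t:.1f}s ALERT: {reason}")
```

Because the monitor reads the physical signal rather than the PLC's self-report, the forged engineering station described above would still be seen the moment the actuator does something other than what the controller claims.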