vulnerable spot
According to a notice from the Federal Service for Technical and Export Control of the Russian Federation (FSTEC), developers of software and equipment for automatic control systems used in production and technological processes within critical information infrastructure facilities in Russia face the threat of large-scale cyberattacks. The agency published the notice on its official site.
FSTEC does not disclose specifics of the incidents, but it notes that analysis of threat data shows foreign cybercriminals are planning new attacks against these organizations.
The focus is on control systems for objects of critical information infrastructure (CII). Elements of this infrastructure exist at enterprises across sectors such as the fuel and energy complex, nuclear power, chemical, mining and metallurgical industries. Healthcare, finance, transportation and communications are also included in this category.
The FSTEC brief also concerns developers of systems that regulate the operation of nuclear reactors, turbines in hydroelectric plants, blast furnaces in steelworks, chemical reagent production facilities and railway operations.
Pavel Korostelev, head of the product demonstration division at the company Security Code, reports that attacks against CII facilities and the developers of their control systems have been recorded. He notes that after February 24, the number of incidents in this niche rose markedly.
He identifies three to five sectors as the most frequently targeted: finance, communications, industry, defense and energy.
By contrast, Cisco Systems security consultant Alexey Lukatsky observes that CII facilities are attacked more often than the developers of industrial control systems. He cites confidential information from Russia’s FSTEC. Evgeny Goncharov, head of the industrial systems security research center at Kaspersky Lab, shares a similar view.
Experts remark that many owners of automated control systems have not fully appreciated the need for robust protection, despite warnings from government and security researchers. This lax attitude makes supply chain attack scenarios more likely, even though such attacks are challenging for the novice cybercriminals who currently account for a significant portion of attempts against Russian facilities.
FSTEC was asked for additional comment on the issue.
The Little Bang Theory
Experts emphasize that the high importance of businesses controlled by ICS means a successful hacker intrusion into the tools used by developers can have catastrophic outcomes.
One expert warns that a successful breach of a developer of automated process control systems could trigger environmental disasters, pose risks to human life, and disrupt essential operations. For example, a conveyor line manufacturing spare parts for military equipment might halt unexpectedly, or an unauthorized adjustment to a food formula could lead to poisoning. Oil production lines or refining processes might stop as well.
Another specialist from Kaspersky Lab notes that the impact could be severe even if attackers possess only modest skills. An attack could still disrupt the operation of an automated control system in some cases.
Nikolai Yurchenko, head of project implementation and sales support at R-Vision, adds that the attackers’ likely aim could be to plant backdoors in the products of developers. Once the control system begins operating at a facility, backdoors could be used to inflict significant damage on the business.
He stresses that successful attacks pose major risks not just of financial loss or reputational damage, but also the potential for emergencies that may lead to production shutdowns, interruptions in transportation, and even large-scale man-made or humanitarian disasters and fatalities.
Alexei Novikov, director of the PT Center for Expert Security, notes that attacks on ICS developers may also pursue more mundane intelligence-gathering goals. For instance, intruders who gain access to a manufacturer’s infrastructure could compromise an employee’s email and pose as the company, increasing the chances of a convincing phishing attack.
What should be done
Alongside the warning, FSTEC offers a long list of recommendations for developers to reduce the success of cyber intrusions. These include inventorying public web services, disabling unused resources, strengthening password policies for administrators and users, enabling two-factor authentication for remote access to information infrastructure, and more.
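As an added illustration of how a developer could turn the FSTEC recommendations summarized above into a repeatable check, the following Python script audits a service inventory and password policies against them. It is example code written for this article, not a tool from FSTEC or from any company mentioned; the hosts, dates, thresholds (minimum length, maximum password age, "unused" window) and the inventory records are all constructed assumptions.

```python
"""Checklist evaluator for the hardening recommendations described above:
inventory exposed services, flag unused ones for disabling, require
two-factor authentication on remote access, and check password policies.
All thresholds and sample records are assumptions made for this example."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Service:
    name: str
    host: str
    port: int
    internet_facing: bool
    last_used: date               # last observed legitimate use
    remote_access: bool = False   # VPN, RDP, SSH or similar entry point
    mfa_enabled: bool = False


@dataclass
class PasswordPolicy:
    role: str
    min_length: int
    max_age_days: int
    lockout_threshold: int        # failed logins before lockout; 0 means none


# Thresholds are assumptions chosen for this example, not values from the
# FSTEC notice.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
UNUSED_AFTER = timedelta(days=90)


def audit_services(services, today):
    """Return (severity, message) findings for a service inventory."""
    findings = []
    for s in services:
        where = f"{s.host}:{s.port} ({s.name})"
        # Unused services are candidates for disabling; exposed ones first.
        if today - s.last_used > UNUSED_AFTER:
            severity = "high" if s.internet_facing else "medium"
            findings.append((severity, f"{where}: unused for more than "
                             f"{UNUSED_AFTER.days} days, disable it"))
        # Every remote entry point must have two-factor authentication.
        if s.remote_access and not s.mfa_enabled:
            findings.append(("high", f"{where}: remote access without "
                             "two-factor authentication"))
    return findings


def audit_password_policies(policies):
    """Return (severity, message) findings for per-role password policies."""
    findings = []
    for p in policies:
        if p.min_length < MIN_LENGTH:
            findings.append(("high", f"{p.role}: minimum password length "
                             f"{p.min_length} is below {MIN_LENGTH}"))
        if p.max_age_days > MAX_AGE_DAYS:
            findings.append(("medium", f"{p.role}: maximum password age "
                             f"{p.max_age_days} days exceeds {MAX_AGE_DAYS}"))
        if p.lockout_threshold == 0:
            findings.append(("medium", f"{p.role}: no account lockout "
                             "on failed logins"))
    return findings


# Constructed sample inventory; hosts use documentation/private ranges.
TODAY = date(2022, 6, 1)
SERVICES = [
    Service("customer portal", "203.0.113.10", 443, True, TODAY - timedelta(days=2)),
    Service("legacy test API", "203.0.113.11", 8080, True, TODAY - timedelta(days=200)),
    Service("admin VPN", "203.0.113.1", 443, True, TODAY - timedelta(days=1),
            remote_access=True, mfa_enabled=False),
    Service("jump host", "203.0.113.2", 22, True, TODAY,
            remote_access=True, mfa_enabled=True),
    Service("build server", "10.0.1.20", 8443, False, TODAY - timedelta(days=120)),
]
POLICIES = [
    PasswordPolicy("administrators", 8, 365, 0),
    PasswordPolicy("users", 12, 60, 5),
]


def run_audit(services=SERVICES, policies=POLICIES, today=TODAY):
    """Combine both audits into one findings list."""
    return audit_services(services, today) + audit_password_policies(policies)


if __name__ == "__main__":
    for severity, message in run_audit():
        print(f"[{severity}] {message}")
```

On the constructed inventory the script reports six findings: the stale test API and the VPN without MFA as high priority, the stale internal build server as medium, and three policy gaps for the administrator role. The same structure can be fed from a real asset register once one exists, which is the inventory step the notice puts first.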
Alexey Lukatsky of Cisco Systems describes these recommendations as appropriate. He says that an institution with an effective information security service will already have such priority protection measures in place.
Nikolai Yurchenko of R-Vision expresses a similar view. He says FSTEC’s guidance contains a fundamental set of measures that can rapidly detect cyberattacks in most scenarios, help bring them under control, and buy time to implement additional protections for the organization.