Securing SCADA and Process Systems from Advanced Persistent Threats

Recently a complex computer worm called Flame was discovered attacking energy companies in the Middle East. This worm is an excellent example of what experts call an Advanced Persistent Threat (APT). This article examines APTs and what they mean for the companies operating in the oil and gas sectors.

What is an APT?

Until recently, APTs were rare. They also seemed to be focused on companies in the financial sector. But in the last two years, previously unknown APTs like Flame, Stuxnet, Nitro, Night Dragon and Duqu have been exposed. All but Stuxnet have had a direct impact on the energy sector. And many, like Stuxnet, appear to be directly targeting critical industrial control systems.

What these attacks have in common is that they are all carefully crafted against a specific target – typically a company, industry or government. Unlike traditional cyber attacks, APTs are designed to be effective over an extended period of time and thus are very stealthy.

Richard Bejtlich, author of the TaoSecurity blog, provides a good definition of APTs:

  • Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian exploit against a well-known vulnerability, or they can elevate their game to research and develop custom exploits.
  • Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit, they receive directives and work to satisfy their masters.
  • Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term “threat” with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry.

What is important to understand is that the adversary is no longer a lone teenager looking for thrills. With the advent of the APT, the adversary has become organized, well-funded and motivated.

Energy Companies: Under APT Attack

As we noted earlier, in May 2012, Flame was discovered attacking a variety of organizations in the Middle East, including several energy companies. It is a cleverly crafted toolkit designed for industrial and political espionage that used many methods to gather intelligence and could be modified to change its functionality at any time.

Flame, Night Dragon, Duqu and Nitro all target companies to steal critical information. Examples are oil field bids, SCADA operations data and design documents: information that could cause harm in the wrong hands. In contrast, Stuxnet was designed to destroy industrial processes. All of these APTs were active in their victims’ networks for years before being discovered.

Now that you are aware of APTs, how do you defend against them?

To answer this question, we looked at research conducted by Professor Paul Dorey of the University of London. Dorey uncovered seven best practices that leading companies use to defend against APTs, three of which we will discuss in the remainder of this article. If you are interested in the other four best practices, you can download Dorey’s presentation from

Focused Defense for Industrial Assets

When assessing what is critical, it is important to look beyond the usual financial servers at corporate headquarters. For example, every oil and gas company has industrial control systems that would seriously impact production, safety or the environment if successfully attacked. These might be Safety Integrated Systems (SIS) in a refinery, Programmable Logic Controllers (PLC) controlling pressures on a pipeline, or Remote Terminal Units (RTU) on wellheads. The engineers in your facility know what really matters to the survival of your particular operation. Open up this conversation to your engineering team and aggressively protect these assets, and the chance of a truly serious cyber incident is significantly reduced.

Consider the case of Stuxnet. Symantec reports that the worm infected over 100,000 computers. But its ultimate target was the PLCs in Iran’s uranium enrichment facility, reprogramming these to destroy centrifuges. It wouldn’t have mattered if Stuxnet had infected one billion computers; if it could not infect the PLCs, it would have failed in its mission. Had Iran’s strategy focused on protecting those PLCs, their processes would never have been impacted. Instead, Stuxnet destroyed at least 1000 centrifuges.

Defense Strategy #1: Focus on the Crown Jewels

The first and most critical point in developing an effective defense strategy is to focus your protection efforts on your most important assets. While it would be ideal to protect everything perfectly and do it all the time, unfortunately, modern systems, whether they are IT systems or industrial control systems, have become too complex to achieve perfect and uniform security.

The smart IT teams focus their resources on securing those assets that are critical to the survival of the company. They do not rely solely on a perimeter firewall to keep all malware out of the company. Instead, they install layered defenses directly protecting key assets, such as servers containing sensitive financial information.

There are good reasons for using this approach. Most notably, this defense allows for an in-depth strategy. It also aligns the company to focus effort and diligence on vital assets. For example, it is much easier to carefully review the audit logs for two servers every day, rather than 200 servers.

The third reason is that these assets are the same ones the attackers will focus on. Of course, hackers will go after any undefended computer, but in most cases these machines are just a stepping stone to the real target. Focusing your security team’s defensive efforts on the same assets that your adversary is likely focusing on makes good security sense.

Just to be clear, Dorey is not advocating giving up all security for less critical assets. What is needed (and is missing) is a focused approach to security. When APTs attack your company, defending every desktop computer won’t seem so important if the pipeline is shut down or your well production data has been stolen.

Defense Strategy #2: Focus on Detection, Not Protection

If you are going to spend money on security, what types of controls are the most effective? I believe, like Dorey, that detective controls (i.e. those technologies and processes that detect attacks) are more effective against APTs compared to preventative controls like data diodes and anti-virus software.

After reviewing numerous attacks against both IT and control systems, I know that the average company ranks poorly when it comes to detecting anything unusual on their network. Their ability to detect issues on SCADA and control networks is even worse. Few companies even know when a contractor has attached an unauthorized laptop to their control system. Detecting a sophisticated, stealthy attack like Stuxnet is beyond most companies’ capabilities.
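As an added illustration of the detective controls this strategy calls for (example code, not part of the original article), the script below checks constructed control-network connection records against an engineering-maintained asset baseline. It flags two things the text names: a device on the control network that nobody approved (the contractor’s laptop), and a control host calling an outside address at near-constant intervals, the “beacon” pattern raised in the Bottom Line. The network range, baseline addresses and log lines are all constructed assumptions.

```python
"""Two simple detective checks for a control-system network.
Added example: not the article's or any vendor's code. The subnet,
baseline and log records below are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

CONTROL_NET = ip_network("10.20.0.0/24")            # assumed control-network range
# Devices the engineering team has approved (two PLCs and one HMI), constructed.
BASELINE = {"10.20.0.10", "10.20.0.11", "10.20.0.50"}

# Constructed flow records: "<epoch seconds> <src_ip> <dst_ip> <dst_port>"
LOG = """\
1000 10.20.0.10 10.20.0.50 502
1030 10.20.0.11 10.20.0.50 502
1100 10.20.0.77 10.20.0.10 502
1200 10.20.0.50 203.0.113.9 443
1500 10.20.0.50 203.0.113.9 443
1800 10.20.0.50 203.0.113.9 443
2100 10.20.0.50 203.0.113.9 443
2200 10.20.0.11 198.51.100.4 80
"""

def parse(log):
    """Turn the text records into (timestamp, src, dst, port) tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        rows.append((int(ts), src, dst, int(port)))
    return rows

def unknown_hosts(rows, baseline=BASELINE):
    """Control-network sources that are not in the engineering baseline."""
    seen = {src for _, src, _, _ in rows if ip_address(src) in CONTROL_NET}
    return sorted(seen - set(baseline))

def beacons(rows, min_hits=4, max_jitter=0.1):
    """(src, dst) pairs where a control host contacts an external address
    at least min_hits times with interval jitter below max_jitter."""
    times = defaultdict(list)
    for ts, src, dst, _ in rows:
        if ip_address(src) in CONTROL_NET and ip_address(dst) not in CONTROL_NET:
            times[(src, dst)].append(ts)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):   # near-constant interval
            hits.append(key)
    return sorted(hits)
```

In the constructed data, 10.20.0.77 is the unlisted device and the HMI at 10.20.0.50 is the host calling out every 300 seconds; real deployments would feed span-port flow records or firewall logs into the same two checks.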

Defense Strategy #3: Change Your Perspective from Perimeter-Based to Data-Centric

The third strategy is to change your security focus from controlling the perimeter to controlling specific “assets,” regardless of where they are in space and time. Often these assets are data related. For example, if a financial company can ensure that customer credit card records are encrypted at all times (and the keys to decrypt the records are not leaked), then the loss of a laptop with these records is of limited importance.

Take the case of Bradley Manning, the young U.S. Army private who leaked thousands of classified documents to WikiLeaks. If these sensitive documents had always been encrypted and Bradley had only been able to view them with a controlled application at his desk, then his ability to share so many documents would have been limited. Obviously, the U.S. Army’s “perimeter-focused” strategy failed badly.

For ICS/SCADA systems, the assets that matter are different, since data confidentiality is of less importance to the pipeline or refinery. Instead, specific processes or hard assets are what matter. Here the approach to managing security means making sure that high value processes continue to function reliably regardless of what else is happening around them.

Bottom Line

APTs are now a class of cyber threats that oil and gas companies must defend against. Your company should be considering threats against key IT assets and critical production processes. The latter may be the most important, as they can allow a safety or environmental disaster. As well, APTs could be stealing important production data that will affect competitiveness.

If your security and operations personnel report that your facility has never been infiltrated, it would be prudent to have them check again, with APTs in mind. If they detect any unusual behaviour on either the IT or automation networks, a thorough analysis should be conducted. The evaluation ought to consider the possibility of cyber intelligence “beacons” that could lead to larger attacks.

To prevent and mitigate damage from APTs, employ the defense strategies discussed:

  • focus security efforts on the most important assets
  • focus on detection rather than prevention
  • change the security perspective from perimeter-based to data and process centric

Industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, Advanced Persistent Threats. Make sure your facility’s cyber security defenses are ready to meet this challenge.