Many ICS operators have argued that cyberattacks are unlikely because SCADA systems and PLCs are usually cut off from the Internet, but this “air gap” strategy is fraught with risk. To effectively protect ICSs from hackers, operators need to recognize that all control systems are connected to the outside world in some fashion. It might be a network connection, a mobile laptop, a serial line and a modem, an RF connection, or a USB flash drive. All of these are pathways that can be exploited. In fact, according to the CIA, as far back as 2008, malicious activities against IT systems and networks had already been able to cause disruptions of electric power capabilities in multiple regions around the world, “including a case that resulted in a multicity power outage.”
Hacking Isn’t Hard
Today’s hackers have it easy compared to those of just a few years ago. A typical hacker would formerly have had to write custom code to use in an exploit, and he or she may have had to spend days trying different password combinations to break into a system. Now, “exploit kits,” complete with instructions and help desk support, are readily available and quite affordable. Hacker-friendly sites list thousands of scripts, tips, and tutorials.
Automated hacking tools exist for performing denial-of-service, code injection, and phishing attacks. Open source hacking frameworks, containing hundreds of free and frequently updated hacking tools, can be downloaded. Hackers can leverage cloud infrastructures to amass multiple virtual machines that work in parallel to crack complex passwords or crash systems and applications. In addition, hacking organizations are able to use the Internet to coordinate hacking activities; they have been known to successfully release exploit code to massive numbers of amateur hackers in order to attack a common target from multiple locations around the world.
Today’s hackers also have a multitude of attack vectors at their disposal, from social engineering to open wireless access points to texting and Bluetooth. And, as noted, hackers are already directing their attention beyond PCs and Web sites to SCADA systems and PLCs.