Spear phishing poses threat to industrial control systems

Hackers don't need Stuxnet or Flame to turn off a city's lights, say security experts

While the energy industry may fear the appearance of another Stuxnet on the systems they use to keep oil and gas flowing and the electric grid powered, an equally devastating attack could come from a much more mundane source: phishing.

Rather than worry about exotic cyber weapons like Stuxnet and its big brother, Flame, companies that have Supervisory Control and Data Acquisition (SCADA) systems -- computer systems that monitor and control industrial processes -- should make sure that their anti-phishing programs are in order, say security experts.

"The way malware is getting into these internal networks is by social engineering people via email," Rohyt Belani, CEO and co-founder of the anti-phishing training firm PhishMe, said in an interview.

"You send them something that's targeted, that contains a believable story, not high-volume spam, and people will act on it by clicking a link or opening a file attached to it," he said. "Then, boom, the attackers get that initial foothold they're looking for."

Belani cited a case study of a very narrow attack on a single employee working the night shift monitoring his company's SCADA systems.

The attacker researched the worker's background on the Internet and used the fact he had four children to craft a bogus email from the company's human resources department with a special health insurance offer for families with three or more kids.

The employee clicked a malicious link in the message and infected his company's network with malware.

"Engineers are pretty vulnerable to phishing attacks," Tyler Klinger, a researcher with Critical Intelligence, said in an interview.

He recalled an experiment he conducted with several companies, targeting engineers and others with access to SCADA systems, in which 26 percent of the spear phishing attacks were successful.

Success means that the target clicked on a malicious link in the phishing mail. Klinger's experiment ended with those clicks. In real life, those clicks would just be the beginning of the story and would not necessarily end in success for the attacker.


"If it's a common Joe or script kiddie, a company's [Intrusion Detection Systems] will probably catch the attack," Klinger said. "If they're using a Java zero-day or something like that, there would be no defense against it."

In addition, phishing attacks are aimed at a target's email, which is usually located on a company's IT network. Companies with SCADA systems typically segregate them from their IT networks with an "air gap."

That air gap is designed to insulate the SCADA systems from the kinds of infections perpetrated by spear phishing attacks. "Air gaps are a mess these days," Klinger said. "Stuxnet taught us that."

"Once you're in an engineer's email, it's just a matter of cross-contamination," he added. "Eventually an engineer is going to have to access the Internet to update something on the SCADA and that's when you get cross-contamination."

Phishing attacks on SCADA systems are likely rare, said Raj Samani, vice president and CTO of McAfee's EMEA.

"I would anticipate that the majority of spear phishing attacks against employees would be focused against the IT network," Samani said in an interview. "The espionage attacks on IT systems would dwarf those against SCADA equipment."

Still, the attacks are happening. "These are very targeted attacks and not something widely publicized," said Dave Jevans, chairman and CTO of Marble Security and chairman of the Anti-Phishing Work Group.

Jevans acknowledged, though, that most SCADA attacks involve surveillance of the systems and not infection of them. "They're looking for how it works, can a backdoor be maintained into the system so they can use it in the future," he said.

"Most of those SCADA systems have no real security," Jevans said. "They rely on not being directly connected to the Internet, but there's always some Internet connection somewhere."

Some companies even still have dial-in numbers for connection to their systems with a modem. "Their security on that system is, 'Don't tell anybody the phone number,'" he said. 
