Have you noticed that over the last several years, cybersecurity seems to be “trending”?
Companies of all sizes are starting to learn how to prevent, or at least minimize, cyberattacks. They hire third-party experts and attend training to learn more about the human and system weaknesses that are common wherever cybersecurity competency is lacking.
For example, the attack mechanisms listed below succeed only where such human and system weaknesses exist:
- Users accidentally click on a link in a phishing email.
- A program passes user input directly into a SQL query.
- A program doesn’t check the size of a data buffer and overwrites the buffer when a larger-than-expected message is received.
- A controller accepts messages from any source without authenticating the sender.
- A system allows six-character passwords and does not lock out users after repeated unsuccessful login attempts.
- A system sends data over an untrusted network without encryption, allowing an attacker to easily view messages and potentially replay or mimic them later.
- A user’s credentials are not removed from the system when that user leaves the company.
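The second weakness in the list above, user input passed directly into a SQL query, is easy to see side by side with its fix. The following is an added example, not code from the original post or from exida: it builds a small in-memory SQLite table of constructed operator records, runs the same lookup once with string concatenation and once with a parameterized query, and shows that a crafted username returns every row from the concatenated version and nothing from the parameterized one. The table, column names and sample rows are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data: a small operator table such as an HMI
# login service might consult. Names and roles are invented.
SAMPLE_OPERATORS = [("alice", "engineer"), ("bob", "viewer")]

# A textbook tautology-style input; used here only to show the
# difference in behaviour between the two lookup functions.
INJECTED_INPUT = "x' OR '1'='1"


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO operators VALUES (?, ?)", SAMPLE_OPERATORS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Weak pattern: the user-supplied string becomes part of the SQL text,
    so quote characters in the input change the query's meaning."""
    sql = "SELECT username, role FROM operators WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Hardened pattern: the SQL text is fixed and the input travels as a
    bound parameter, so it can only ever be compared as a plain value."""
    sql = "SELECT username, role FROM operators WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare_lookups():
    """Run both lookups with a normal name and with the crafted input and
    return the row counts so the difference can be checked programmatically."""
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_injected": len(lookup_vulnerable(conn, INJECTED_INPUT)),
        "hardened_normal": len(lookup_hardened(conn, "alice")),
        "hardened_injected": len(lookup_hardened(conn, INJECTED_INPUT)),
    }


if __name__ == "__main__":
    for name, count in compare_lookups().items():
        print(f"{name}: {count} row(s)")
```

With the sample table, both functions return one row for `alice`, but the concatenated version returns all rows for the crafted input while the parameterized version returns none. The lesson for a reviewer is that the fix is not input filtering but keeping data out of the query text entirely; the same applies to any driver that supports bound parameters.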
Successful ICS cyberattacks normally use a chain of attack mechanisms to achieve the ultimate goal. For example, one attack might yield a password into one system, another attack might yield the location in memory of key data, and then the third attack might overwrite the data to force the control system into a dangerous state.
Although the details of the attack methods for some events are not known with certainty, expert forensic cyber engineers have drawn conclusions. For example, here are the conclusions from the Stuxnet cyberattack:
- Human mistakes: A staff member carried the malware into the system via a USB stick.
- Knowledge of the control system: Public cyber vulnerabilities, reverse engineering of the system, and testing using a real system are all postulated given the sophistication of the attack.
- System reconnaissance: The malware code scanned targeted systems looking for specific control configurations.
- Exploitation of known vulnerabilities: Four “zero-day” vulnerabilities were used in the attack.
- Exploitation of weak security measures: The attack took advantage of the hardcoded password for the database code and the read/write I/O image design of the controller.
For those looking to learn more about preventing or minimizing cyberattacks, check out the webinar, Preventing Cyberattacks by Following Practical Guidance in IEC 62443.
- exida CSP (IEC 62443 Cybersecurity Practitioner) Program
- exida IACS Cybersecurity Services
- exSILentia Cyber - Industrial Control System Cybersecurity Risk Assessment Tool