Hacking of industrial plants for extortion is one of the biggest untold stories because such attacks are seldom reported, according to Marina Krotofil, a researcher at Hamburg University of Technology.

Hackers have been penetrating industrial control systems of utility companies on a large scale for extortion since at least 2006, she told visitors to BlackHat USA 2015 security conference in Las Vegas.

“Yet, almost 10 years later, we still know almost nothing about how the attackers are doing that because targeted companies are unwilling to make any information available,” she said.

Most of the attacks on operational technologies in the past 20 years have not been reported, which means exactly how attackers interact with industrial control systems remains unknown.

While the hacking of industrial control systems, including Scada systems, is commonly associated with causing physical damage, Krotofil said extortion is the most prevalent motivation.

“The most common goal is to be able to cause persistent economic damage,” she said, adding that targeted companies will be willing to pay large sums of money to stop it from happening.

Alternatively, attackers want to remain in the system undetected to cause as much economic damage as possible on behalf of competitors or any other hostile parties.

Most attackers do not aim to damage or destroy equipment because that raises alarms and does not allow for persistence in the system required for prolonged extortion or economic damage.

“Equipment damage cannot be undone by the cyber attacker and collateral damage is usually unclear and could cause compliance violations, which could lead to high-powered investigations and discovery if the attacker has not covered their tracks well enough,” said Krotofil.

The most common goal of attackers, therefore, is to impact the industrial production process so it affects the quality of the end product or raises operational and maintenance costs.

“However, most of these cases are not reported because if there is no compliance violation companies are not legally required to do so, and they are usually unwilling to risk damage to the reputation of the brand by going public,” said Krotofil.

Understanding attacks In an attempt to redress the lack of knowledge around attacks on industrial control systems, Krotofil has developed a model for an attack on a chemical production plant. “Only by understanding more about how attackers could access these systems, carry out reconnaissance, take control of systems, manipulate processes and cover their tracks can we attempt to formulate ways to defend against such attacks,” she said. According to Krotofil, the research revealed that while it is relatively easy for attackers to access industrial control systems by jumping for enterprise IT systems and using a ready-made exploit kit, the real challenge is in designing a payload that would bring the targeted process into the desired state, which requires in-depth knowledge of the process and the related physics and chemistry. “Once access is achieved, the attacker has to start thinking like a control engineer, a process engineer and a chemical engineer,” said Krotofil. The attackers have to find out how the plant is constructed, what equipment is used, how it is used, how control loops work and where they are located, which is likely to require input from subject matter experts. But in designing the attack, she said, a good place for attackers to start is to look at accident reports for inspiration by looking at where things have gone wrong in the past. There are a lot of things an attacker has to deal with, said Krotofil, including how to manipulate processes without triggering alarms and causing unintended knock-on effects. But if attackers wish to remain under the radar or hide that a cyber attack is responsible for changes in the production environment, she said there are several misdirection techniques at their disposal. For example, Krotofil said timing changes to industrial processes, which coincide with specific shifts or maintenance operations, could trigger an investigation of company workers on duty rather than look at the industrial control systems involved.