BY DMITRIY AYRAPETOV, DELL SONICWALL
It is a common headline: Prominent website brought down by attackers. The backstory to this growing threat to business is a distributed denial-of-service (DDoS). Whether you’re a Fortune 500 global enterprise, government agency or small- to mid-size business, you’re on the target list of today’s cyberthugs. Even security-savvy businesses with plenty of financial resources and experts to protect themselves have fallen victim to this threat.
Recently, the number of DDoS incidents has increased significantly. Attacks also have grown in scale, exceeding traffic volumes of 100 gigabits per second. One prolonged attack on an e-commerce site in Asia involved a botnet of more than 250,000 zombie computers, many reportedly based in China. Criminals use DDoS because it is cheap, hard to detect and highly effective. DDoS attacks are cheap because they can leverage distributed networks of thousands of zombie computers taken over by worms or other automated methods. For instance, the DDoS attack MyDoom used a worm to distribute flood attacks. Because these botnets are globally sold and available on the black market, an attacker might buy the use of a botnet for less than $100 for a flood attack or contract specific attacks for as little as $5 an hour.
Financially driven DDoS attacks typically are based either on extortion or competition. Extortion schemes often profit by demanding significant ransoms from victim organizations to prevent DoS. Ideological attacks can be launched by government entities or grassroots hacktivists. Hacktivists tend to seek publicity by obstructing high-profile organizations or sites that symbolize conflicting political views or practices. One of the most notorious examples of a hacktivist is the loosely affiliated group Anonymous, who have claimed responsibility (and publicity) for bringing down sites of such high-profile organizations as the FBI and the CIA and have targeted websites in more than 25 countries across six continents.
Because hacktivist agendas can be volatile and unpredictable, any business or industry might be targeted as a symbol of the latest cause du jour. In the case of government-launched cyberwar DDoS attacks, not only .gov targets are vulnerable. Such attacks also can target affiliated vendors that supply key infrastructure, communications or transportation services, or seek to cripple key business or financial transaction servers.
Who is next? It is unreasonable to think it might not be you. The danger to utilities is not simply DDoS; it is the bigger threat of viruses designed not to steal but to delete data and undermine management and monitoring systems. This is a new form of security guerrilla warfare that is being launched by governments or activist groups using information technology (IT) viruses to target and attack specific industries for political reasons. It is a new form of attack to which all utilities are exposed and vulnerable.
Many industrial network infrastructures employ supervisory control and data acquisition (SCADA) and distributed control systems (DCSs) to automate, monitor and control crucial physical processes in their IT infrastructures. Their crucial importance and prominence in the field place them high on a list of prospective targets. SCADA systems increasingly have been targets of criminal and terrorist activities intended to disrupt and deny services.
Following is a basic checklist utilities should use to avoid and plan for attack and prepare for fast recovery.
1. Know your SCADA systems. Document the network infrastructure, components, applications, data stores and connections that are critical to your SCADA system. Perform a baseline analysis for ongoing risk management and set corresponding security requirements. Establish and communicate security roles, responsibilities and authorization levels for IT, management, staff and third-party stakeholders.
2. Lock down your perimeter. Disconnect any unnecessary or unauthorized network paths to your SCADA systems, including unsecured disk drives, USB ports, wireless connections or links to third-party extranets (e.g., suppliers, contractors, outsourcers, etc.), and implement firewalls.
3. Update your defenses. Implement defense security solutions such as unified threat management and next-generation firewalls, which protect against single-point-of-failure breaches. Effective solutions feature multiprong defenses, including intrusion prevention, antimalware, content filtering and application-intelligent firewalling.
4. Enforce access controls. Criminals cannot damage or take control of your SCADA systems unless they can reach them. You must design and implement rules for access control and sharing of data, applications and resources. You also must define, implement and monitor all external secure access connections needed for business users, remote maintenance, third parties and others. Establish policy-based access criteria, limiting access privileges to a minimum. Keep an up-to-date list of access accounts, periodically check logs, and renew all access credentials with enhanced access control where necessary.
5. Secure your remote access. The exponential growth of mobile, wireless and widely distributed networks presents a vastly greater potential for unauthorized remote access. Secure all remote access over virtual private networks (VPNs) using technologies such as SSL VPN.
6. Harden SCADA features. Certain automated SCADA features (e.g., remote maintenance) potentially can undermine security by creating vulnerabilities for unauthorized access or intrusion attacks. Work with your SCADA vendors to find out which of these can be disabled without violating support agreements, interrupting service or causing downtime.
7. Monitor and log incidents. Implement monitoring and logging systems for all SCADA-critical applications and infrastructure. By recording incidents and assessing alerts on the status of the system, you can take proactive measures to prevent attacks and avoid interruptions in service. Solutions are available that can display all network traffic (including SCADA applications) in real time, enabling a faster response to emerging threats.
8. Establish change control and configuration management. Network configurations, systems, firewalls, access rules, applications and procedures can change, and any change can affect other components and connections. Manage the configuration with all changes documented and backup data retained to limit disruption and delays in case of restarts. Applications are available to control even complex networked systems.
9. Conduct routine audits. Perform a complete system check every six to 12 months. Periodically check the event log for incidents to confirm that technological safeguards (firewalls, network components and systems), documentation, procedures and appropriate access are maintained. Regularly assess audit results and apply them to strategically correct and improve your security.
10. Prepare for recovery. As a high-profile target, SCADA systems must be backed up and prepared for rapid recovery should an attack take them offline. Develop contingency procedures to ensure business continuity and disaster recovery for SCADA-critical systems. Comprehensive solutions include automatic off-site backup, continuous data protection and bare metal recovery to alternate equipment.
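Steps 4 and 7 of the checklist applied to a few constructed firewall log lines, as an added example that is not from the article or from Dell SonicWALL: one check flags connections to SCADA hosts from sources outside an engineering allowlist, the other flags a destination that sees many distinct sources inside one short window, the traffic shape of a distributed flood. The host addresses, the allowed subnet, the window size and the source threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log (time src dst dst_port action); 502 is Modbus/TCP, 20000 is DNP3.
SAMPLE_LOG = """\
2013-03-01T10:00:00 10.1.5.20 10.0.0.10 502 ALLOW
2013-03-01T10:00:02 10.1.5.21 10.0.0.10 502 ALLOW
2013-03-01T10:00:03 10.1.5.20 10.0.0.11 20000 ALLOW
2013-03-01T10:00:05 192.0.2.77 10.0.0.10 502 ALLOW
2013-03-01T10:01:00 198.51.100.1 10.0.0.10 502 ALLOW
2013-03-01T10:01:00 198.51.100.2 10.0.0.10 502 ALLOW
2013-03-01T10:01:01 198.51.100.3 10.0.0.10 502 ALLOW
2013-03-01T10:01:01 198.51.100.4 10.0.0.10 502 ALLOW
2013-03-01T10:01:02 198.51.100.5 10.0.0.10 502 ALLOW
2013-03-01T10:01:02 198.51.100.6 10.0.0.10 502 ALLOW
2013-03-01T10:02:30 10.1.5.22 10.0.0.11 20000 ALLOW
"""

SCADA_HOSTS = {"10.0.0.10", "10.0.0.11"}        # assumed control-network hosts
ALLOWED_SOURCES = [ip_network("10.1.5.0/24")]   # assumed engineering workstation subnet

def parse_log(text):
    """Parse one record per line into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "port": int(port), "action": action})
    return records

def unauthorized_access(records):
    """Step 4: connections to SCADA hosts from sources outside the allowlist."""
    hits = []
    for r in records:
        if r["dst"] in SCADA_HOSTS and not any(ip_address(r["src"]) in n for n in ALLOWED_SOURCES):
            hits.append((r["src"], r["dst"], r["port"]))
    return hits

def detect_flood(records, window_seconds=10, min_sources=5):
    """Step 7: flag a SCADA host contacted by many distinct sources in one window."""
    buckets = defaultdict(set)
    for r in records:
        if r["dst"] in SCADA_HOSTS:
            bucket = int(r["ts"].timestamp()) // window_seconds
            buckets[(r["dst"], bucket)].add(r["src"])
    return [(dst, len(srcs)) for (dst, _b), srcs in sorted(buckets.items())
            if len(srcs) >= min_sources]
```

In production the same two checks would run on the firewall or flow collector's live feed rather than on a string, and the thresholds would be tuned to the site's normal polling rate.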
Dmitriy Ayrapetov is product manager of network security at Dell SonicWALL.