Cyber Security

230,000 – This is the number of people affected by a single successful SCADA attack. Attackers successfully intruded Ukraine’s power grid using BlackEnergy 3 malware in 2015. The attack left 230,000 people and more stranded without power for over 6 hours. The SCADA systems were left non-functional, forcing the workforce to restore the power manually. This attack on the SCADA system set alarm bells ringing across the globe, exposing the weak cybersecurity posture of critical infrastructure. But what are SCADA systems in the first place? The acronym SCADA stands for Supervisory Control and Data Acquisition. Ranging from power plants to railways and water treatment plants to air traffic controls, applications of the SCADA system are vast and deep. Using SCADA systems (software), one can control processes in real-time and obtain data from sensors, devices, and other associate equipment. In short, SCADA systems help an organization manage and operate an industrial plant efficiently. Also read: How to get started with OT security SCADA systems find uses across industries, infrastructure, facility processes, and others. Computers, GUI, networked data communications, and proprietary software make up a typical SCADA system. Thanks to SCADA systems, one can quickly identify a non-functioning part in an industrial plant with over 10,000 functioning parts and numerous connections. SCADA Structure: SCADA system works on collecting data and then relaying commands through the architecture to control a process or a machine. A typical SCADA system involves various collection points, administrative computers, field controllers, communication infrastructure, software, a human-machine interface, and many more. Administrative Computers: These form the core structure of a SCADA system. The administrative/supervisory computers send all the control commands to the respective machines and devices. The administrative computers harvest all the data collected in a SCADA-enabled system. Depending on the complexity of the SCADA system, the administrative computer(s) can be one or multiple, often forming a master station. Exclusive Human-Machine interface systems propel the interactions between these computers and the workforce. Field Controllers:  These come in two forms: Communication Infrastructure: This deals with establishing a secure connection between the SCADA system, RTUs, and PLCs. Communication connection comes in two forms: Most of the infrastructure is modular, and the data passing through them is often unencrypted in both Field and IT communication infrastructure. The primary design objective of these systems is easy troubleshooting and ease of implementation, emphasizing reliability over security. A manufacturer-specific or industry-defined protocol is adopted while establishing the communication infrastructure. The PLCs and RTUs can operate autonomously based on the latest command received from the administrative system. Human Machine Interface (HMI) System: The administrative system can comprise a single computer to a master station comprising over ten computers. The data ranges from simple flow diagrams of processes to complex schematic diagrams of the entire plant. An operator can access graphics, data charts, and other graphical data displayed on the system using a mouse, keyboard, or touch. The HMI system presents the status of every process, component, and plant-related aspect in an interpretable manner. Evolution of SCADA Systems SCADA systems have come a long way since beginning in the early 1960s. Over the 60 years, SCADA systems have transformed from monolithic to IIoT-based systems. As per the industry standards, the Fourth Generation of SCADA Systems is in use. Shortly, the fifth generation of SCADA systems will enter industrial spaces. SCADA Generation Category Features First Generation (1960s to mid-1970s) Monolithic RTUs incorporated at industrial sites directly connected to minicomputer systems.Low RiskIndependent system Second Generation (Mid 1970’s to late 1980s) Distributed Security risk elevated from low to moderate Availability of proprietary LAN  networks Smaller computers and greater computing power Multiple systems connected via LANLack of interoperability due to vendor lock-in practice Third Generation (Late 1980s – 1990s) Networked The emergence of Ethernet and fiber optic.Improved interoperability  Scalability of SCADA systemSecurity risk heightened Less operating costs Fourth Generation 2000s SCADA and IoT integrated system Equipped with IoT, Cloud computing, and big dataSSL and TLS have improved security posture while exchanging data between the SCADA systems and external networks.Better interfaces on handheld devices Greater interoperability SQL database support Web-deployable The next generation of SCADA systems will have cloud computing at their core. Researchers expect the new SCADA systems to optimize resource management (at peak surges and low demand) and enhance security protocols. Even without in-depth knowledge of software, one can design complex applications using RAD (Rapid Application Development) and the upcoming new-age SCADA systems toolkit. What makes SCADA so effective? The vast industrial expanses make it very difficult for physical monitoring. We need a reliable and efficient system to automate recurrence processes and constantly get the status of everything in an industrial expanse. SCADA has been rightly serving this purpose since its inception. From data collection to setting up alarms, SCADA plays a crucial role in improving an industrial expanse’s productivity, maintenance, and functionality. SCADA Architecture: SCADA systems run through 5 levels from Level 0 to Level 4. They form five of the six levels described in the Purdue Enterprise Reference Architecture, followed by enterprise integration. The dissemination of levels helps us understand SCADA systems better and define each security policy for each level. SCADA System Levels Description Level 4 Planning and Logistics Scheduling of production processes Managing ongoing processes Level 3 Production Control Level Made up of administrative systemsData aggregation from Level 2 systemsReporting to ongoing production is produced Executing alerts and other region-wide functions Level 2 Plant Administrative Level Data aggregation from level controllersIssuing commands to respective level controllers It consists of supervisory and administrative systems Level 1 Direct Control Level Comprises local controllers – RTUs and PLCs Accepts data inputs from sensors Actuator receive commandsDirect interaction with field devices Level 0 Field Device Level Includes sensors that forward data Includes actuators that control processes SCADA Security Framework: We can confidently say SCADA systems have opted for a reliable and straightforward framework for smooth functioning. SCADA systems were relatively safe, given that they were greatly restricted to on-site locations before the internet exploded. Every security framework of SCADA should be able to meet specific objectives. These help build a strong posture contributing toward a

When LockBit 3.0 was launched in June, the group touted it as the most powerful encryptor ever built. The launch also led to a 17 percent rise in cyber incidents directly linked to the encryptor. The new variant brought in new features such as more payment options across cryptocurrencies, new monetization options, and more means to recover or destroy data as per the outcome of negotiations with the victim. The files were not just encrypted but exfiltrated as well to put additional pressure on the victim. A typical attack begins with the victim’s device being infected and the files being encrypted with a jumbled extension. The process of data encryption is done at a rapid speed with multiple tasks being done in parallel. The infection becomes apparent with the wallpaper of the victim’s machine being changed to a ransom note. In case the ransom is not paid on time, the victim’s data is then put up for sale on the Dark Web and other forums. Sample of LockBit 3.0 Ransome Note At the time of writing this blog post, we did come across an APAC enterprise that was successfully targeted by the LockBit 3.0 group. The ransom note asked the victim to pay $10000 to extend the deadline by 24 hours, $500000 to destroy all information, and a similar amount to download the data at any time.  LockBit 3.0 was much in demand in Ransomware as a Service market. Which explains the sudden and steep rise in LockBit 3.0-linked attacks.    The group even ran a bounty program to incentivize the detection of bugs in its code. LockBit operators were keen on preventing non-group members from obtaining the decryption tool. Since it was first detected in the wild in mid-June, LockBit 3.0 has been reported consistently from over 33 honeypot locations of Sectrio indicating its prevalence and global presence. It even outcompeted rivals such Hiveleaks and Blackbasta in infecting maximum victims since launch as documented by Sectrio’s threat researchers.  For a while, everything seemed to be going the way of LockBit 3.0 developers until an alleged disgruntled developer threw a spanner in the works by releasing the code of the encryptor which subsequently made its appearance on Twitter at least a couple of times. This will enable other ransomware groups to build on the encryptor (or modify it) and launch new and more stealthy variants. What’s next for LockBit 3.0 and other ransomware groups? New ransomware groups could theoretically launch their operations with these modified variants. Such variants could also be re-engineered in academic or research labs and in case these variants are accidentally or deliberately released into the web in the future, then the chain of attacks linked to LockBit 3.0 will continue to worry cyber defenders for months or even years.