THE INDUSTRIAL SECURITY INSTITUTE
OT / industrial / ICS cybersecurity concepts from the perspective of the world’s most secure industrial sites. Truly secure sites ask different questions, and so get different answers. Subscribe to never miss an episode

EPS. 14 – Compromised Vendor Website
Most sites trust their ICS vendors, but should those vendors’ websites be trusted? Hacktivists
find a poorly defended ICS vendor website and compromise it. They download the latest copies of the vendor software and study it. They learn where in the system the name or some other identifier for the industrial site is stored. These attackers are unhappy with a number of industrial enterprises for imagined environmental or other offences and search the public media to determine which of these enterprises use the compromised vendor’s software. The attackers use the compromised website to unpack the latest security update for the ICS software and insert a small script. The attackers repack the security update, sign the modified
update with the private key on the web server, and post the hacked update as well as a new MD5 hash for the update. Over time, many sites download and install the compromised update. At each target, the script activates. If the script fails to find the name of the targeted enterprise in the control system being updated, the script does nothing. When the script finds the name, it installs another small script to active one week later, erasing the hard drive and triggering an unplanned and possibly uncontrolled shutdown. The one week delay in consequences makes tracing the attack back to the software update somewhat more difficult.

THE TOP 20 CYBERATTACKS ON INDUSTRIAL CONTROL SYSTEMS
These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. In this series we show how to use the Top 20 Cyberattacks to compare the strength of two security postures at a hypothetical water treatment plant: Defence in depth 2013 (software based security) vs. that same security posture plus a unidirectional security gateway device providing hardware enfonced security). We ask the question, does either defensive posture reliably defeat each attack? Over the course of 20 episodes we build a score card that can be used to easily communicate risk reduction benefits to business decision makers who are not familiar with cyber security.

ABOUT ANDERW GINTER
At Waterfall, Andrew leads a team of experts who work with the world’s most secure industrial sites. He is author of two books on industrial security, a co-author of the Industrial Internet Consortium’s Security Framework, and the co-host of the Industrial Security Podcast. Andrew spent 35 years designing SCADA system products for Hewlett Packard, IT/OT connectivity products for Agilent Technologies, and OT/ICS security products for Industrial Defender and Waterfall Security Solutions.