Critical National Infrastructure (or CNI) is increasingly a target for nation-state cyber threat actors. Recently, we have seen the Sandworm threat group target electrical substations in Ukraine with the Industroyer2 malware, and new tools designed specifically to target multiple Industrial Control Systems (ICS) for disruptive or espionage means.
Industrial Control Systems (ICS) control physical processes in many CNI environments, including energy, water and water utilities, and manufacturing.
As the lead for Technology-Focused Threat Intelligence (TFTI), I am involved in researching cyber threats to technologies and functions relevant to our business and clients in the Defence, Aerospace and Maritime sectors. Areas which I particularly focus on at the moment are the Internet of Things (IoT), the global Supply Chain and ICS.
The Human Machine Interface
Found in almost every factory floor, ship's engine room and power plant in the world, a Human Machine Interface (HMI) is a system which allows an operator or engineer to interact with equipment which enables industrial processes to happen.
It is usually the primary means through which the operator is able to control processes in an ICS. A typical HMI displays a view of the process or processes it controls, allowing the user to monitor the ICS environment.
With this in mind, the HMI presents an attractive target for a cyber actor wishing to conduct either industrial espionage, or to achieve disruption. An attacker may employ one or more of the following techniques in order to achieve these goals:
- Manipulation – the attacker may remotely take over an HMI and adjust its inputs such as safety conditions, alerts or commands. This was seen in the 2015 attack on electrical substations in Ukraine, when operators reported watching their mouse cursor moving across the screen, outside of their control.
- Enumeration – a HMI often consists of a graphical depiction of the automatic control points for a process, which an attacker can use to harvest critical architecture information which might be useful to enable a planned future disruptive attack.
- Connection – where a HMI within an industrial environment is remotely accessible, an attacker may target the system to gain a foothold in the network, which could provide them with the opportunity to pivot to other systems within the ICS for disruption or further enumeration.
- Deception – attackers may decide to deceive the operator by ensuring that the HMI shows a process operating as usual when this is not the case. This was observed in the Stuxnet campaign, when malware targeting Siemens S7 PLCs modified the data sent from the PLC so that the HMI displayed incorrect information to the operator.
A Human Machine Interface (HMI) allows an operators to interact with equipment which enables industrial processes to happen. It is also a valuable target forcyber threat actors. What can be done to help?
Furthermore, HMI systems can be exposed to the internet and, or poorly configured with remote access software in place – making initial access relatively trivial.
We therefore recommend that industrial environments are physically and logically segregated from IT networks, with DMZ and firewalls in place, and that HMIs are only accessible from within the industrial environment.
Where remote access is unavoidable, regularly review remote access implementations and ensure they're configured securely.
It's also important to employ a risk-balanced approach to patching. It's not always possible to patch operational systems as soon as updates are released, and factors such as safety should also be considered alongside security.
You can also subscribe to relevant threat intelligence feeds to inform your strategic risk management processes and security operations.
Register to receive our Threat Intelligence Insights. A summary of recent activity and emerging trends, giving your organisation the information it needs to keep pace with the evolving cyber threat landscape.
Subscribe to Threat Intelligence Insights
About the author
Thomas Padden is a Cyber Security Consultant with BAE Systems Digital Intelligence
