Critical National Infrastructure (or CNI) is increasingly a target for nation-state cyber threat actors. Recently, we have seen the Sandworm threat group target electrical substations in Ukraine with the Industroyer2 malware, and new tools designed specifically to target multiple Industrial Control Systems (ICS) for disruptive or espionage means.
Industrial Control Systems (ICS) control physical processes in many CNI environments, including energy, water utilities and manufacturing.
As the lead for Technology-Focused Threat Intelligence (TFTI), I am involved in researching cyber threats to technologies and functions relevant to our business and clients in the Defence, Aerospace and Maritime sectors. Areas which I particularly focus on at the moment are the Internet of Things (IoT), the global Supply Chain and ICS.
The Human Machine Interface
Found in almost every factory floor, ship's engine room and power plant in the world, a Human Machine Interface (HMI) is a system which allows an operator or engineer to interact with equipment which enables industrial processes to happen.
It is usually the primary means through which the operator is able to control processes in an ICS. A typical HMI displays a view of the process or processes it controls, allowing the user to monitor the ICS environment.
With this in mind, the HMI presents an attractive target for a cyber actor wishing to conduct either industrial espionage, or to achieve disruption. An attacker may employ one or more of the following techniques in order to achieve these goals:
- Manipulation – the attacker may remotely take over an HMI and adjust its inputs such as safety conditions, alerts or commands. This was seen in the 2015 attack on electrical substations in Ukraine, when operators reported watching their mouse cursor moving across the screen, outside of their control.
- Enumeration – an HMI often consists of a graphical depiction of the automatic control points for a process, which an attacker can use to harvest critical architecture information which might be useful to enable a planned future disruptive attack.
- Connection – where an HMI within an industrial environment is remotely accessible, an attacker may target the system to gain a foothold in the network, which could provide them with the opportunity to pivot to other systems within the ICS for disruption or further enumeration.
- Deception – attackers may decide to deceive the operator by ensuring that the HMI shows a process operating as usual when this is not the case. This was observed in the Stuxnet campaign, when malware targeting Siemens S7 PLCs modified the data sent from the PLC so that the HMI displayed incorrect information to the operator.
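Two of the techniques above, Manipulation and Deception, leave traces that a monitoring team can look for: a setpoint change with no operator sitting at the console, and an HMI display that disagrees with an independent reading of the same process value. The following is an added illustration written for this article, not code from the author or from any HMI vendor; every tag name, tolerance, timestamp and session label is constructed, and the "out-of-band" source is assumed to be a historian or second sensor that does not pass through the PLC data the attacker controls.

```python
"""Added example (not part of the original article): detection logic for the
Manipulation and Deception techniques described above.  All tag names,
thresholds, timestamps and session labels are constructed sample data."""

from dataclasses import dataclass

# Constructed sample: the values the HMI currently renders for each process tag.
HMI_DISPLAY = {
    "PUMP1_FLOW":  {"value": 120.0,  "unit": "m3/h"},
    "TANK1_LEVEL": {"value": 55.0,   "unit": "%"},
    "MOTOR1_RPM":  {"value": 1450.0, "unit": "rpm"},
}

# Constructed sample: the same tags read via an independent path (assumed to be
# a historian or a second sensor), i.e. not the PLC-to-HMI data an attacker who
# has compromised the PLC can rewrite, as in the Stuxnet case.
OOB_READINGS = {
    "PUMP1_FLOW":  120.5,
    "TANK1_LEVEL": 54.0,
    "MOTOR1_RPM":  1990.0,   # disagrees with the HMI: candidate deception
}

# Constructed tolerances: how far the two sources may diverge before alerting.
TOLERANCE = {"PUMP1_FLOW": 5.0, "TANK1_LEVEL": 3.0, "MOTOR1_RPM": 50.0}


@dataclass(frozen=True)
class Alert:
    kind: str
    tag: str
    detail: str


def detect_display_deception(display, oob, tolerance):
    """Flag tags whose HMI value diverges from the independent reading, or that
    have no independent reading at all (so deception could not be detected)."""
    alerts = []
    for tag, shown in display.items():
        if tag not in oob:
            alerts.append(Alert("no_oob_source", tag, "no independent reading"))
            continue
        delta = abs(shown["value"] - oob[tag])
        if delta > tolerance.get(tag, 0.0):
            alerts.append(Alert("display_mismatch", tag,
                                f"hmi={shown['value']} oob={oob[tag]} delta={delta:.1f}"))
    return alerts


# Constructed sample: setpoint/command writes logged by the HMI, together with
# the interactive session that was active when each write was issued (None
# means no logged-in operator at all).  Session labels are hypothetical.
WRITE_EVENTS = [
    {"ts": "2022-04-08T01:02:00Z", "tag": "PUMP1_SETPOINT", "old": 100, "new": 100,
     "session": "console:op_smith"},
    {"ts": "2022-04-08T01:15:30Z", "tag": "PUMP1_SETPOINT", "old": 100, "new": 0,
     "session": None},
    {"ts": "2022-04-08T01:16:05Z", "tag": "BREAKER3_CMD", "old": "CLOSED", "new": "OPEN",
     "session": "rdp:10.0.9.7"},
]

# Session prefixes treated as a physically present operator (assumption).
LOCAL_SESSION_PREFIXES = ("console:",)


def detect_unattended_writes(events, local_prefixes=LOCAL_SESSION_PREFIXES):
    """Flag control writes that changed a value but were issued with no operator
    session, or over a remote session: the 2015 Ukraine takeover described above
    drove the HMI from outside the control room."""
    alerts = []
    for ev in events:
        if ev["old"] == ev["new"]:
            continue  # nothing changed, nothing to review
        sess = ev["session"]
        if sess is None:
            alerts.append(Alert("write_without_session", ev["tag"],
                                f"{ev['ts']} {ev['old']}->{ev['new']}"))
        elif not sess.startswith(local_prefixes):
            alerts.append(Alert("write_over_remote_session", ev["tag"],
                                f"{ev['ts']} {ev['old']}->{ev['new']} via {sess}"))
    return alerts


if __name__ == "__main__":
    found = (detect_display_deception(HMI_DISPLAY, OOB_READINGS, TOLERANCE)
             + detect_unattended_writes(WRITE_EVENTS))
    for alert in found:
        print(alert)
```

The two checks are deliberately independent of the HMI software itself: the first needs a data path the HMI does not own, and the second needs the HMI's write audit log correlated with session logs. Neither tells an analyst what happened, only that the picture on screen or the commands issued no longer match a present operator, which is the condition both techniques rely on going unnoticed.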