# Cyber Threats to UK National Grid
---
## TODO
https://ieeexplore.ieee.org/document/6579516
---
## Background
- Most **Operational Technology** (OT) running UK **Critical National Infrastructure** (CNI) uses a protocol called **SCADA**
- Old (and very common) versions of **SCADA systems are very insecure**
- SCADA systems were **not designed to be connected to the internet** hence not having security built in
- They are **increasingly being connected to the internet** and corporate Information Technology (IT) networks
- If you can get **access to an OT network**, you have complete **control of the infrastructure**
---
## Malware infecting IT network
- **Trojans** are one of the most common types of malware to affect IT networks
- The main way that Trojans gain access is by installation through specially crafted **email attachments, web-links and download packages**
- After being installed trojans will be able to **conduct covert surveillance**
---
## OT Exposed to Internet
- Use of search engines such as **shodan** can lead attackers to SCADA systems
- SCADA systems are generally old and insecure
- These systems should generally not be internet-facing
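The defender's counterpart to a Shodan lookup is checking your own external attack surface. Below is an added example (not part of the original slides) that triages a constructed export of internet-facing services and flags anything that looks like an ICS/SCADA endpoint. The record format, the default-port table and the banner keywords are assumptions for illustration, not a real Shodan export schema.

```python
"""Flag internet-facing services that look like ICS/SCADA endpoints.

Added example; record format, port table and keywords are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default ports of common industrial protocols. A port match is a strong
# indicator, not proof, so findings still need human review.
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Banner keywords that catch ICS web front-ends on non-default ports
BANNER_KEYWORDS = ("scada", "hmi", "modbus", "plc", "simatic")


@dataclass
class ExposedService:
    ip: str
    port: int
    banner: str


def classify(service: ExposedService) -> Optional[str]:
    """Return the suspected ICS protocol/indicator, or None if not ICS-related."""
    proto = ICS_PORTS.get(service.port)
    if proto:
        return proto
    lowered = service.banner.lower()
    for keyword in BANNER_KEYWORDS:
        if keyword in lowered:
            return f"banner:{keyword}"
    return None


def triage(services: List[ExposedService]) -> List[Tuple[str, int, str]]:
    """Return (ip, port, reason) for every service that should not be internet-facing."""
    findings = []
    for s in services:
        reason = classify(s)
        if reason:
            findings.append((s.ip, s.port, reason))
    return findings


# Constructed sample export using RFC 5737 documentation addresses
SAMPLE = [
    ExposedService("192.0.2.10", 502, ""),
    ExposedService("192.0.2.11", 443, "HTTP/1.1 200 OK Server: nginx"),
    ExposedService("192.0.2.12", 8080, "HTTP/1.1 200 OK Title: SCADA HMI Login"),
    ExposedService("192.0.2.13", 22, "SSH-2.0-OpenSSH_8.9"),
]

if __name__ == "__main__":
    for ip, port, reason in triage(SAMPLE):
        print(f"{ip}:{port} needs review: {reason}")
```

Run against a real export of your own address space, the two findings here (an open Modbus port and an HMI login page on 8080) are exactly the kind of asset that should sit behind a VPN or a firewalled OT network rather than on the public internet.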
---
## Shodan Search

---
## Phishing
- Phishing can be used to gain access to the OT network through the IT network
- Phishing attacks allow the attacker to obtain credentials for the OT network by tricking staff of the organization into revealing them. This makes the attack hard to detect until the attacker chooses to use those credentials
---
## Cyber Kill Chain
- It would be best to stop a trojan attack at the delivery step of the Cyber Kill Chain
- This can be done with staff training on identifying suspicious emails
- A company's IT team could also filter incoming emails, remove some entirely, and add cautionary banners to suspicious emails
- If a company adopts a zero trust model it would be harder for attackers to pivot
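The email filtering and banner idea above can be shown as a small policy engine. This is an added example, not code from the original slides: it scores constructed inbound messages for trojan-delivery indicators (external sender, executable or macro-enabled attachment, double extension, urgency wording) and decides whether to drop the message, deliver it with a cautionary banner, or deliver it untouched. The message structure, the internal domain `example.co.uk`, the indicator lists and the thresholds are all assumptions.

```python
"""Drop, banner or deliver inbound email based on trojan-delivery indicators.

Added example; message structure, domain and indicator lists are assumptions."""
import os
from dataclasses import dataclass, field
from typing import List, Optional

INTERNAL_DOMAIN = "example.co.uk"  # assumption: the organisation's own domain
# Extensions commonly used to deliver executable payloads by email
DANGEROUS_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".lnk"}
MACRO_EXT = {".docm", ".xlsm"}
URGENCY_WORDS = ("urgent", "verify your account", "password", "invoice overdue")
BANNER = "[CAUTION: external email - do not open attachments or links unless expected]\n\n"


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def indicators(mail: Email) -> List[str]:
    """Return the names of every indicator that fired for this message."""
    hits = []
    domain = mail.sender.rsplit("@", 1)[-1].lower()
    if domain != INTERNAL_DOMAIN:
        hits.append("external-sender")
    for name in mail.attachments:
        lowered = name.lower()
        ext = os.path.splitext(lowered)[1]
        if ext in DANGEROUS_EXT:
            hits.append(f"executable-attachment:{name}")
        elif ext in MACRO_EXT:
            hits.append(f"macro-attachment:{name}")
        # e.g. invoice.pdf.exe: a benign-looking name hiding a payload extension
        if lowered.count(".") >= 2 and ext in DANGEROUS_EXT | MACRO_EXT:
            hits.append(f"double-extension:{name}")
    text = (mail.subject + " " + mail.body).lower()
    if any(word in text for word in URGENCY_WORDS):
        hits.append("urgency-language")
    return hits


def decide(mail: Email) -> str:
    """Policy: drop executable attachments outright, banner anything else
    that raised an indicator, deliver the rest untouched."""
    hits = indicators(mail)
    if any(h.startswith("executable-attachment") for h in hits):
        return "drop"
    if hits:
        return "banner"
    return "deliver"


def apply_policy(mail: Email) -> Optional[Email]:
    """Return the message as the user would receive it, or None if dropped."""
    action = decide(mail)
    if action == "drop":
        return None
    if action == "banner":
        return Email(mail.sender, mail.subject, BANNER + mail.body, list(mail.attachments))
    return mail


# Constructed sample messages
SAMPLES = [
    Email("ops@example.co.uk", "Shift rota", "Rota attached.", ["rota.xlsx"]),
    Email("accounts@supplier-example.com", "Invoice overdue", "See attached.", ["invoice.pdf.exe"]),
    Email("news@vendor-example.com", "Newsletter", "Monthly update.", []),
]

if __name__ == "__main__":
    for mail in SAMPLES:
        print(f"{mail.sender!r}: {decide(mail)} {indicators(mail)}")
```

The point of separating `indicators` from `decide` is that the indicator list can be logged for the SOC even when the message is delivered, which is what lets a later incident be traced back to the delivery step.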
---
## Case study: Stuxnet
---
### Weaponization
NSA and Unit 8200 used multiple attacks and exploits, including four Windows 0-days and one for the SCADA database software
---
### Delivery
Stuxnet used multiple delivery methods to ensure it could infect the facility, including remote exploitation of Windows devices using RPC, and infecting USB drives to reach air-gapped networks
---
### Exploitation
The worm's spreading mechanism worked so well that it infected many computers worldwide in addition to the targeted facility.
Once a computer is infected, however, the worm runs multiple checks to ensure it does not harm untargeted computers, such as checking whether the computer is running Siemens software.
---
### Actions and objectives
Disrupt and damage Iran's nuclear program
---
## Further Reading
- Daneels, A. and Salter, W., 1999. What is SCADA?
- Igure, V.M., Laughter, S.A., Williams, R.D., 2006. Security issues in SCADA networks. Computers & Security. https://doi.org/10.1016/j.cose.2006.03.001
- Sayegh, N., Chehab, A., Elhajj, I.H., Kayssi, A., 2013. Internal security attacks on SCADA systems. 2013 Third International Conference on Communications and Information Technology (ICCIT). https://doi.org/10.1109/iccitechnology.2013.6579516
- Langner, R., 2011. Stuxnet: Dissecting a Cyberwarfare Weapon. IEEE Secur. Privacy Mag. https://doi.org/10.1109/msp.2011.67
---