For the past few years there has been a rise in cyber criminals attacking systems for profit. Many of the financially motivated attacks, like the TJX breach, have been well publicized. It appears that as attackers learn how to profit from their exploits, their illegal activities tend to increase as well. An attacker may start simply by compromising a system, but then may move on to stealing personal information from the user, information that can be sold. Once the attacker has compromised enough systems to create a botnet, he can rent them out.
We have not seen, as far as I am aware, any financially motivated attacks on control systems yet. An interesting example of a financially based cyber attack on energy companies would use data from the control network without actually affecting the control network. Traders within a company may use data from a historian, such as PI, to assist in the decision-making process regarding when to buy energy from other energy producers and when to sell excess energy. A historian that is shared with the trading group is typically set up in a DMZ between the corporate network and the control network. If an attacker gained access to the historian, he could view the same data the traders use to make their trade decisions.
A patient attacker could watch what occurs on the historian and look for trades occurring. The attacker could then use the information to make his own purchases, or he could begin manipulating the data the traders see in order to alter the choices the traders will make. The attacker could manipulate the data so traders purchase power at the wrong time or purchase from a particular energy producer. Two motivations for an attacker to target energy trading are corporate sabotage and profit. A competing corporation could influence the target company’s decision making, forcing it to make bad choices and hurting the company financially. The second, and more likely, reason would be to make a profit off of the company’s purchases and sales, either by buying stock in certain companies or by shorting a company.
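The scenario above turns on the DMZ historian showing traders something different from what the control network actually measured. One defensive check that follows from it is to reconcile the historian's copy of each tag against the control-side source that feeds it and flag values that are missing, stale, or out of tolerance. The following is an added example written for this post, not code from the original post or from OSIsoft or the PI product; it assumes the defender can read the same tags from both sides, and every tag name, timestamp and value in it is constructed sample data.

```python
"""Reconcile DMZ historian tag values against control-network readings.

Added example, not part of the original post. Assumes the defender can pull
the same tags from two places: the historian the trading group reads, and
the control-side source that feeds it. All tag names, timestamps and values
here are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sample:
    tag: str        # point name (constructed, e.g. "UNIT1.MW")
    ts: datetime    # time the sample was taken
    value: float    # engineering value


@dataclass(frozen=True)
class Finding:
    tag: str
    kind: str       # "mismatch", "stale" or "missing"
    detail: str


def _latest_per_tag(samples):
    """Keep only the newest sample for each tag."""
    latest = {}
    for s in samples:
        if s.tag not in latest or s.ts > latest[s.tag].ts:
            latest[s.tag] = s
    return latest


def reconcile(historian, reference, *, rel_tol=0.02,
              max_lag=timedelta(minutes=5)):
    """Compare the newest historian sample per tag with the control-side reading.

    Returns a list of Finding objects sorted by tag. An empty list means the
    DMZ copy agrees with its source within rel_tol and is no more than
    max_lag behind it.
    """
    latest_hist = _latest_per_tag(historian)
    latest_ref = _latest_per_tag(reference)
    findings = []
    for tag, ref in sorted(latest_ref.items()):
        hist = latest_hist.get(tag)
        if hist is None:
            findings.append(Finding(tag, "missing", "tag absent from historian"))
            continue
        lag = ref.ts - hist.ts
        if lag > max_lag:
            findings.append(Finding(tag, "stale", f"historian lags source by {lag}"))
            continue
        # Relative deviation; the floor keeps a zero reference from dividing by zero.
        denom = max(abs(ref.value), 1e-9)
        if abs(hist.value - ref.value) / denom > rel_tol:
            findings.append(Finding(tag, "mismatch",
                                    f"historian={hist.value} source={ref.value}"))
    return findings


def demo():
    """Run the check over constructed data: one good tag, one altered value,
    one stale tag and one tag missing from the historian."""
    t0 = datetime(2008, 6, 1, 12, 0)
    reference = [  # control-side readings (constructed)
        Sample("UNIT1.MW", t0, 250.0),
        Sample("UNIT2.MW", t0, 180.0),
        Sample("TIE.MW", t0, -40.0),
        Sample("SPOT.PRICE", t0, 62.5),
    ]
    historian = [  # what the DMZ historian currently serves (constructed)
        Sample("UNIT1.MW", t0 - timedelta(minutes=1), 250.4),   # within tolerance
        Sample("UNIT2.MW", t0 - timedelta(minutes=1), 95.0),    # altered value
        Sample("TIE.MW", t0 - timedelta(minutes=30), -40.0),    # stopped updating
        # SPOT.PRICE never reached the historian
    ]
    return reconcile(historian, reference)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.tag:12} {f.kind:9} {f.detail}")
```

The tolerance and lag thresholds are deliberately parameters: a generation tag that legitimately swings several percent between scans needs a looser `rel_tol` than a settled price, so the values should come from each tag's normal behaviour rather than a single site-wide constant.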
This attack requires a great deal of knowledge of a company’s trading habits. An attacker would have to spend a lot of time on the network or possibly have insider knowledge. While I think it would be an interesting attack, the amount of time necessary to learn the system would prevent it from being common. It may be a while before we see anything like this in the SCADA sector, as there are so many other places for an attacker to look in order to make quick money.
Side note: The group at C4 released a vulnerability advisory on the authentication scheme in OSIsoft’s PI.