Industrial Control Systems (ICS) are used in almost all infrastructures handling physical processes. Applications range from energy production and distribution, gas and water supply to industrial automation, traffic control systems and facility management.
Many attacks on OT systems seem to target older devices running unpatched software, indicating that OT networks are increasingly being targeted by IT-based legacy attacks that are no longer effective against IT networks. However, the industry as a whole is also tracking a disturbing rise in purpose-built OT attacks designed to target SCADA and ICS.
Malware targeted specifically at ICS and SCADA systems has been developed and deployed for over a decade. Attacks specifically designed for OT systems seem to be on the rise, with safety systems increasingly being a target. A handful of OT-based attacks over the past decade have managed to make headlines, including Stuxnet, Havex, BlackEnergy, and Industroyer.
For those OT organisations responsible for critical infrastructure, any sort of compromise needs to be taken extremely seriously.
OT security challenges
In light of the increasing frequency of incidents and newly discovered vulnerabilities for ICS, asset owners need to address these issues urgently. Hence, they have to consider the risk and damage potential of untargeted malware as well as targeted, high quality attacks against ICS infrastructures.
This applies to infrastructures directly connected to the internet as well as those that can be compromised by cyber attacks indirectly. Cybercriminals also target devices by focusing on the wide variety of OT protocols in place. While IT systems have been standardized TCP/IP, OT systems use a wide array of protocols—many of which are specific to functions, industries, and geographies. This can create a challenge as security managers have to create disparate systems to secure their environment, creating complexity from different vendor offerings and products. As with legacy IT-based malware attacks, these structural problems are exacerbated by poor security hygiene practices within many OT environments; often as a result of digital transformation efforts.
The following top five OT security threats provide an overview of the most critical and the most common threats to Operational Technology.
1. Malware infiltration via external hardware and removable media
Used in the office and at ICS networks, removable media such as external hardware and USB flash drives are frequently used at home as well. Notebooks for example, carrying external data and maintenance software, are likely to be used at different (public) locations and organisations. Traditionally, ICS security awareness is mainly focused on availability and physical security, such as access restrictions, safety and protection from external influences. This is why cyber security awareness training about the effects of malware and techniques used by cybercriminals to infiltrate systems, is often low among employees.
There are multiple examples of malware (and ransomware) that have caused financial, operational and reputational damage to industries. Potential threat scenarios can be executable files and applications containing malicious code, resulting in data leakage and malware infection. When accessing office networks or infrastructure, an infected notebook computer could quickly infect systems and components with malicious code, once the notebook is being operated in the ICS network.
Having strong organisational policies in place, offering virus protection and running security awareness campaigns on the use of external devices such as USB flash drives and notebooks is not enough. To prevent malware infections from causing extensive damage, OT security solutions should at least provide IT teams with user access management tools, policy enforcement and Endpoint Security controls, as well as full encryption capabilities.
2. Human error
Employees and external personnel such as maintenance or construction workers, working in an ICS environment, often pose challenges for security.
Systems can be compromised by unauthorised or incorrectly configured software and hardware. Employees can (unwillingly) install malware through emails, games, or by inserting USB devices to their notebook for example. Often they are unaware of the risks that are being posed by such actions.
IT teams are also regularly being challenged by the amount of next-generation firewalls that have to be managed and updated or that have to be configured regularly. Having an unverified update or patch installed on networking or security components could cause them to run into functional and even critical problems. Allowing unauthorised access via mobile endpoints for example, is a common result of someone who has added incorrect rules to the firewalls.
Of course security can never be guaranteed by technical controls alone. Organisational regulations are required, as well as running qualifications and cyber security awareness training programmes. Organisations should introduce policies for critical processes in the ICS network such as standards concerning security and configuration management, regulating the involvement of security experts and other relevant roles. This ensures that changes or updates are implemented only after they have been consulted. In this context, it is important to document all agreements backed up by additional arrangements such as using the four-eyes principle.
The majority of OT attacks tend to target the weakest parts of OT networks. Many of these attacks often take advantage of the complexities caused by a lack of protocol standardisation, and a sort of implicit trust strategy that seems to permeate many OT environments. This trend is not limited to specific locales or sectors. Exploits are increasing in volume and prevalence for almost every ICS/SCADA vendor.
3. DDoS attacks and IoT-botnets
Firms increasingly have different kinds of IoT technologies connected to their network, including passive RFID, real-time location tracking (active RFID, ultra-wide band, ultrasound, etc.), GPS tracking, security sensors, grid sensors, and condition sensors. These devices also use a wide range of communications protocols, including Wi-Fi, cellular systems such as CDMA/GPRS/4G, mesh networks, telematics, and near-field communications (NFC). Each of these technologies not only introduces its own unique security challenges, but they are compounded by many of the security issues inherent in IoT devices that have been built using poor code, that have backdoors and passwords built directly into their firmware, or that operate as headless devices, preventing even basic updating and patching.
IoT-botnets became a well-known cyber threat during the Mirai attack. Botnets are controlled by Command and Control (C&C) networks. The hacker runs these C&C networks, which can be used to launch Distributed Denial of Service (DDoS) attacks.
With IoT device usage rapidly increasing in today's connected world, so does the threat of botnet DDoS attacks. Because many IoT devices lack built-in security measures, they are being 'recruited' into botnets and used to initiate DDoS attacks.
If connections between ICS components.are interrupted, transmitting and measuring control data, for example, is not possible. A common tactic used to cause outages of components and systems is to overload a component with a very high number of queries making it impossible to deliver a timely answer. In some cases these DDoS attacks are distributed over several threat agents.
With more and more IoT devices out there, the new generation of botnet DDoS attacks means that the number of threats and their devastating potential for Operation Technology will grow in the coming years. That’s why mitigating massive traffic volumes using DDoS protection solutions is considered a major cyber security priority for the years to come, as also described in our top challenges for network security.
Threat scenarios include DDoS attacks being initiated by hacktivists or by buyers of rentable botnets, targeting internet connections of central or remote components. Interfaces of individual components, such as application servers or databases, can also crash when being targeted - by interrupting processing logic for example.
4. Malware infection via Internet and Intranet
Most recently, Triton/Trisis targeted safety instrumented system (SIS) controllers. This attack is especially concerning because in many respects it is the first true cyber-physical attack on OT systems. And given the fact that this malware targets a safety system, the outcome of such an attack could potentially be much worse; not only destroying machinery but threatening lives.
Closely related to Human Error, enterprise networks are often infected with malware due to human error, but also because of the use of standard components such as web servers and databases. Browsers or e-mail clients are typically connected to the Internet for example, with new vulnerabilities discovered almost every day. These vulnerabilities are being used to deploy malware, causing critical or sensitive information to be obtained by the threat agent.
Furthermore, maintaining IT security is hampered by the increasing prevalence of ethernet-based networks and protocols in ICS environments and their connection to enterprise computing (file servers, ERP and MES systems). If a threat agent manages to get into the office network, by exploiting zero-day exploits for example, he may infiltrate the ICS network directly or via a subsequent attack. Unfortunately many anti-virus and email security products are not able to detect these attacks, causing them to silently gather information and cause damage. A commonly used tactic carried out by perpetrators is the ‘drive-by download’ method. The malware infection happens when someone simply visits a website, or when systems that are part of the control room or operating controls browse the internet. Other common threat scenarios are SQL injection, untargeted malware such as worms and cross-site scripting.
Regular and timely patching of operating systems and applications in the office and back-end networks and, if applicable, in ICS networks is essential to preventing malware infiltration. Monitoring log files for unusual connections or connection attempts and ensuring optimal hardening of all IT components (services, computers) used in the office and ICS environments is also vital.
5. Compromising cloud components
Security specific components are occasionally offered as a cloud security solution. These solutions are also gaining traction in the ICS sector. Remote maintenance solution providers for example, place client systems for remote access in the cloud. Cloud-based solutions offer scalability, pay-per-use models and redundancy. However, asset owners have limited control over the security of these components while they are connected to local production. This poses OT Cloud Security threats such as disrupted communication between local production and outsourced (cloud) components due to DDoS attacks. Attacks on other cloud services may also lead to interference (collateral damage), when clients of a cloud provider are insufficiently separated.
What can you do?
- Consult with supplying parties on possible attack vectors via the management plane, aim to restrict the surface(s) via RBAC, two factor authentication and extend logging from the remote management/maintenance supplier into your SIEM.
- Isolate critical infrastructure from office automation, production networks, IT devices, and staff using segmentation and micro segmentation strategies.
- Implement two-factor authentication, including biometrics (e.g. fingerprint, voice, facial recognition, etc.), and establish role-based Identity and Access Management (IAM) for all employees, as well as privileged identity management (PIM) for administrators. Restrict access to "legacy management ports" (i.e. serial port) and implement logging of use.
- Invest in and build out SCADA/ICS, OT, and IoT-specific security expertise.
Ensure continuous logging and analysing of all network traffic (security analytics) with SIEM.
- Consult with government bodies such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and implement common standards such as ISA/IEC-62443 or ISA-99.
- Implement critical network security controls, such as NGFW, IPS, and Sandboxing at the edge of the OT environment; increasing the centralisation of device management and decision making; encrypting data and traffic; and given the highly sensitive nature of the sensors and systems deployed in critical infrastructure environments, establishing passive monitoring and controls within the OT environment.
21 October 2019