December 26, 2024

Security Sessions | Combating ICS Threats

by Joe Slowik

Introduction

2017 featured a number of concerning discoveries in industrial control systems (ICS) network security: targeted, disruptive attacks; ICS-focused threat activity groups; and increasing permeability between IT and ICS networks. Underlying these developments is an increase in ICS security visibility and awareness, allowing asset owners and defenders to finally glimpse the full scale of the ICS threat landscape. As adversaries continue to refine their tactics and threats evolve into new and potentially more harmful forms, defenders should not read the growing number of identified events as a sign that defenses are failing. Rather, with increased visibility comes the possibility to improve and refine knowledge and defensive methodology. By studying and reviewing the threats facing ICS environments, network defenders can formulate plans and procedures against entire methods of operation, instead of specific examples of ICS intrusions, to build more robust protections. By adopting this threat-centric, iterative approach, defenders can keep pace with malicious actors and work to ensure ICS network security.

ICS Threats: A Growing Concern

2017 saw an increase in identified ICS security activity, ranging from targeted attacks displaying significant skill and expertise to IT-focused malware that produced substantial ICS impacts. While the amount of recorded activity increased, this more than likely reflects greater visibility and effort on the part of defenders, as attacks are actually caught and observed. Outside of truly destructive attacks, from STUXNET[1] to the German steel mill event[2] to CRASHOVERRIDE[3], ICS intrusions typically do not register in traditional security metrics, if they are caught at all. For reference, ICS-CERT's Year in Review indicates that organizations struggle to determine the origin and impact of potential intrusion events, as shown by the predominance of "unknown" in the metrics for ICS security events and their impacts[4]. With greater attention and effort comes enhanced visibility and awareness, shedding light on the true scope of the ICS threat landscape.

This increased attention in 2017 yielded surprising results: two targeted, destructive attacks identified; at least five activity groups targeting ICS networks; and multiple low-level, commodity infection events indicative of increasing interconnectedness between IT and ICS resources. Throughout 2017, the predominant reaction to events was not, “why are there so few events?” but rather “why are there so many?” Moreover, we believe with high confidence that the brief overview of activity above only scratches the surface of what actually occurred throughout the year.

As ICS defense matures and visibility increases, many of these presently "hidden" items will come into view. But we must learn from what we can see to identify how threats operate, so we can best approach how to defeat them. A truly threat-focused approach to ICS network defense takes the specific examples learned through, in this case, a year's experience and extrapolates to capture entire classes or categories of potential adversary behaviors. The ICS community will meet the increasing challenge of motivated adversaries only through rigorous analysis and understanding of the threat environment, combined with a dedication to root-cause analysis to eliminate "unknowns."

Targeted Attacks

The headline-grabbing ICS security items for 2017 were two targeted, disruptive attacks: the CRASHOVERRIDE event in Ukraine (launched in December 2016, but not fully understood until mid-2017); and the TRISIS attack on safety instrumented systems (SIS) in August 2017[5]. Both events pushed the boundaries of ICS threats in their own unique ways: CRASHOVERRIDE by demonstrating the ability to impact electric grid operations directly through malware; and TRISIS by expanding ICS targeting to SIS devices. In the case of the former, the adversary created a “playbook” for how to create and deploy a flexible malware framework leading to an ICS impact (in this case, a power outage). For the latter, the attacker pushed the boundaries of ICS targeting beyond standard operational elements to the equipment tasked with safeguarding equipment and human lives.

The impacts of both events on the wider ICS community are clear and disturbing. First, adversaries are moving beyond the direct, manual manipulation of ICS controls (as seen in the 2015 Ukraine attack[6]) to more automated and potentially autonomous means of delivering an ICS effect. Second, adversaries clearly demonstrated that no part of the ICS network — or its supporting functions and equipment — is safe from potential malicious activity. To further this last point, the TRISIS event implicitly includes the adversary's acceptance of risk that the event could result in potential harm to human life.

While CRASHOVERRIDE and TRISIS represent the “highlight” events for 2017, significant activity took place beneath the headlines. Most importantly, at least five dedicated ICS threat activity groups emerged over the course of the year. Some of these, such as the COVELLITE adversary, are linked to known IT intrusion behavior, while others, such as DYMALLOY, appear to be an evolution of past ICS activity[7]. While only a handful demonstrated the ability to migrate into the ICS network from initial IT beachheads with an ability to then navigate the ICS environment, all showed a clear intent of gathering information on and preparing for future operations in ICS networks.

Based on observed activity, multiple groups continue to probe ICS-related networks, and new methods of operation within ICS environments, particularly for causing disruption, emerged for current and future threat actors to emulate. Given that observed activity does not represent everything that took place in 2017, defenders should expect continued efforts to build, develop, and refine operations targeting ICS environments as we move into 2018.

The Disappearing IT-ICS Divide

Less focused on ICS networks but of grave importance to ICS defense, several strains of wormable malware emerged over the course of 2017 and demonstrated unequivocally that IT and ICS networks are more tightly linked than many would care to believe. Beginning in spring 2017 with WannaCry and continuing through the fall with BadRabbit, new, highly virulent malware strains proved capable of bridging the IT-ICS network divide with highly disruptive, and in some cases destructive, results.

The first piece of wormable malware, WannaCry, leveraged the recently patched SMBv1 vulnerabilities and the publicly released EternalBlue exploit to produce a ransomware infection that spanned the globe within hours. While much attention focused on impacts to entities such as the UK's National Health Service, WannaCry proved quite capable of impacting ICS environments, as various entities witnessed production-halting infections.

Fueling the WannaCry event were the vulnerabilities patched by Microsoft under MS17-010: weaknesses in version 1 of the Server Message Block protocol (SMBv1) targeted by the released exploits. More significantly, SMBv1 features prominently in both intra-ICS and IT-ICS communication links, due to older systems, legacy protocols, and outdated methods of data transfer. The result was an infection event that spread from initial IT nodes to impact ICS networks. The mantra of just applying the patch proved of little value, given the elements of ICS network operation that prevent quick application of software updates: long periods between maintenance windows, potential application incompatibility, and lack of vendor support. All of these factors combine to make the MS17-010 vulnerabilities lasting concerns within the ICS network. Where the patch cannot be applied, the compensating controls are to disable SMBv1 on hosts that do not depend on it, to block TCP/445 at the IT-ICS boundary, and to monitor that boundary to confirm the legacy dialect is no longer being negotiated across it.
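As an added example (not part of the original article, and not Dragos tooling), the following Python shows what "confirm the legacy dialect is no longer negotiated" looks like in a boundary monitor. It parses an SMB1 Negotiate Protocol Request/Response pair as carried over TCP/445 and reports only when the server actually selects an SMBv1 dialect: a request that merely lists "NT LM 0.12" is not enough, because pre-Windows 10 clients send an SMB1 Negotiate that also offers "SMB 2.002"/"SMB 2.???", and an SMB2-capable server answers that with an SMB2 response. The NetBIOS Session Service framing and SMB1 header layout follow the published protocol; all packet bytes, dialect lists and the builder helpers are constructed here for the demonstration.

```python
"""Classify an SMB dialect negotiation observed at an IT/ICS boundary.

Constructed example: flags sessions where the server chose an SMBv1 dialect
(the condition that matters for MS17-010 exposure), and distinguishes them
from SMB1-framed requests that were upgraded to SMB2/3 by the server.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_HEADER_LEN = 32          # fixed SMB1 header size
SMB_COM_NEGOTIATE = 0x72      # SMB1 Negotiate Protocol command code
NO_DIALECT = 0xFFFF           # DialectIndex meaning "none acceptable"


def strip_nbss(payload: bytes) -> bytes:
    """Remove the NetBIOS Session Service header (type 0x00 + 3-byte length)."""
    if len(payload) < 4 or payload[0] != 0x00:
        raise ValueError("not a NBSS session message")
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated NBSS message")
    return body


def parse_smb1_negotiate_request(msg: bytes) -> list:
    """Return the dialect strings offered by the client, in wire order."""
    if msg[:4] != SMB1_MAGIC or msg[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 Negotiate request")
    if msg[SMB1_HEADER_LEN] != 0:          # WordCount is 0 for this request
        raise ValueError("unexpected WordCount")
    (byte_count,) = struct.unpack_from("<H", msg, SMB1_HEADER_LEN + 1)
    data = msg[SMB1_HEADER_LEN + 3:SMB1_HEADER_LEN + 3 + byte_count]
    # Each entry is a 0x02 buffer-format byte followed by a NUL-terminated string.
    return [e[1:].decode("ascii") for e in data.split(b"\x00") if e.startswith(b"\x02")]


def parse_smb1_negotiate_response(msg: bytes) -> int:
    """Return the DialectIndex the server chose from the client's list."""
    if msg[:4] != SMB1_MAGIC or msg[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 Negotiate response")
    if not msg[9] & 0x80:                  # Flags.SMB_FLAGS_REPLY must be set
        raise ValueError("not a server reply")
    if msg[SMB1_HEADER_LEN] == 0:          # a response always carries words
        raise ValueError("empty Negotiate response")
    (index,) = struct.unpack_from("<H", msg, SMB1_HEADER_LEN + 1)
    return index


def classify_negotiation(request: bytes, response: bytes) -> dict:
    """Decide which protocol family the session ended up on."""
    dialects = parse_smb1_negotiate_request(strip_nbss(request))
    resp = strip_nbss(response)
    if resp[:4] == SMB2_MAGIC:
        # Server took the "SMB 2.???" multi-protocol path: no SMBv1 session.
        return {"protocol": "SMB2+", "dialect": None, "finding": None}
    index = parse_smb1_negotiate_response(resp)
    if index == NO_DIALECT or index >= len(dialects):
        return {"protocol": "none", "dialect": None, "finding": None}
    chosen = dialects[index]
    return {"protocol": "SMB1", "dialect": chosen,
            "finding": f"SMBv1 dialect '{chosen}' negotiated: MS17-010 exposure"}


# --- constructed sample traffic (not a real capture) -------------------------
def _nbss(body: bytes) -> bytes:
    return b"\x00" + len(body).to_bytes(3, "big") + body


def _smb1_header(flags: int) -> bytes:
    # Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures, Reserved,
    # TID, PIDLow, UID, MID: 28 bytes after the 4-byte magic.
    return SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, flags,
                                    0xC841, 0, b"\x00" * 8, 0, 0, 0, 0, 0)


def build_negotiate_request(dialects) -> bytes:
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _nbss(_smb1_header(0x18) + b"\x00" + struct.pack("<H", len(data)) + data)


def build_smb1_negotiate_response(index: int) -> bytes:
    words = struct.pack("<H", index) + b"\x00" * 32   # WordCount 17 = 34 bytes
    return _nbss(_smb1_header(0x98) + bytes([17]) + words + b"\x00\x00")


def build_smb2_negotiate_response() -> bytes:
    return _nbss(SMB2_MAGIC + b"\x00" * 60)           # header only; enough to classify


LEGACY_PAIR = (build_negotiate_request(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"]),
               build_smb1_negotiate_response(1))
MODERN_PAIR = (build_negotiate_request(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
               build_smb2_negotiate_response())

if __name__ == "__main__":
    for name, pair in (("legacy", LEGACY_PAIR), ("modern", MODERN_PAIR)):
        print(name, classify_negotiation(*pair))
```

Run against real traffic, the same classifier would sit behind a packet capture on the boundary firewall's span port; a hit on the "SMB1" branch for a flow that crosses from IT into ICS is the signal that a compensating control has not actually taken effect.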

After WannaCry, new wormable malware strains emerged that added an operational wrinkle to propagation. These strains, NotPetya and BadRabbit, combined exploits with credential capture and replay to spread throughout target networks; NotPetya, for instance, paired the MS17-010 exploits with credentials stolen from memory and replayed over PsExec and WMIC. In this case, even systems that had patched the underlying vulnerabilities, or never exposed the vulnerable services to begin with, faced the possibility of compromise. More significantly for ICS networks, this method of propagation is uniquely suited to IT-ICS communication: an engineer's IT workstation could be compromised, yielding credentials that enable remote access to the ICS network. Follow-on propagation within the ICS network would then be fueled by weak authentication schemes and credential re-use. The result is a uniquely virulent infection and propagation method with the potential to rapidly impact ICS networks.
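The credential replay pattern described above has a distinctive shape in authentication logs: one account, replayed from one source, reaching many destinations in minutes. As an added example (not from the original article or any vendor product), the Python below implements that rule over Windows-style logon events. The zone map, addresses, accounts, threshold and window are assumptions for the demonstration, and the sample events are constructed, not real logs.

```python
"""Detect credential replay lateral movement in authentication logs.

Constructed example: flags an account whose network logons (Windows logon
type 3, the type PsExec/WMI/SMB sessions produce) reach more than MAX_HOSTS
distinct destinations inside a sliding WINDOW, and records whether that
fan-out crosses from the IT zone into an ICS zone.
"""
from collections import deque
from datetime import datetime, timedelta

# Assumed zone map keyed on address prefix; a real deployment would use the
# site's asset inventory instead.
ZONES = {"10.10.": "IT", "10.20.": "ICS-DMZ", "10.30.": "ICS"}
NETWORK_LOGON = 3             # Windows logon type for network sessions
MAX_HOSTS = 3                 # distinct destinations tolerated per window
WINDOW = timedelta(minutes=10)


def zone_of(ip: str) -> str:
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"


def detect_credential_fanout(events, max_hosts=MAX_HOSTS, window=WINDOW):
    """Return one finding per account whose network logons exceed max_hosts
    distinct destinations within any window-sized span; the finding grows
    while the fan-out continues."""
    logons = sorted((e for e in events if e["logon_type"] == NETWORK_LOGON),
                    key=lambda e: e["ts"])
    recent = {}      # account -> deque of (timestamp, src, dst) inside window
    findings = {}
    for e in logons:
        ts = datetime.fromisoformat(e["ts"])
        q = recent.setdefault(e["account"], deque())
        while q and ts - q[0][0] > window:
            q.popleft()                      # drop logons that aged out
        q.append((ts, e["src"], e["dst"]))
        hosts = {dst for _, _, dst in q}
        if len(hosts) <= max_hosts:
            continue
        crosses = any(zone_of(s) == "IT" and zone_of(d).startswith("ICS")
                      for _, s, d in q)
        prior = findings.get(e["account"])
        findings[e["account"]] = {
            "account": e["account"],
            "first_seen": prior["first_seen"] if prior else q[0][0].isoformat(),
            "last_seen": ts.isoformat(),
            "hosts": sorted(hosts | set(prior["hosts"] if prior else ())),
            "sources": sorted({s for _, s, _ in q}),
            "crosses_it_to_ics": crosses or bool(prior and prior["crosses_it_to_ics"]),
        }
    return list(findings.values())


# Constructed sample events (not real logs): an engineering account is replayed
# from an IT workstation into five ICS-side hosts in four minutes; a historian
# service account polls two gateways hourly; an admin touches four hosts but
# spread across two hours; one interactive logon (type 2) must be ignored.
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T09:55:00", "account": "CORP\\eng01", "src": "10.10.5.21", "dst": "10.10.5.21", "logon_type": 2},
    {"ts": "2017-06-27T10:00:00", "account": "CORP\\eng01", "src": "10.10.5.21", "dst": "10.20.1.5", "logon_type": 3},
    {"ts": "2017-06-27T10:01:00", "account": "CORP\\eng01", "src": "10.10.5.21", "dst": "10.30.1.7", "logon_type": 3},
    {"ts": "2017-06-27T10:02:00", "account": "CORP\\eng01", "src": "10.10.5.21", "dst": "10.30.1.8", "logon_type": 3},
    {"ts": "2017-06-27T10:03:00", "account": "CORP\\eng01", "src": "10.10.5.21", "dst": "10.30.1.9", "logon_type": 3},
    {"ts": "2017-06-27T10:04:00", "account": "CORP\\eng01", "src": "10.10.5.21", "dst": "10.30.1.10", "logon_type": 3},
    {"ts": "2017-06-27T09:00:00", "account": "CORP\\svc-hist", "src": "10.20.1.5", "dst": "10.30.1.7", "logon_type": 3},
    {"ts": "2017-06-27T09:00:05", "account": "CORP\\svc-hist", "src": "10.20.1.5", "dst": "10.30.1.8", "logon_type": 3},
    {"ts": "2017-06-27T10:00:00", "account": "CORP\\svc-hist", "src": "10.20.1.5", "dst": "10.30.1.7", "logon_type": 3},
    {"ts": "2017-06-27T10:00:05", "account": "CORP\\svc-hist", "src": "10.20.1.5", "dst": "10.30.1.8", "logon_type": 3},
    {"ts": "2017-06-27T08:00:00", "account": "CORP\\admin7", "src": "10.10.9.2", "dst": "10.10.3.1", "logon_type": 3},
    {"ts": "2017-06-27T08:30:00", "account": "CORP\\admin7", "src": "10.10.9.2", "dst": "10.10.3.2", "logon_type": 3},
    {"ts": "2017-06-27T09:15:00", "account": "CORP\\admin7", "src": "10.10.9.2", "dst": "10.10.3.3", "logon_type": 3},
    {"ts": "2017-06-27T10:05:00", "account": "CORP\\admin7", "src": "10.10.9.2", "dst": "10.10.3.4", "logon_type": 3},
]

if __name__ == "__main__":
    for finding in detect_credential_fanout(SAMPLE_EVENTS):
        print(finding)
```

The threshold and window need tuning per site: a historian or backup account legitimately touches many hosts, so the production version of this rule keeps an allow-list of service accounts and, more usefully, treats any fan-out whose sources are in IT and whose destinations are in ICS as high severity regardless of count.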

Overall, the conclusion from these events, none of them explicitly targeting ICS infrastructure, is that the notion of strictly segmented and divided IT and ICS networks is unrealistic. With relatively unsophisticated malware worming its way into sensitive, supposedly isolated networks, the barriers to entry for launching truly disruptive attacks are significantly lowered.

Combining Skilled Adversaries with Asset Convergence

The previous two sections highlight two seemingly unrelated trends: an increase in skilled, targeted adversaries within ICS, and the increasing impact of IT-focused malware on ICS environments. While each is useful to consider in isolation, combined, they could present a truly worrying trend for the future threat landscape.

Just as CRASHOVERRIDE and TRISIS provide operational "playbooks" for adversaries on how to disrupt ICS operations, WannaCry and subsequent events demonstrate the potency of wormable malware in penetrating sensitive networks. Considering that the first high-profile ICS malware, STUXNET, was a worm designed to compromise isolated network environments, this method of self-propagation to achieve access should not be surprising. Yet the simplicity of more recent network worms, and the efficacy of their propagation methods with respect to ICS, provide a unique and potent mechanism for harming these environments.

Defenders should expect adversaries to embrace this lesson and apply these “less sophisticated” techniques as a means to achieve initial ICS network access. While ICS disruptive effects will still require significant investments of time, energy, and resources to both develop and then deploy impacts to the ICS environment, one significant barrier to entry is reduced: the need to penetrate and compromise multiple nodes en route from the IT to target hosts within the ICS realm.

As a hypothetical, an adversary could repurpose one of these wormable samples to specifically target ICS resources — for example, by seeding the malware with sets of known ICS vendor-hardcoded credentials — and utilize this to gain initial access throughout the ICS network. After these compromised endpoints are identified and researched, the adversary then need only move required malicious impact software, such as a TRISIS or CRASHOVERRIDE, along these compromised pathways to create a disruptive ICS effect.

Conclusion

2017 featured a number of interesting and potentially alarming developments in ICS security: the discovery of two highly-targeted ICS attacks, the emergence of at least five specific groups working to compromise ICS networks, and several widespread IT infection events that produced significant ICS disruption. While this represents a concerning development in ICS network defense, ICS operators and defenders must view this as a point on a rising trendline, rather than a high-water mark in ICS malicious activity.

As visibility and awareness of ICS security issues continue to develop, ICS defenders should expect to uncover more malicious actors — and potentially more targeted attacks than were disclosed in 2017. While this may represent a worrying set of circumstances, greater visibility and transparency means that defenders will also be better positioned to respond to events. Rather than simply wait to be surprised by intrusions, defenders can work to build knowledge and experience off of disclosed attacks to build better defenses and operational resilience.

To this end, ICS asset owners and defenders should look at the substantial increase in identified, disclosed ICS events and malicious activity groups as an opportunity — a chance to learn what tradecraft, techniques, and methods are employed by malicious actors to build better defenses against these threat vectors. By abstracting from specific events to highlight operational commonalities and dependencies across all attacks, defenders can begin to focus and prioritize resources in an effort to confront and deny adversaries their likely objectives. Adopting this threat-centric model ensures network defenders remain poised to respond to actual, likely attack scenarios, and when adopted in a sufficiently ‘general’ manner, counter entire classes of malicious activity, rather than simply repetitions of previously observed events.

Examples of the above approach applied to activity observed in 2017 can take multiple forms. One of the most obvious and pressing is limiting and defending IT-ICS connections. These vital links bridging the more accessible IT network with the critical and potentially vulnerable ICS network provide a crucial first line of defense against both targeted attacks and self-propagating malware. Hardening these links by applying strong authentication mechanisms, reducing the number of links to the minimum necessary for operations, and applying robust monitoring of IT-ICS network communication can all be used to shore up this vital node against any potential ICS intrusion. Each of these depends on the same prerequisite: an inventory of which conduits actually exist, which can then be compared against what the site has documented as required.
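As an added example (not from the original article, and not a product feature), the Python below performs that comparison: it derives the cross-zone conduits actually in use from flow records, diffs them against the documented allow-list, and separates out undocumented conduits on the remote-access and file-sharing ports that a worm would use. Documented-but-unused conduits are the candidates for removal that drive the link count down to the operational minimum. The zone map, allow-list, port set and flow records are all constructed for the demonstration.

```python
"""Audit observed IT-ICS conduits against the documented allow-list.

Constructed example: a conduit is (source zone, destination host, destination
port) for traffic that crosses a zone boundary; intra-zone flows are ignored.
"""
ZONES = {"10.10.": "IT", "10.20.": "ICS-DMZ", "10.30.": "ICS"}
RISKY_PORTS = {135, 139, 445, 3389, 5985, 5986}   # RPC, NetBIOS/SMB, RDP, WinRM

# Documented conduits the site has agreed are required (assumed for the demo).
ALLOWED_CONDUITS = {
    ("IT", "10.20.1.5", 443),        # historian web front end in the DMZ
    ("IT", "10.20.1.10", 3389),      # jump host, the only RDP entry point
    ("ICS-DMZ", "10.30.1.7", 502),   # historian collector polling Modbus
    ("ICS-DMZ", "10.30.1.8", 502),
}


def zone_of(ip: str) -> str:
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"


def observed_conduits(flows):
    """Collapse flow records into the set of cross-zone conduits in use."""
    conduits = set()
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone != dst_zone:
            conduits.add((src_zone, dst, port))
    return conduits


def audit_conduits(flows, allowed=ALLOWED_CONDUITS):
    """Report undocumented conduits (block or investigate), the risky subset
    (worm-usable ports), and documented conduits nothing used (remove)."""
    observed = observed_conduits(flows)
    undocumented = sorted(observed - allowed)
    return {
        "undocumented": undocumented,
        "risky_undocumented": [c for c in undocumented if c[2] in RISKY_PORTS],
        "unused": sorted(allowed - observed),
    }


# Constructed flow records (src, dst, dst_port); not real telemetry.
SAMPLE_FLOWS = [
    ("10.10.5.21", "10.20.1.5", 443),    # documented: historian front end
    ("10.10.5.21", "10.20.1.10", 3389),  # documented: jump host
    ("10.10.7.3", "10.30.1.12", 445),    # IT workstation reaching an ICS host over SMB
    ("10.20.1.5", "10.30.1.7", 502),     # documented: collector polling a gateway
    ("10.30.1.7", "10.30.1.9", 502),     # intra-zone, not a conduit
    ("10.30.1.9", "10.10.2.2", 53),      # ICS host resolving names against IT DNS
]

if __name__ == "__main__":
    for key, value in audit_conduits(SAMPLE_FLOWS).items():
        print(key, value)
```

In practice the flow records come from the boundary firewall or a span-port sensor, and the audit runs on a schedule so that a conduit appearing for the first time is investigated the day it appears rather than discovered during an incident.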

Overall, defenders should be concerned with recent developments, but avoid panic. With greater awareness and visibility, we should expect to identify more adversaries operating in ICS networks. Instead of treating this as cause for unproductive alarm, defenders can utilize this new corpus of knowledge to bolster and strengthen defenses to meet these adversaries head-on. By adopting this aggressive, threat-centric approach, ICS networks can be protected against all types of malicious activity — from highly specific targeted attacks to opportunistic infections, to hybrids of these two approaches.

Joe Slowik is an adversary hunter for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available. Prior to his time at Dragos, Slowik ran the Incident Response team at Los Alamos National Laboratory and served as an Information Warfare Officer in the US Navy. Throughout his career in network defense, Slowik has consistently worked to "take the fight to the adversary" by applying forward-looking, active defense measures to constantly keep threat actors off balance.

References

1 To Kill a Centrifuge – Langner
2 German Steel Mill Cyber Attack – SANS ICS
3 CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations – Dragos
4 ICS-CERT IR Pie Chart FY2016 – ICS-CERT
5 TRISIS Malware: Analysis of Safety System Targeted Malware – Dragos
6 Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS ICS and E-ISAC
7 Further details on activity groups COVELLITE, DYMALLOY, and others can be found in the 2017 Review of Industrial Control System Threats – Dragos