

Lessons learned from ICS cyber incidents

05 March 2018

ABB’s Ragnar Schierholz, Head of Cyber Security, ABB Industrial Automation, debunks several myths surrounding cyber security and shows how to minimise the impact of an incident on safety, health, the environment and finances

Although modern automation, protection and control systems are highly specialised IT systems, many are built from commercial off-the-shelf components and use standardised, IP-based communication protocols. They are also increasingly distributed and highly interconnected, and they make use of mobile devices and removable storage media. All of this gives a modern industrial control system (ICS) a larger attack surface than an isolated or legacy system.

There is ample evidence that the threats are real and have actual safety, health, environmental and financial impact. As Marty Edwards, managing director of the Automation Federation, puts it: “You will be attacked or infected…it is only a matter of time – and only by acting now can you minimise the resulting damage and reduce the spread of infection.”

Dispelling the myths

Small and medium sized enterprises often believe they are too small or too uninteresting for attackers to bother disrupting their business. Yet attackers find value in data and work on the premise that if it is worth having, it is worth stealing. What matters to them is not the size of the victim but that the targeted assets are valuable to their owners, their competitors or other third parties. Attackers’ own business models are often built on economies of scale: many small targets add up to a profitable campaign, as ransomware has shown.

Furthermore, critical infrastructure is often a network of smaller entities, and many small entities failing can destabilise it. That is what happened in Ukraine, where a power blackout was found to be the result of a cyber-attack. Small entities can also be the attack vector into larger ones.

Another myth is that investing in protection against cyber-attacks does not pay off. The truth is that an ICS that has been compromised in any way is no longer reliable or trustworthy and can become a safety risk. A common mistake that feeds this perception is the imbalance between investment in security technology and investment in security capabilities in processes and people. Furthermore, insuring an ICS for business continuity may prove difficult, if not impossible, if the system has previously been penetrated. And fines for non-compliance with regulation such as NERC CIP can reach US$1 million per day.

Many companies believe their systems are “air-gapped” so that there is simply no way in for attackers. Yet data is imported into and exported from the control system every day: production schedules, engineering updates, production progress, equipment health and emission reports. Entirely isolated systems are extremely cumbersome and expensive to operate. If no sanctioned communication path is built in, convenient workarounds are improvised, such as unapproved networks, temporary connections and portable media, and each of these is an unmanaged path into the system.

Finally, some believe that because a control system has no direct connection to the Internet, there is no way in for attackers. However, many incidents are staged: attackers first compromise legitimate user accounts through phishing or break into perimeter networks, then move laterally to reach far more interesting targets.

Biggest challenges

The table below shows the complexity of the challenges facing industry today.

Types of attack

Two distinct types of cyber-attack are the generic or “white noise” attack and the targeted attack or “advanced persistent threat” (APT).

Both white noise and targeted attacks commonly arrive through the Internet, the enterprise IT network or personal devices and go on to affect the operational technology (OT). They usually start with phishing or a perimeter compromise. Generic attacks take the form of generic malware from the IT world that exploits system vulnerabilities, usually at Level 5 to Level 3 of the plant network hierarchy (the Purdue reference model levels: 5 enterprise, 4 site business, 3 site operations, 2 supervisory control, 1 basic control, 0 process). Targeted attacks use custom malware designed for a specific environment and can cut across the control infrastructure from Level 5 down to Level 1.

While the consequences of a white noise attack are often limited to moderate damage and receive little or no public attention, targeted attacks can have a much wider impact and attract considerable publicity. White noise attacks, however, occur at a far higher frequency, so their aggregated impact is considerable as well.

In March 2017, Microsoft released a patch (MS17-010) for a vulnerability in the legacy Server Message Block version 1 (SMBv1) file-sharing protocol, reportedly disclosed to Microsoft by the NSA after it detected that its exploit had leaked. A month later, the hacker group calling itself The Shadow Brokers published EternalBlue, an exploit for that SMBv1 vulnerability, as part of a larger set of attack tools.

Then in May 2017 the WannaCry ransomware outbreak was reported and quickly spread to hundreds of thousands of computers. It targeted computers running Microsoft Windows, encrypting their data and demanding a ransom of $300 per computer, payable in Bitcoin.

The ransomware spread autonomously, using the EternalBlue exploit against unpatched SMBv1 services to infect any reachable host without user interaction. A security researcher found a “kill switch” (a domain the malware checked before encrypting; registering it slowed the infection rate substantially). Even so, according to Europol, over 200,000 computers were infected across 150 countries. Nissan Motor Manufacturing in the UK and Renault in France both halted production in an attempt to stop the spread of the ransomware.

Those who were unprepared left themselves exposed because they did not know the patch status of their systems. Many were unwilling to patch a live system or were intimidated by the patch process, and those who had fallen a year behind were hundreds of patches adrift of a secure baseline. When the ransomware hit, the questions ranged from “Shall we pay?” to “Do we have a backup?”. Organisations that had prepared, whether by applying the MS17-010 patch, by disabling SMBv1 where it was not needed or by blocking TCP port 445 between network zones, were simply not affected.

On 27 June 2017 a ransomware campaign started in Ukraine, seeded through a trojanised update of the M.E.Doc accounting software. Initial analyses concluded that it was a member of the Petya family of ransomware and that it spread using a modified version of the EternalBlue exploit as well as credentials harvested on infected hosts. Further analysis by Kaspersky concluded that the similarity to Petya was only superficial, hence the name NotPetya. A vaccine file was identified (a read-only file named perfc in the Windows directory) which, if present, reportedly caused the ransomware to exit before encrypting any files. The German e-mail provider used in the payment scheme shut down the attackers’ e-mail account for violation of its policies, so victims could not even negotiate. Analyses of the malware and reports from victims indicated that there was no way to decrypt the files encrypted by NotPetya; the conclusion was that it was not true ransomware at all but a wiper intended for sabotage, disguised as ransomware.

Attack objectives

An attack against an ICS usually results in the loss, denial or manipulation of the control system and/or of the operator’s view, which in turn leads to a denial or manipulation of safety functions. The results can be equipment damage and violation of safety limits. Production failures lead to poor quality and higher operating and maintenance costs, and compliance violations can affect safety, pollution and even contractual agreements. But what are the attackers after? Campaigns targeting private companies have been seen stealing design documents, formulas, manufacturing processes and research materials.

It is important to consider cyber security across the complete life cycle of an ICS. One of ABB’s approaches is the defence-in-depth method, a series of eight steps that build on each other over time to make the system secure: cyber security consultation, hardening, monitoring, securing the perimeter, whitelisting, host network detection, host intrusion detection and secure configuration, and securing the interior.

White noise attacks can be tackled with basic countermeasures. Targeted attacks adapted to individual circumstances are harder to counter: these attackers are always looking for weaknesses in the existing protective measures, and such measures merely raise the bar; on their own they cannot stop adequately motivated and financed attackers.

In addition, it is necessary to recognise, analyse and counteract targeted attacks while they are still at an early stage, using countermeasures tuned to the detected attack. This requires security monitoring (including anomaly detection) and incident response.
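As an added illustration of what such monitoring can look like in practice (example code written for this page, not ABB’s tooling or anything described in the article), the script below runs two detections over connection records exported from a firewall between plant zones: the SMB fan-out pattern that WannaCry and NotPetya showed while propagating, and connections that skip a level of the plant hierarchy described earlier (for instance enterprise IT reaching a controller network directly). The subnet-to-level map, the thresholds and the log records are all constructed assumptions.

```python
"""Added example, not code from the article or from ABB.

Two detections a security monitoring function could run over connection records
exported from the firewall between plant zones:

  1. SMB fan-out: one host opening TCP/445 to many distinct hosts within a short
     window, the propagation pattern WannaCry and NotPetya exhibited.
  2. Conduit violation: a connection whose endpoints are not in the same or an
     adjacent level of the plant hierarchy, e.g. site business (Level 4) reaching
     basic control (Level 1) without passing site operations and the DMZ.

The subnet-to-level map and the log records are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Hypothetical zone plan: /24 prefix -> level (3.5 is the industrial DMZ).
ZONE_LEVEL: Dict[str, float] = {
    "10.5.0": 5,    # corporate network
    "10.4.0": 4,    # site business systems
    "10.3.5": 3.5,  # industrial DMZ (historian replica, patch staging)
    "10.3.0": 3,    # site operations (engineering stations, historian)
    "10.2.0": 2,    # area supervisory control (HMIs, SCADA servers)
    "10.1.0": 1,    # basic control (controllers)
}
# Top-down ordering of the levels; only adjacent positions may talk directly.
LEVEL_ORDER: List[float] = sorted(set(ZONE_LEVEL.values()), reverse=True)


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


# Constructed firewall export: ISO timestamp, source, destination, destination port.
SAMPLE_LOG: List[str] = [
    "2017-05-12T08:00:00,10.2.0.10,10.1.0.5,502",   # HMI polling a controller (Modbus/TCP)
    "2017-05-12T08:00:00,10.3.0.20,10.2.0.10,445",  # engineering station copying a file to an HMI
    "2017-05-12T08:01:00,10.4.0.7,10.3.5.2,443",    # business host reading the DMZ historian replica
    "2017-05-12T08:02:00,10.4.0.7,10.1.0.5,502",    # business host polling a controller directly
    "2017-05-12T08:03:00,10.5.0.3,10.2.0.10,3389",  # corporate user opening RDP to an HMI
] + [
    # One engineering station opening SMB to twelve supervisory hosts in twelve seconds.
    f"2017-05-12T08:05:{i:02d},10.3.0.20,10.2.0.{11 + i},445" for i in range(12)
]


def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse 'timestamp,src,dst,dport' records, skipping blanks and '#' comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def rank_of(ip: str) -> Optional[int]:
    """Position of the address's level in LEVEL_ORDER, or None if its /24 is unmapped."""
    level = ZONE_LEVEL.get(ip.rsplit(".", 1)[0])
    return None if level is None else LEVEL_ORDER.index(level)


def smb_fanout(flows: List[Flow], threshold: int = 10,
               window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Sources that reached at least `threshold` distinct hosts on TCP/445 within `window`.

    Returns {source: peak distinct destination count}. Flows must be time-sorted.
    """
    recent: Dict[str, deque] = defaultdict(deque)  # src -> (ts, dst), oldest first
    peak: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.dport != 445:
            continue
        q = recent[f.src]
        q.append((f.ts, f.dst))
        while f.ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        peak[f.src] = max(peak[f.src], len({dst for _, dst in q}))
    return {src: n for src, n in peak.items() if n >= threshold}


def conduit_violations(flows: List[Flow]) -> List[Flow]:
    """Flows whose endpoints are more than one level apart or involve an unmapped address.

    An unknown device on the plant network is reported as a finding in its own right.
    """
    findings = []
    for f in flows:
        a, b = rank_of(f.src), rank_of(f.dst)
        if a is None or b is None or abs(a - b) > 1:
            findings.append(f)
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, n in smb_fanout(flows).items():
        print(f"SMB fan-out: {src} reached {n} distinct hosts on TCP/445 within 60 s")
    for f in conduit_violations(flows):
        print(f"Conduit violation: {f.src} -> {f.dst} port {f.dport} at {f.ts.time()}")
```

Run as a script it reports the engineering station 10.3.0.20 fanning out to twelve hosts on port 445, plus the two level-skipping connections (business host to controller, corporate host to HMI); the single legitimate file copy at 08:00 falls outside the 60-second window and is not counted. Thresholds and the zone map are the parts to tune per site, and the same two checks work equally well on NetFlow or span-port data once parsed into the same record shape.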

Introducing cyber security management into control system operations is a major change and can be overwhelming. Early steps must work towards a solid understanding of context-specific risks and prioritise them. In parallel, basic controls can be introduced which experience shows will be part of any security management system. Competent partners are available on the market to bridge transition periods or to provide services continuously. Don’t be the deer caught in the headlights: get started with small steps and look for partners!

Key Points

  • No matter the size of business, hackers find value in data and often work on the premise that if it is worth having then it is worth stealing
  • An ICS that has been compromised in some way is no longer reliable and trustworthy and can become a safety risk
  • Entirely isolated systems are cumbersome and expensive to operate; if no communication is built in, convenient workarounds are often improvised

 