IMAGE 1: Steam and chilled water production facilities, Texas Medical Center, Houston (Images courtesy of Vigilant Cyber Systems)
The past decade has seen a dramatic increase in cyberattacks focused beyond traditional desktops and servers. The security industry refers to this sector as operational technology (OT), internet of things (IoT), or industrial internet of things (IIoT), and it includes systems such as heating, ventilation and air conditioning (HVAC), embedded devices, and systems typically controlled by programmable logic controllers (PLCs) including pumps, turbines, pressure regulating valves, and tanks. These devices are typically outside the traditional scope of a normal information technology (IT) department.
In 2010, the world was alerted to the threat of malware over industrial systems as Stuxnet attacked Iranian nuclear enrichment facilities. The past 10 years have shown an increase in cyberattack tools developed specifically for industrial control systems (ICS), not just from single actors, but from nation-state offensive cyber groups from countries like the U.S., Israel, China, Russia, Iran and North Korea. These groups are classified by security specialists as advanced persistent threat (APT) groups. After Stuxnet, the security industry found Havex, a piece of ICS malware attributed to a Russian APT group in 2014 used to scan industrial networks.
Since 2014, ICS malware has been seen at an increasing rate around the world, with notable attacks in Ukraine on Dec. 23, 2015 when malware named BlackEnergy successfully compromised supervisory control and data acquisition (SCADA) systems remotely switching substations off, disabling IT infrastructure, and disabling the call center for customer support during the outage.
Ukraine suffered another power grid attack on Dec. 17, 2016 when malware named Industroyer was used to cut off power to the capital city of Kiev for an hour.
In November 2017, the TRISIS malware was discovered in a Saudi Arabian petrochemical plant. This disabled the safety instrumentation systems and
security controls.
The National Vulnerability Database (NVD), which is a repository of security-related information maintained by the National Institute of Standards and Technology (NIST), has a separate category for ICS attacks. These types of attacks have exploded in the last year. Between the first quarter of 2019 and Q1 2020, the water and wastewater industry has seen an increase of 122 percent of common vulnerabilities and exposures (CVEs). Critical manufacturing is up 87.3 percent in CVEs, and energy is up 58.92 percent.3 While cyberattacks on OT systems are still flying below the radar of more common IT hacks, the momentum in this space is quickly building.
It is a perfect storm, as many OT system owners want to take advantage of new technologies for automation and monitoring that require internet connectivity, without recognizing the cyber risk that comes with that connection.
Why It Can Happen to Users & Their Assets
An adversarial group decides to target a user’s facilities. The attacker and their reasons could be anything from a disgruntled employee, an international criminal organization, or a nation-state sponsored APT. Financial gain motivates criminal organizations who are using ransomware to hold systems hostage and extract a ransom to return it to operation. Recent years have witnessed several high-profile examples of ransomware on OT systems, including the EKANS ransomware that specifically targets ICS. This was recently used against Honda and the global clean energy provider Enel, resulting in disruption to production.4 Critical infrastructure systems such as public utilities are targets for a nation or state looking to disrupt the stability of an adversary.
Regardless of the specific threat, any adversary will look for an opportunity to exploit user systems. Most commonly, this means stealing credentials or cracking a weak password (78 percent according to a Verizon 2020 Security Report).5 However, in the case of IoT and OT, there are many vulnerable endpoints available that can be found easily using public tools such as Shodan and Censys.io. These search engines crawl the entire internet approximately once per month and update their databases with information about exposed devices.
A current search of Shodan (the search engine for internet connected devices) for a specific industrial protocol shows that there are approximately 5,000 industrial control devices exposed to anyone with an internet connection.
Once the adversary has accessed the system through stolen credentials or by simply connecting into it through an unsecured device that someone left on the internet, they will look to pivot through an engineering workstation, historian or similar system that is on both the IT network, and also on an OT network. Once on an OT network, an experienced adversary will be able to manipulate vulnerable devices, such as PLCs, to accomplish their goals. Stuxnet demonstrated how malware can cause catastrophic physical damage to equipment without triggering any alarms. The TRISIS malware in Saudi Arabia showed how an adversary can disable safety controls and endanger personnel. Adversaries can use these tactics to hold users ransom, damage their systems, or potentially harm employees working on the systems.
Available Resources
Cyberthreats are impacting OT at an alarming rate and the security industry is responding. Comprehensive best practices are being established and communicated for specific industries, and cybersecurity companies are developing OT security tools and services to combat the rising threats.
A comprehensive risk management process has four components: framing, assessing, responding and monitoring. These activities should be interdependent processes that occur simultaneously and continuously. Framing is the process of building a model or framework which can be used to assess risk and make risk management decisions. Assessing is the process of identifying the threats to, vulnerabilities in, and consequences of an attack for the entity under risk management.
Responding is the process of accepting, avoiding, mitigating, and transferring risk. Risk monitoring is the process of implementing and assessing controls and compliance, as well as identifying changes.
The practical steps that an ICS security team can take when developing a risk management framework are summarized in the following steps. For framing, the security team should consult with a broad spectrum of the leadership to identify the assumptions and risk tolerance of the enterprise. For companies that do not have in-house OT security expertise, we recommend conducting a walk-through with experts. Once the initial framework for risk assessment is complete, the best practice for implementing an ICS Security Risk Management Framework is to perform the following four distinct steps. First, define the OT systems and conduct an inventory of the OT assets. This inventory should include basic information for each asset including manufacturer, operating system and applications installed, and the latest patch date.
All interfaces to other systems should also be defined. Second, a security plan should be developed. This plan should document the security controls that are selected. NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems is a good reference for developing a security plan. The third step is to perform a risk assessment. This detail of the risk assessment should be commensurate with the risk framework.
Most risk averse organizations will conduct multiple risk assessments for the entire enterprise. Others may perform a detailed risk assessment for the highest impact systems and less detailed assessments for other systems.
Risk assessments are often conducted multiple times during a system’s life cycle, and organizations with multiple locations may alternate assessments among sites. The final step in establishing a risk management framework is to implement the security controls based upon the security plan and the analysis of the risk assessment. Review the references noted at the end of the article to understand which policies will need to be implemented. There is also one example of a robust patch management policy.
The world of cybersecurity is a cat and mouse game between security firms and attackers, with the attackers constantly evolving and creating new tools to find loopholes in existing security systems, and the cybersecurity companies plugging those holes through patches.
If a system cannot receive regular patches, it is extremely vulnerable, as it lacks the ability to adapt to the evolving threat landscape. Robust cybersecurity is not static.
After implementing an ICS cyber risk framework, many organizations conduct cooperative vulnerability assessments and red team assessments. This testing is like the final exam for the entire process outlined above, validating and ensuring that the risk framework processes are working correctly and have not missed anything. Usually this testing is performed by an outside firm so it can independently validate the security posture without creator or maintainer bias.
References
NIST 800-82–https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
NIST SP 800-18–https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final
No More Ransomware–https://www.nomoreransom.org/en/index.html
ATT&CK for Industrial Control Systems–https://collaborate.mitre.org/attackics/index.php/Main_Page
Cybersecurity and Infrastructure Security Agency (CISA)–https://www.cisa.gov/publications-library/Cybersecurity