A Step by Step Analysis of How Your ICS is Compromised through an Externally Generated Cyber Attack
Author: Daniel Ehrenreich, Consultant and Lecturer, SCCE
Industrial Control Systems (ICS), also known as Operational Technology (OT) systems, are deployed to control water, oil and gas, electric power, manufacturing, communication backbones, siren networks and more; some of these are considered critical infrastructure. In the past, these control systems were built primarily for operational safety and reliability, and, in line with what was believed about a decade ago to be secure operation, they were completely disconnected (air-gapped) from the IT network operated by the organization.
Despite the fact that experts considered air-gap isolation a “silver bullet”, the Stuxnet attack (05-2010) proved that isolating the ICS from the business network does not provide absolute cyber defense. Consequently, management decided that improving productivity calls for connecting the ICS to the IT network in order to obtain real-time data. In systems where a Unidirectional Gateway (data diode) can be deployed, that solution works. In systems that require periodic bidirectional IT-ICS data flow, however, the zone segregation must be done with a firewall, and we all know that any software-based cyber-defense measure can be compromised.
While the well-known Lockheed Martin Cyber Kill Chain (CKL), an attack-analysis process, describes an attack in seven simple steps, this paper guides you through a more detailed twelve-step explanation tailored to architectures that combine IT and ICS.
Figure 1: Cyber Kill Chain
Compromising an ICS
Cyber security vulnerabilities in a control architecture are flaws introduced by negligent software coding, by irresponsible employees neglecting the organization’s policies, and by undetected software bugs. These flaws reduce the system’s resilience and open the way to operational outages and to attacks capable of destroying machinery.
Vulnerability management deals with identifying, classifying, remediating and mitigating risks. When a new vulnerability is announced (after being detected and reported), it is called a “zero-day vulnerability”. On that day the affected systems are unprotected, and they remain so until a new defense measure (such as an updated antivirus version) becomes available.
The following questions may be asked during the forensic investigation following an attack:
a) What drove the selection of this specific victim?
b) Which damaging goals did the attack target?
c) When was the attack started, detected and completed?
d) What was the consolidated impact on the victim?
e) What could have prevented it, or at least reduced the damage?
f) Do we foresee that the attack might be reactivated?
g) … and more.
These are critical questions, and preparing proper answers is by itself a significant effort for the victim, especially after a painful incident. The outcome feeds the definition of the CKL process (see above), which runs from targeting the victim’s network up to an attack capable of damaging the operation.
Figure 2 below illustrates the process of an externally generated Advanced Persistent Threat (APT) attack. It outlines all 12 steps, from selecting the victim, through penetrating the corporate IT network, to finally attacking the targeted Programmable Logic Controller (PLC) that controls the critical process.
Twelve-step description of a cyber-attack through the Internet
Figure 2: Description of Cyber Attack over the Internet
- Selecting the target for attack: The attacker selects the victim (organization, network, PC) based on his predefined goals and expected rewards, or according to instructions from whoever is directing the action. A cyber-attack can also be initiated by an insider with a motive, such as a disgruntled employee, or by an expert hacker working for a foreign country, a criminal organization or a hostile commercial organization.
- Learn the victim’s behavior: The attacker may start with a phishing process targeting someone who corresponds with people working at the victim’s organization. He sends emails from a spoofed identity with malware hidden in an attached file (Word document, JPG file, etc.). This leads to a Trojan running on the first victim’s computer and later in the IT network. (CKL-Reconnaissance)
- Initial attempt to access the IT network: Once the injected code is activated to collect network details, the malware starts scanning the victim’s IT network and every accessible computer. Through this tool the attacker steadily receives detailed information and builds a clear picture of the victim’s network: user names, passwords, IP addresses, connections to wireless devices, privileged accounts, etc.
- Open a user account, gain a position: This is the “dream moment” for every attacker. Once he gains access to the victim’s network, he can spoof the identity of a network administrator, open his own account and start using his new email. It is like leaving the door unlocked for a person you do not know and letting him behave in your house like a “family member”.
- Create a privileged account: Using an authorized account (like an ordinary employee’s) and after learning the administrator account’s credentials, the attacker can now upgrade his own “user account” and request additional privileges that a regular user (employee) does not have. This lets his activity appear to comply with security procedures such as “least privilege” and “role-based access”.
- Compromising the firewall between the IT network and the Internet: Through this “authorized membership”, the attacker now has the privileges needed to compromise the firewall isolating the IT network from the external Internet. This allows him to pass command codes between the attacking computer (operated by the hacker and connected through the Internet) and the victim’s IT network.
- Expand horizontally across the network (lateral movement): The attacker can now continue the process and obtain detailed information about the PLCs, the Remote Terminal Units (RTUs), the data protocols in use and the IP addresses of the control devices (PLC, RTU), as far as they are reachable from the corporate IT network. Having an “authorized presence”, the attacker may start planning the next steps of the attack process.
- Maintaining a “stealth-mode” presence: At this stage the attacker may slowly collect more data on the system architecture and on the processes considered normal, as seen from the corporate IT network. To hide his activity, the attacker may prevent the detection of his actions within the victim’s network. He will also try to hide his own identity and delete all “traceable details”.
- Obtaining a higher level of privilege: Once the attacker has adequate details on the IT network and has obtained the needed credentials, he can create a high-privilege (“admin”) account. This allows him to reach the segregating firewall between the IT and ICS networks and also to compromise additional security measures that might otherwise prevent access to the ICS network.
- Compromise the firewall to the ICS network: The attacker is ready to start the final stage and compromise the segregating firewall between the corporate IT and ICS networks. Once that barrier is removed, the attacker may communicate directly with the ICS network and “export” data (through the corporate network and the Internet) as needed for detailed planning of the attack process.
- Study the ICS-OT operation: The attacker may directly access all RTUs or PLCs and study the details of the control process (temperature, speed, pressure, vibration, flow, etc.), and also analyze the data sent to the ICS automation servers and the HMI computer. This information helps the attacker “create a false picture” of normal operation and transmit this “picture” to the operator’s HMI during the attack (as in Stuxnet).
- Manipulating the control process: The attacker modifies the operating parameters of the RTUs or PLCs, changes the control limits, modifies control loops, compromises software-based protection and generates the damage. While transmitting the earlier recorded and stored false picture to the operator’s HMI, showing normal conditions, the attacker completes the task and destroys the critical machinery. (CKL-Action)
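Two points in this paper lend themselves to the same piece of detection logic: the zoning in the introduction, where bidirectional IT-ICS traffic passes a segregating firewall only as an explicit allow-list, and the last steps above, where the attacker crosses into the ICS network and writes new operating parameters to PLCs or RTUs. The script below is an added example and is not code from this paper or its author. It reads connection records as a plant network monitor might export them, flags any IT-to-ICS flow that is not on the firewall allow-list, and flags any state-changing Modbus/TCP command whose source is not the HMI or the engineering workstation. The zone addresses, the allow-list, the authorized hosts and the log lines are all constructed assumptions; only the Modbus function codes are standard protocol values.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# --- Assumed zoning policy (hypothetical addresses, not from the paper) ---
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")        # corporate IT network
ICS_ZONE = ipaddress.ip_network("192.168.50.0/24")    # PLC/RTU/HMI network
# Flows the segregating firewall may pass from IT into ICS, as (src, dst, dport).
# Here a single historian polling a single data concentrator (assumed).
ALLOWED_CROSS_ZONE = {("10.10.1.5", "192.168.50.5", 502)}
# Only the HMI and the engineering workstation may write to controllers (assumed).
AUTHORIZED_WRITERS = {"192.168.50.10", "192.168.50.11"}
# Standard Modbus/TCP function codes that alter controller state:
# 5 write single coil, 6 write single register, 15 write multiple coils,
# 16 write multiple registers, 22 mask write register, 23 read/write multiple.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}

# Record format (constructed): "<timestamp> src=<ip> dst=<ip> dport=<n> [func=<n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: func=(?P<func>\d+))?$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    func: Optional[int]   # Modbus function code when the monitor decoded one


def parse_line(line: str) -> Optional[Flow]:
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    func = m.group("func")
    return Flow(m.group("ts"), m.group("src"), m.group("dst"),
                int(m.group("dport")), int(func) if func is not None else None)


def check_flow(f: Flow) -> list:
    """Return the names of the policy rules this single flow violates."""
    alerts = []
    src_ip = ipaddress.ip_address(f.src)
    dst_ip = ipaddress.ip_address(f.dst)
    # Rule 1: IT -> ICS traffic must match an explicit firewall allow-list entry.
    # Anything else means the segregation between the zones is being bypassed.
    if (src_ip in IT_ZONE and dst_ip in ICS_ZONE
            and (f.src, f.dst, f.dport) not in ALLOWED_CROSS_ZONE):
        alerts.append("zone-crossing")
    # Rule 2: commands that change controller state may only come from the
    # authorized HMI/engineering hosts, whatever zone the sender sits in.
    if (dst_ip in ICS_ZONE and f.func in MODBUS_WRITE_CODES
            and f.src not in AUTHORIZED_WRITERS):
        alerts.append("unauthorized-write")
    return alerts


def analyze(log_text: str) -> list:
    """Run both rules over a whole log; returns (ts, src, dst, rule) tuples."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        for rule in check_flow(flow):
            findings.append((flow.ts, flow.src, flow.dst, rule))
    return findings


# Constructed sample log; not captured from any real system.
SAMPLE_LOG = """\
2020-05-04T09:15:02 src=192.168.50.10 dst=192.168.50.21 dport=502 func=3
2020-05-04T09:15:03 src=192.168.50.10 dst=192.168.50.21 dport=502 func=16
2020-05-04T09:15:10 src=10.10.1.5 dst=192.168.50.5 dport=502 func=3
2020-05-04T09:16:40 src=10.10.4.23 dst=192.168.50.21 dport=502 func=3
2020-05-04T09:16:41 src=10.10.4.23 dst=192.168.50.21 dport=502 func=16
2020-05-04T09:17:00 src=192.168.50.44 dst=192.168.50.21 dport=502 func=6
2020-05-04T09:17:05 src=10.10.4.23 dst=192.168.50.21 dport=22
2020-05-04T09:18:00 src=10.10.1.5 dst=192.168.50.5 dport=502 func=16
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print("ALERT", *finding)
```

Run as is, the script raises six alerts on the sample: the IT workstation 10.10.4.23 trips the zone-crossing rule three times (a read, a write and an SSH attempt, none of them on the allow-list), and the write rule fires on that workstation, on an unknown ICS host and on the historian, whose allow-list entry permits it to poll the concentrator but not to write to it. The two rules are deliberately independent: a data diode or a correctly configured firewall would make rule 1 fire rarely, while rule 2 still catches an attacker who is already inside the ICS zone.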
The twelve-step process described above may also help you understand what happened during the Stuxnet attack. The main difference is that it did not start through the Internet (the nuclear plant was disconnected) but through direct injection of well-designed code into one of the ICS computers. For the same reason there was no “remote guidance” of the attack, and it progressed without control.
We keep learning about new Advanced Persistent Threat (APT) and “zero-day” attacks on ICS managing critical processes, and about new variants of viruses, worms and Trojans that bypass traditional signature-based defenses and, recently, even the Safety Instrumented System (SIS), as happened in the Triton event (12-2017).
As the world gears up to deploy Industrial Internet of Things (IIoT) ecosystems, computer security is turning into a severe problem for industrial operations. To mitigate these risks (which we were not aware of just a few years ago), it is important to identify the root causes and not just patch and isolate the problems. Cyber protection for any IT and ICS architecture consists of three essential and achievable elements: a) the use of cyber-secured technologies, b) strict adherence to policies, and c) careful user behavior achieved through awareness training.
As mentioned above, there is no silver bullet that can absolutely prevent cyber-attacks on the ICS. Adherence to the People, Policies and Technology (PPT) triad is essential in order to deploy effective, cost-effective and well-tailored cyber defense. The Chief Information Security Officer (CISO) in charge of ICS operation must be allocated the manpower and resources needed to achieve these goals. Even if absolute cyber defense is out of reach, deploying ICS-adapted cyber defense measures will put your system in a safer condition.
Daniel Ehrenreich, BSc., is a Consultant and Lecturer at Secure Communications and Control Experts, teaching at cyber security colleges and presenting at ICS cyber defense conferences. Daniel has over 25 years’ engineering experience with electricity, water, gas and power plant systems as part of his activities at Tadiran, Motorola, Siemens and Waterfall Security. He was selected as Chairman of ICS Cybersec 2018, taking place on 11-10-2018 in Israel.