Understanding the top threats to critical infrastructure on SCADA and ICS networks

Dhanesh Dodia - HeyDanny
Published in InfoSec Write-ups
Aug 5, 2022 · 12 min read


(Image: attack on SCADA)

TL;DR

This blog highlights the most common attack techniques used by state-sponsored groups in the modern cyber-warfare era. It will help us understand the most common attacks: how they work, what the possibilities of exploitation are, and what the impact could be in our environment.

(Please note that in this article ‘our’ refers to your environment, as applicable.)

Cyber attacks are the newest form of risk to nations and to technology. Hence it has become more important to securely manage and operate critical infrastructure. The image below is a generic network architecture diagram of a typical critical network.

Network Architecture Diagram of an ICS / SCADA Infrastructure

Generally, OT (Operational Technology) assets are placed in an isolated network. As the image above shows, network segregation keeps the HMI, field controllers, field devices, etc. in an isolated environment. Because managing, monitoring and maintaining those systems involves complex inter-system dependencies, the appropriate barriers are put in place with software and hardware firewalls. Hence, attackers use indirect ways to reach these systems.

Understanding the attacks that happened in the past and learning from them is the right way to safeguard any critical infrastructure.

The details below will help us understand the different kinds of attacks, their likelihood and the level of impact they can have.

We will break down each attack type into 2 risk categories:

Level of Sophistication — to understand how easy exploitation would be in our environment.

Level of Consequences — to understand what potential risks are involved, and accordingly plan a defense strategy.

Insider Threats — Technicians

A disgruntled technician steals credentials by “shoulder surfing” other technicians, reuses them on equipment controlling the physical process, and issues reboot or shutdown instructions to nodes connected to the physical process, automatically triggering a partial plant downtime.

  • Level of Sophistication: This is a moderately sophisticated attack. ICS technicians tend to have good knowledge of how to operate control system components to achieve specific goals, such as a shutdown, but less knowledge of the fundamental engineering concepts or safety systems designed into industrial processes.
  • Level of Consequences: This class of incident is most often able to cause partial or complete plant shutdowns. More severe physical consequences may be possible, depending on the insider and the details of the industrial process.

Generic Malware Threats — Ransomware Attacks

An engineer searching for technical information from an ICS-connected engineering workstation accidentally downloads malware. The malware exploits known vulnerabilities that have not yet been patched on the industrial network, encrypts the engineering workstation and spreads to most of the Windows hosts on the industrial control system. Most Windows hosts in the industrial network are encrypted, shutting down the control system. The impaired control system is unable to bring about an orderly shutdown. Within a few minutes, the plant operator triggers an emergency safety shutdown. The emergency shutdown procedure damages important equipment at the plant, impairing production for months, even after the ransomware has been cleaned out of the control system and the plant is restarted. A variation of this attack: ransomware infects an IT workstation and spreads via AUTORUN files on network shares, USB drives, and known network vulnerabilities for several days before triggering the encryption. Several machines on both IT and ICS networks are thus infected, with the same consequences as above.

  • Level of Sophistication: Authors of autonomous ransomware can be very sophisticated cyber-wise, producing malware that can spread quickly and automatically through a network, and even malware that can evade common anti-virus systems and other security measures. Such authors, though, tend to have no understanding of physical industrial processes or industrial control systems.
  • Level of Consequences: Most often, the minimum damage caused by this kind of incident is an unplanned shutdown lasting for as many days as it takes to restore the control system from backups, and restart the industrial process — typically 5–10 days of lost production. In the worst case though, important equipment can be irreparably damaged by an uncontrolled shutdown. In this case replacements for the damaged equipment need to be purchased and installed, and where replacements are not readily available, replacements for damaged equipment must themselves be manufactured, so they can be installed and activated. In the worst-case scenario plant downtime in these cases can be up to 12 months.

Insider Threat — IT Engineer

A disgruntled IT engineer shoulder-surfs remote access credentials entered by an ICS support technician visiting a remote office. The engineer later uses the credentials to log in to the same distant ICS engineering workstation the technician logged in to. The insider looks around the workstation and eventually finds and starts a development copy of the plant HMI. The engineer has little knowledge of how the systems work, brings up screens more or less at random, and presses whatever buttons seem likely to be harmful. These actions trigger a partial plant shutdown.

  • Level of Sophistication: This is an unsophisticated attack. IT engineers generally have little knowledge of cyber tools and tactics, control systems, or physical processes, but often have social engineering opportunities that can yield credentials able to log in to control system networks.
  • Level of Consequences: This class of incident might cause a shutdown, or might only cause confusion. At best, each such incident triggers an engineering review of settings at the plant, to ensure that no physical equipment has been left misconfigured and able to cause a malfunction in the future.

Targeted Malware Threats — Ransomware

An attacker with good computer knowledge targets IT engineers with phishing attacks and malicious attachments, gaining a foothold on the IT network with Remote Access Tool (RAT) malware. The attacker uses the RAT to steal additional credentials, eventually gaining remote access to an industrial control system. The attacker seeds ransomware throughout the ICS and demands a ransom. The site quickly disables all electronic connections between the affected plant and outside networks and tries to pay the ransom. The payment mechanism fails and the ransomware automatically activates, having received no signal from the attacker that the ransom was paid. The ransomware erases hard drives and BIOS firmware in all infected equipment. The plant suffers an emergency shutdown, damaging equipment. It takes a month to replace and reprogram damaged control system computers, and more months before damaged physical equipment is replaced.

  • Level of Sophistication: The attacker is cyber-sophisticated. Increasingly, we see organized crime groups becoming involved with ransomware. These groups have access to professional-grade malware tool kits and developers, and professional-grade RAT operators.
  • Level of Consequences: Computer, network, and other equipment with erased firmware generally must be replaced — the equipment has been “bricked” in the parlance of cyber attacks. Again, an emergency shutdown may damage physical equipment.

Sophisticated Attack Threats — Leverages Zero-Day in Malware (Ransomware)

An intelligence agency mistakenly leaves a list of zero-day vulnerabilities in operating systems, applications, and firewall sandboxes on an Internet-based command and control center. An attack group, similar to the “Shadow Brokers” who discovered the NSA zero-days, discovers the list and sells it to an organized crime group. This latter group creates autonomous ransomware that propagates by exploiting the zero-day vulnerabilities in file sharing software in the Windows operating system. The malware is released simultaneously on dozens of compromised websites worldwide and immediately starts to spread. At industrial sites able to share files directly or indirectly with IT networks, the malware jumps through firewalls to infect and encrypt the industrial site, causing an emergency shutdown and damaging physical equipment.

  • Level of Sophistication: Cyber attacks only become more sophisticated over time. Security researchers and others discover zero-day vulnerabilities, and intelligence agencies have been known to “lose track” of the zero-days they have discovered or purchased. This attack is very sophisticated cyber-wise and unsophisticated engineering-wise.
  • Level of Consequences: Again, the minimum damage caused by this kind of incident is an unplanned shutdown lasting for as many days as it takes to restore the control system from backups, and restart the industrial process — typically 5–10 days of lost production. In the worst case, though, important equipment can be irreparably damaged, necessitating costly replacement, which takes additional weeks or months.

Cyber-warfare Threats — Russia-Ukraine War

A large group of hacktivist-class attackers steals IT remote access passwords through phishing attacks. These attackers eventually compromise the IT Windows Domain Controller, create new accounts for themselves, and give the new accounts universal administrative privileges, including access to ICS equipment. The attackers log in to the ICS equipment and observe the operation of the ICS HMI until they have learned what many of the screens and controls do. At that time, the group takes over the HMI and uses it to mis-operate the physical process. At the same time, co-attackers use the administrative credentials to log into ICS equipment, erase the hard drives, and where practical, erase the equipment firmware. Variations: When targeting other kinds of industries, similar attacks are possible, erasing control system equipment, and triggering unplanned shutdowns.

  • Level of Sophistication: This is a summary of the attack techniques used in the 2016 attack on a number of Ukrainian electric distribution companies. The attackers had good knowledge of cyber systems, but limited knowledge of electric distribution processes and control systems.
  • Level of Consequences: In the case of the attacks on Ukraine, power was shut off to over 200,000 people, for up to 8 hours. Power was only restored when technicians traveled to each of the affected substations, disconnected control system computers, and manually turned on power flows again. More generally, unplanned shutdowns are a consequence of this class of attack, and possibly emergency, uncontrolled shutdowns with the possible equipment damage that accompanies such shutdowns.
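The scenario above leaves a trail on the IT domain controller before anything happens to the HMI: an account is created, it is added to a privileged group, and shortly afterwards it logs on to control-system equipment. The script below is an added example (not code from the original post) that correlates exactly that sequence over a few constructed Windows Security events. The event IDs (4720, 4728/4732, 4624) are the real ones; the flattened line format, host names, addresses and the 24-hour window are assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, flattened to one line each in a
# hypothetical "<timestamp> <host> key=value ..." format. The event IDs are the
# real Windows ones: 4720 user account created, 4728/4732 member added to a
# security-enabled group, 4624 successful logon (LogonType 10 = RDP).
SAMPLE_EVENTS = """\
2016-12-17 20:01:10 DC01 EventID=4720 Target=svc_backup2 Subject=j.doe
2016-12-17 20:02:30 DC01 EventID=4728 Target=svc_backup2 Group=Domain Admins Subject=j.doe
2016-12-17 21:15:02 ENG-WS01 EventID=4624 Account=svc_backup2 LogonType=10 Source=10.1.5.23
2016-12-17 08:00:00 DC01 EventID=4720 Target=new.hire Subject=hr.admin
2016-12-18 09:30:00 FILESRV EventID=4624 Account=new.hire LogonType=3 Source=10.1.2.8
"""

# Hostnames that sit on the control-system side of the domain trust (assumed).
ICS_HOSTS = {"ENG-WS01", "HMI-01", "HIST-01"}
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
WINDOW = timedelta(hours=24)  # a logon to ICS this soon after creation is suspect

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")
# key=value pairs; a value may contain spaces ("Group=Domain Admins")
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one flattened event line into a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    fields = dict(KV_RE.findall(m.group(3)))
    return {"ts": ts, "host": m.group(2), **fields}


def find_suspicious_accounts(log_text, ics_hosts=ICS_HOSTS,
                             priv_groups=PRIV_GROUPS, window=WINDOW):
    """Flag accounts that were created and then used to log on to an ICS host
    within `window`, noting whether they were also put in a privileged group."""
    created, elevated, alerts = {}, {}, []
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # collection order is not guaranteed
    for e in events:
        eid = e.get("EventID")
        if eid == "4720":
            created[e["Target"]] = e["ts"]
        elif eid in ("4728", "4732") and e.get("Group") in priv_groups:
            elevated[e["Target"]] = e["ts"]
        elif eid == "4624" and e["host"] in ics_hosts:
            acct = e.get("Account")
            born = created.get(acct)
            if born is not None and e["ts"] - born <= window:
                alerts.append({
                    "account": acct,
                    "host": e["host"],
                    "source": e.get("Source"),
                    "privileged": acct in elevated,
                    "minutes_since_creation": int((e["ts"] - born).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_accounts(SAMPLE_EVENTS):
        print(alert)
```

In the sample, `svc_backup2` is created, made a Domain Admin a minute later, and used for an RDP logon to the engineering workstation within two hours, so it is flagged; the ordinary `new.hire` account only touches a file server and is not. In a real deployment the same three-event join is what you would express in the SIEM, with the ICS host list coming from the asset inventory rather than a constant.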

A more sophisticated group of attackers uses the techniques of the Ukraine attack, but is more sophisticated concerning cyber-attack tools and the engineering details of electric systems. In addition to the actions of the attackers in the Ukraine attack scenario above, the more sophisticated group uses compromised IT domain controllers to defeat two-factor authentication, connects to protective relays, and reconfigures them, effectively disabling the relays. The group then very quickly connects and disconnects power flows to the affected consumers, damaging refrigerators, sump pumps, and other motors in consumers’ homes and businesses. The attackers also redirect power flows in the small number of high-voltage transmission substations managed by the distribution utilities, destroying high-voltage transformers by overloading and overheating them.

  • Level of Sophistication: This group of attackers is moderately sophisticated, both cyber-wise and engineering-wise.
  • Level of Consequences: Consequences of this attack are more serious. Many large refrigerators in stores have been rendered inoperable, large water pumps in water distribution systems are similarly damaged, and a large number of smaller pieces of equipment in consumers’ homes are rendered inoperable. High voltage transformers must be replaced on an emergency basis, which takes over a week. There is no worldwide inventory of such transformers, so while replacement transformers are manufactured, emergency replacements are acquired by reducing redundancy and capacity in other parts of the electric grid.

Market Manipulation of Commodity Prices (Oil or Gas)

An organized crime syndicate targets known vulnerabilities in Internet-exposed services and gains a foothold on IT networks. They seed RAT tools into the compromised system, eventually gaining Windows Domain Admin privileges. The attackers reach into ICS computers that trust the IT Windows domain and propagate RAT technology to those computers. Because the ICS computers are unable to route traffic to the Internet, the attackers route the traffic via peer-to-peer connections through compromised IT equipment. Once in the ICS network, attackers download and analyze control system configuration files. They then reprogram a single PLC, causing it to mis-operate a single, vital piece of physical equipment while reporting to the plant HMI that the equipment is operating normally. The equipment wears out prematurely, in a season of high demand for the plant’s commodity output, e.g. oil or gas. The plant shuts down for emergency repairs of this apparently random equipment failure. The same attack occurs at two nearby plants. Once the equipment has failed, the perpetrators erase all evidence of their presence from the affected plants’ ICS networks. Prices of the affected commodity spike on commodities markets. When production at all plants returns to normal, commodity prices return to normal. This attack is repeated in the next season of high demand.

  • Level of Sophistication: The cyber-sophistication of this attack and these attackers is moderate — no zero-days were used, and no code was written. The engineering sophistication of this attack is high. The attackers needed access to an engineer able to interpret the control system configurations, select physical equipment to target, identify the PLC controlling that equipment, download the existing program of that PLC, and design and upload a new program able to wear out the targeted physical equipment prematurely while reporting to the HMI that the equipment is operating normally.
  • Level of Consequences: Lost plant production and emergency equipment repair costs.
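Two things in this scenario are visible on the wire even though nothing is visible on the HMI: a host that is not the engineering station talking to a PLC on a programming or control-protocol port, and an ICS computer exchanging traffic with IT hosts it should have no route to. The script below is an added example, not code from the original post, that audits a few constructed flow records for both. The standard ports (102 for S7comm/ISO-TSAP, 502 for Modbus/TCP, 20000 for DNP3, 44818 for EtherNet/IP) are real; the subnets, host inventory and CSV layout are assumptions for this example.

```python
import csv
import io
import ipaddress

# Network layout assumed for this example (constructed addresses).
ICS_NET = ipaddress.ip_network("10.10.0.0/16")   # control-system enclave
PLC_NET = ipaddress.ip_network("10.10.20.0/24")  # PLC / RTU segment
IT_NET = ipaddress.ip_network("10.1.0.0/16")     # corporate IT

# Hosts that legitimately speak control protocols to PLCs (assumed inventory).
ALLOWED_PLC_CLIENTS = {
    "10.10.10.5": "ENG-WS01 (engineering station)",
    "10.10.30.2": "HMI-01",
}
# Standard ports of common PLC protocols; 102 is also the S7 programming path.
PLC_PORTS = {102: "S7comm/ISO-TSAP", 502: "Modbus/TCP",
             20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed flow export (NetFlow/IPFIX-style, reduced to a few columns).
# 10.10.10.7 is not in the inventory; its large transfer toward port 102 is
# the shape a program download would have.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes
2022-08-01T02:10:00,10.10.10.5,10.10.20.11,102,tcp,18240
2022-08-01T02:11:30,10.10.10.7,10.10.20.11,502,tcp,640
2022-08-01T02:12:05,10.10.10.7,10.10.20.11,102,tcp,97312
2022-08-01T02:12:40,10.10.10.7,10.1.40.22,443,tcp,5120
2022-08-01T02:13:00,10.10.30.2,10.10.20.12,502,tcp,320
"""


def audit_flows(csv_text):
    """Return findings over flow records: control-protocol traffic to the PLC
    segment from a host outside the allowed inventory, and any direct ICS-to-IT
    flow, which should not exist when the enclave is properly segmented."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        dport = int(row["dport"])
        if dst in PLC_NET and dport in PLC_PORTS and row["src"] not in ALLOWED_PLC_CLIENTS:
            findings.append({"kind": "unexpected_plc_access", "ts": row["ts"],
                             "src": row["src"], "dst": row["dst"],
                             "protocol": PLC_PORTS[dport], "bytes": int(row["bytes"])})
        elif src in ICS_NET and dst in IT_NET:
            findings.append({"kind": "ics_to_it_flow", "ts": row["ts"],
                             "src": row["src"], "dst": row["dst"], "dport": dport})
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

The allowlist approach works because a PLC segment has a very small, stable set of legitimate talkers; anything new on a programming port is worth an engineer's immediate look, and the accompanying ICS-to-IT flow is the relay path the scenario relies on. Feed it the flow export from the OT firewall or a span-port sensor and keep the inventory in the asset register, not in the script.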

Sophisticated Market Manipulation

More cyber-sophisticated attackers carry out the market manipulation attack, but in a way that is harder to defend against. They use known vulnerabilities in Internet-facing systems to compromise the IT network of a services company known to supply services to their real target. The attackers write their own RAT malware and deploy it only at the services company, so that anti-virus tools cannot detect the RAT. The attackers use the RAT to compromise the laptops of personnel who routinely visit the real target. When they detect that the compromised laptops are connected to the real target’s IT network, the attackers operate the RAT by remote control and propagate the RAT into the target’s IT network. Inside the target’s IT network, the attackers continue to operate the RAT. Intrusion detection systems have no visibility into the activities of the RAT, because the attack is low-volume, using command lines rather than remote desktop-style communications, and C2 (command and control) communications are encoded in innocent-seeming communications with compromised websites. The attack ultimately propagates to the ICS network, with the same consequences as the Market Manipulation attack.

  • Level of Sophistication: The cyber-sophistication of this attack and these attackers is high. No zero-days were used, but the attackers developed custom malware with natively encoded communications. The engineering sophistication, like the Market Manipulation attack, is high.
  • Level of Consequences: Lost plant production and emergency equipment repair costs.

Mobile Phone WIFI

Attackers target a geographic location to inflict damage on a region they are unhappy with for some reason. They create an attractive cell phone app, call it the world’s fanciest free app. The attackers use targeted social media attacks to persuade office workers at critical infrastructure sites in the offending region to download the app, which requests more permissions than a normal app should, but these employees are not cyber-smart and approve them without a second thought. The app runs continuously in the background of the cell phone. While at their critical-infrastructure workplaces, the app instructs the phone to periodically scan for WIFI networks and report them to a command and control center. The attackers again use social media, social engineering, and phishing attacks to impersonate insiders at the target organization and extract passwords for the WIFI networks. Several of these password-protected networks are part of critical-infrastructure Industrial Control Systems. The attackers log in to these networks using the compromised cell phones and look around the networks by remote control until they find computer components vulnerable to simple denial of service attacks, such as erasing hard drives or SYN packet floods. The attackers disrupt power plant operations, triggering an unplanned shutdown, disconnect from the WIFI networks, and repeat a few days later. Similar malware variants could also be planted on the laptops of office workers who work within range of ICS WIFI networks.

  • Level of Sophistication: This attack currently needs a high degree of cyber sophistication, because toolkits enabling this kind of hidden WIFI hacking from cell phones do not currently exist on the open Internet, so attackers need to write this malware themselves or purchase it. Once such attack tools are widely and publicly available, this class of attack will come within the means of hacktivist groups annoyed with industrial enterprises. The attack needs only very low engineering sophistication.
  • Level of Consequences: Repeated plant shutdowns from a source that is difficult to identify. Plant personnel should eventually determine that the source of the attack is a WIFI network and shut down all WIFI at the plant, or at least change all the passwords.
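Plant personnel do not have to wait for the pattern to repeat before suspecting the WIFI. A wireless controller's association log already shows the three tell-tales of this scenario: a client MAC that is not in the OT device inventory, OT sessions that last only minutes, and one client that also appears on a corporate or guest SSID (an employee phone). The script below is an added example, not code from the original post, that pulls those findings out of a few constructed log lines. The log format, SSID names, MAC addresses (constructed in the locally administered 02: range) and the 15-minute threshold are assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Inventory of wireless clients approved for the OT SSID (assumed).
APPROVED_CLIENTS = {
    "02:00:5e:10:00:01": "handheld-calibrator-1",
    "02:00:5e:10:00:02": "mobile-hmi-tablet",
}
OT_SSIDS = {"PLANT-OT"}
SHORT_SESSION = timedelta(minutes=15)

# Constructed association log from a wireless controller (hypothetical format).
SAMPLE_LOG = """\
2022-07-04 09:12:01 ssid=PLANT-OT client=02:00:5e:10:00:02 event=assoc ap=AP-CTRLROOM
2022-07-04 11:40:15 ssid=PLANT-OT client=02:00:5e:10:00:02 event=disassoc ap=AP-CTRLROOM
2022-07-04 13:05:44 ssid=PLANT-OT client=02:00:5e:77:ab:01 event=assoc ap=AP-CTRLROOM
2022-07-04 13:09:10 ssid=PLANT-OT client=02:00:5e:77:ab:01 event=disassoc ap=AP-CTRLROOM
2022-07-04 13:20:00 ssid=CORP-GUEST client=02:00:5e:77:ab:01 event=assoc ap=AP-LOBBY
2022-07-07 13:02:31 ssid=PLANT-OT client=02:00:5e:77:ab:01 event=assoc ap=AP-CTRLROOM
2022-07-07 13:06:58 ssid=PLANT-OT client=02:00:5e:77:ab:01 event=disassoc ap=AP-CTRLROOM
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) ssid=(\S+) client=(\S+) event=(assoc|disassoc) ap=(\S+)$")


def parse_line(line):
    """One log line to a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "ssid": m.group(2), "client": m.group(3).lower(),
            "event": m.group(4), "ap": m.group(5)}


def build_sessions(log_text):
    """Pair each assoc with the next disassoc of the same client on the same
    SSID. Returns the closed sessions and the SSIDs each client was seen on."""
    open_sessions, sessions, seen_on = {}, [], {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        key = (rec["ssid"], rec["client"])
        seen_on.setdefault(rec["client"], set()).add(rec["ssid"])
        if rec["event"] == "assoc":
            open_sessions[key] = rec
        elif key in open_sessions:
            start = open_sessions.pop(key)
            sessions.append({"ssid": rec["ssid"], "client": rec["client"],
                             "ap": start["ap"], "start": start["ts"],
                             "duration": rec["ts"] - start["ts"]})
    return sessions, seen_on


def audit_wifi(log_text):
    """Findings a plant team would want: unknown clients on the OT SSID, very
    short OT sessions, and a client hopping between OT and non-OT networks."""
    sessions, seen_on = build_sessions(log_text)
    findings = []
    for s in sessions:
        if s["ssid"] not in OT_SSIDS:
            continue
        if s["client"] not in APPROVED_CLIENTS:
            findings.append({"kind": "unknown_client", **s})
        if s["duration"] < SHORT_SESSION:
            findings.append({"kind": "short_session", **s})
    for client, ssids in seen_on.items():
        if ssids & OT_SSIDS and ssids - OT_SSIDS:
            findings.append({"kind": "seen_on_ot_and_non_ot", "client": client,
                             "ssids": sorted(ssids)})
    return findings


if __name__ == "__main__":
    for finding in audit_wifi(SAMPLE_LOG):
        print(finding)
```

The approved tablet produces a single two-and-a-half-hour session and no findings; the unknown device produces two four-minute OT sessions three days apart and is also seen on the guest network, which is the employee-phone signature the scenario describes. A MAC allowlist is not an access control (MACs can be spoofed), but as a detection it is cheap, and the findings point straight at the remediation the post recommends: rotate the WIFI credentials or take the OT WIFI down.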


