The Infiltration of U.S. Control Systems

CERT Alert TA18-074A removed any doubts that hostile nation-states are actively targeting U.S. industrial control systems.

On March 15, 2018, we all learned that the long-discussed cyber-attack on industrial control systems (ICS) had actually happened. Of course, many attacks on ICSs have happened before. But this one—with the backing of a nation-state—is the one that has been most feared.

This incursion, conducted by Russia, is not of the kind that can be classified alongside hacks by disgruntled employees, rogue hackers looking to extort funds, or corporate espionage attempts. The Russian hacking of U.S. critical infrastructure and manufacturing is different. It is an act of modern warfare with industry in its crosshairs.

Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, said, “The nature of armed conflicts has changed dramatically…in the modern world, cyberwarfare can be used by a foreign entity to launch a devastating attack against the United States without a single bomb or missile. Cyber-attacks have been used in a broader strategy of information warfare. Some examples are denial of service attacks, espionage malware, dissemination of disinformation and propaganda, social media election manipulation, and website or Twitter defacements.”

He added that cyber-attacks are difficult to attribute to a source, since proxies, third parties and fake artifacts in malware code are used to obfuscate their true origin. Therefore, “It is easier to understand who attacked you than it is to be able to prove it. In this case, [however], the Department of Homeland Security and the FBI publicly condemned Russian government cyber actors, which to me means they found significant evidence of Russian involvement.”

In its TA18-074A Alert on the attack, the U.S. Computer Emergency Readiness Team (US-CERT) noted that the Russian government has targeted “U.S. government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors.” The U.S. government considers critical manufacturing sectors to be those focused on producing primary metal, machinery, electrical equipment and transportation equipment.

To better understand what this means for the Automation World audience of manufacturers and processors, we reached out to industry experts to help explain how this attack happened, how it affects you and what you should be doing about it.

How it happened
“The US-CERT alert characterizes these attacks as a multi-stage intrusion campaign to gain remote access into targeted industrial networks,” said Thomas Nuth, director of products and solutions at cybersecurity technology supplier Nozomi Networks. “After obtaining access, the threat actors [i.e., Russian government cyber actors] conducted network reconnaissance to collect information pertaining to ICS. Such behavior is typical of APTs [advanced persistent threats].”

Three specific methods of obtaining information that enabled access to company networks were cited in the alert:

  • Watering holes. The US-CERT alert notes that the “threat actors compromised the infrastructure of trusted organizations to reach intended targets. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS or critical infrastructure. Although these watering holes may host legitimate content developed by reputable organizations, the threat actors altered websites to contain and reference malicious content.”
    See related article detailing the steps Automation World employs to avoid being used as a watering hole.
  • Phishing emails. “Threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol…this request authenticates the client with the server, sending the user’s credential hash to the remote server before retrieving the requested file…the threat actors can [then] use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication,” the US-CERT alert states.
  • Analyzing publicly available information, such as pictures in which ICS devices are visible. The alert noted that some means of access were gained via publicly posted corporate images in which SCADA screens were visible. From those pictures the attackers were able to determine which systems the targeted companies used.
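The phishing technique above works because an Office document can make a workstation open an SMB session to a server on the internet and send the user's credential hash during authentication. The defender's corresponding check is whether any internal host has opened SMB (TCP 445 or 139) to an external address at all. The script below is an added example written for this article, not code from US-CERT or from any vendor quoted here; its log line format, the RFC 1918 definition of "internal" and the sample lines are all constructed, and 203.0.113.0/24 is documentation address space standing in for an outside server.

```python
"""Flag outbound SMB connections from internal hosts to external addresses.

Added example for this article, not US-CERT or vendor code. The log line
format is constructed; adapt LINE_RE to the firewall or proxy you actually run.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# SMB transports: direct-hosted SMB over TCP 445 and NetBIOS session on TCP 139.
SMB_PORTS = {445, 139}

# Address space treated as "inside". RFC 1918 plus loopback is an assumption;
# replace with the site's real ranges (including any public space you own).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed format: <ts> action=<allow|deny> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(lines):
    """Return one Finding per TCP SMB connection from an internal to an external host.

    Denied connections are reported too: a blocked attempt still means a host on
    the inside tried to authenticate to an outside SMB server, which is exactly
    the symptom of the lure the alert describes.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        dport = int(rec["dport"])
        if dport not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], dport, rec["action"]))
    return findings


def hosts_to_triage(findings):
    """Count findings per internal source so the noisiest hosts are examined first."""
    return Counter(f.src for f in findings)


# Constructed sample lines; 203.0.113.0/24 is documentation space standing in
# for a server outside the organization.
SAMPLE_LOG = [
    "2018-03-15T10:01:02Z action=allow proto=tcp src=10.20.30.41:51522 dst=10.20.30.5:445",
    "2018-03-15T10:03:14Z action=allow proto=tcp src=10.20.30.41:51530 dst=203.0.113.7:445",
    "2018-03-15T10:03:20Z action=deny proto=tcp src=10.20.30.42:51531 dst=203.0.113.7:445",
    "2018-03-15T10:05:00Z action=allow proto=tcp src=10.20.30.41:51540 dst=203.0.113.9:443",
    "2018-03-15T10:06:00Z action=allow proto=udp src=10.20.30.41:137 dst=10.20.30.255:137",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    hits = find_outbound_smb(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({f.action})")
    print(hosts_to_triage(hits))
```

Only the internal-to-external SMB flows are reported; SMB to the internal file server, HTTPS to the outside and NetBIOS name-service broadcasts over UDP are all ignored. A real deployment would read the firewall's actual export format, and the "denied" hits are worth keeping even after outbound SMB is blocked, because each one identifies a workstation where a lure document was opened.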

Once access to the company network is gained, Nuth noted that ICS reconnaissance, which begins by using the kinds of methods detailed above, extends to such tactics as:

  • The use of batch scripts to enumerate the industrial control network;
  • Using scheduled tasks and a screenshot utility to capture the screens of systems across the network; and
  • Accessing computers on the corporate network to gather data output about control and SCADA systems, including ICS vendor names and reference documents as well as gathering profile and configuration information.

“Reconnaissance is a crucial component of conducting an attack,” said Barak Perelman, co-founder and CEO of cybersecurity technology supplier Indegy. “Hackers are patient and often spend time collecting information which can include things like source code. That, in and of itself, may not reveal the keys to the ICS kingdom. But source code, along with other information gleaned along the way, can be amassed and used against the target organization.”

The impact on industry
Most media coverage of these attacks focused on U.S. energy facilities, which is understandable considering their role as the source of power for nearly everything we do. But the CERT alert made clear the threat from these attacks extends far beyond the energy sector.

“Really, any manufacturer and processor is fair game,” said Perelman. “Recently we have seen concerning trends and activity at water facilities and in the food and beverage, chemical and pharmaceutical industries.”

With regard to this specific adversary (i.e., Russia) and the threat these attacks have exposed via the US-CERT alert, Patrick McBride, chief marketing officer for cybersecurity technology supplier Claroty, said, “the most likely targets are manufacturers involved in developing defense-related systems and other critical infrastructure. This includes both the manufacturers of these systems as well as those in the supply chain that make key, limited supply, specialty components.”

But Perelman was quick to point out that highlighting the industries in which the most activity has been seen does not indicate that other organizations are immune. “These types of threats can be amorphous and quickly change based on opportunities,” he said. “ICS/SCADA systems share similar technologies across different verticals. For example, ransomware can attack and delete a Windows PC, regardless of its use. Similarly, malware can be designed to shut down any PLC/DCS controller across its path. As a result, every industrial company is vulnerable to such an attack as part of collateral damage.”

Underlining the need for manufacturers and processors of all types and sizes to take notice, Stefan Woronka, director and head of business development at Siemens Industrial Security Services, said, “With our customers over the past 12 months, we have seen that the size of the organization does not matter. A company can be a target independent of its size.”

He added that a common attack practice is to “look for the weakest link in the chain and try to crack it. In a modern and interconnected world, [this means] the focus may shift towards companies with a lower protection level.”

Looking at the threat to industry based on what this US-CERT alert has confirmed, Eddie Habibi, CEO of PAS (a supplier of process safety, cybersecurity and asset reliability software), says it illustrates that “the entire supply chain is exposed. If you think about how many different companies supply products and services to a single industrial facility and how many companies provide products and services to those companies, you begin to get a sense of how difficult it is to secure the supply chain.”

Even though attack specifics were not provided in the CERT alert, Habibi said it’s important for every company to realize that any supply chain is only as strong as its weakest link. In response to this alert, he expects to see industrial companies begin requiring “cybersecurity certifications similar to process improvement programs, such as Six Sigma, demanding suppliers implement and abide by cybersecurity best practices.”

See other predictions Habibi made for industrial cybersecurity in 2018.

What about remote access?
One of the biggest trends to hit both the process and discrete manufacturing industries over the past five years has been remote access. Though applied for decades in the oil and gas sector to maintain widely dispersed field equipment, remote access technologies have proliferated recently as a means for OEMs to develop new maintenance business models and for engineers to keep tabs on operations at any time, from anywhere.

Will news of the Russian incursion into U.S. control systems put a damper on this trend?

Habibi contends that the short answer to this question is: No. “Digitalization of the plant, which includes remote access, the Industrial Internet of Things [IIoT] and more, is inevitable. The benefits are too great and companies are committed to investing in digitalization,” he said.

Pointing out that remote access is just one means of potential access for a hacker, Woronka said that other avenues should be of equal concern. “Remote access may be one approach, another might exploit the company’s office IT environment,” he said. “All methods of connection to the external environment require special attention.”

“There is always a knee-jerk reaction when an alert like this is issued,” said Perelman. “So, in the short term, we will likely see a blip of organizations adjusting their remote access. The real question is what will happen four to six months from now when this alert becomes yesterday’s news. Changing remote access is not the silver bullet to holistically tackling the ICS issue. If it were, companies would have implemented it long ago.”

As you can infer from the comments above, everyone responding to my questions for this article concurred that they do not see these attacks as a deterrent to continued investment in remote access or other connected, digital industry trends.

“The very components—sensors, connectivity and smart applications—that enable digitalization have now exposed the industrial sector to greater security risks,” said Habibi. This means that “ongoing digitalization investments must include cyber risk mitigation plans.”

He added that he expects to see cybersecurity programs in the future dovetail more closely with existing safety management programs, such as process hazards analysis.

“In the long term it’s obvious that technology advancement can’t be stopped, and things like remote access are a must to make our facilities and companies more efficient,” said Perelman. “The notion of anywhere connectivity will only increase in the future. For example, we’ve seen financial institutions being attacked again and again, but nobody is deleting their bank app from their smartphone. People responsible for ICS security need to take a more thoughtful approach that doesn’t just solve for something that already happened, but also addresses threats and vulnerabilities that are yet to come.”

So what should you do?
Because the US-CERT alert essentially outlines a typical APT, which unfolds over an extended period of time, there is significant opportunity to detect and stop ICS attacks before damage can be done.

For detailed lists of specific actions you can take to assess and secure your ICS systems, see this companion article.

“With the right type of ICS monitoring and threat intelligence technology deployed within an ICS, APTs can be detected at their early stages,” said Nuth. “This is why ICS cybersecurity solutions that passively monitor, analyze and baseline normal operations using artificial intelligence methods are the most effective in extending the utility of typical protective cybersecurity technologies, such as industrial firewalls, SNMP network monitoring software and SIEM [security information and event management] products.”

When asked about the ability of anomaly detection—one of the more touted features of modern ICS cybersecurity software—to protect against such incursions before changes are made, all respondents agreed that anomaly detection would not be the feature that saves the day.

“Anomaly detection can only detect changes once they are made, and by then it can be too late,” said Perelman. Many attacks are “architected to be ‘low and slow’ so that the anomaly threshold is never reached.”

This “low and slow” approach often leaves marks, however, that anomaly detection software can pick up.

“All cyber-attacks take place in multiple steps, as defined in Lockheed Martin’s Cyber Kill Chain,” said McBride. “Attackers need to do recon, gain a foothold on the network and move laterally in the network toward the end target, such as a PLC or an engineering workstation. Only then can they make process-impacting changes.”

These steps put “anomalous” traffic on the network before making changes, according to McBride. “Anomaly detection systems are designed to notice and alert on the early steps in the kill chain so the good guys can stop the attack before process-impacting changes are made,” he said.

Perelman stressed that, because every system, architecture and operation is different, it is important to avoid a knee-jerk reaction in response to the US-CERT alert. “Making a change to one thing can often cover up another vulnerability that is bigger than the first,” he said.

Although maintaining a patched IT system and educating employees in best security practices will prevent 90 percent of common cyber intrusions, Perelman noted that, when it comes to the other 10 percent—specifically within ICS networks—patching and antivirus software are often not a valid option. In recognition of this ICS reality, Perelman recommends deploying a monitoring solution designed specifically for the ICS environment. According to Perelman, the core requirements for such products include:

  • The ability to help build an asset inventory of industrial devices that are on the network, along with their associated risk level and vulnerability; and
  • The ability to detect malicious activity—whether reconnaissance or actual damage—in real time and in a deterministic fashion.
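The two requirements above, together with the earlier points about baselining normal operations and catching the early, low-volume steps of the kill chain, come down to one passive mechanism: learn which devices exist and which conversations they normally hold, then alert on any device or conversation that was never seen during learning, regardless of how little traffic it generates. The class below is an added example written for this article, not code from Indegy, Claroty, Nozomi or any other vendor quoted here; the flow records, the IP addresses, the port-to-protocol labels and the scan threshold are all constructed assumptions.

```python
"""Passive asset inventory and conversation baseline for an ICS segment.

Added example for this article, not a vendor product. Flow records are
constructed summaries of what a passive tap or SPAN port would see:
(timestamp, source IP, destination IP, destination port, transport).
"""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Port-to-protocol labels used only to annotate the inventory (constructed;
# a real product fingerprints devices far more carefully than by port).
PORT_LABELS = {502: "modbus-tcp", 44818: "ethernet/ip", 102: "s7comm", 20000: "dnp3"}


class ConversationBaseline:
    def __init__(self):
        self.assets = {}            # ip -> set of labels observed for that host
        self.conversations = set()  # (src, dst, dport, proto) tuples seen in learning

    def _record_asset(self, ip, label):
        self.assets.setdefault(ip, set()).add(label)

    def learn(self, flows):
        """Learning phase: every host and every conversation seen is treated as normal."""
        for f in flows:
            self._record_asset(f.src, "client")
            self._record_asset(f.dst, PORT_LABELS.get(f.dport, "server"))
            self.conversations.add((f.src, f.dst, f.dport, f.proto))

    def inventory(self):
        """The asset inventory the monitoring requirement asks for, as ip -> labels."""
        return {ip: sorted(labels) for ip, labels in sorted(self.assets.items())}

    def detect(self, flows, scan_threshold=3):
        """Detection phase: deterministic, one alert per flow that departs from the baseline.

        A single flow is enough to alert, so a 'low and slow' actor gains nothing
        by keeping volume down. A known host reaching several never-seen targets
        in one batch is additionally reported as possible reconnaissance.
        """
        alerts = []
        new_targets = defaultdict(set)
        for f in flows:
            key = (f.src, f.dst, f.dport, f.proto)
            if key in self.conversations:
                continue
            unknown = [ip for ip in (f.src, f.dst) if ip not in self.assets]
            if unknown:
                alerts.append(("new-asset", ",".join(unknown), key))
            else:
                alerts.append(("new-conversation", f.src, key))
            new_targets[f.src].add((f.dst, f.dport))
        for src, targets in new_targets.items():
            if len(targets) >= scan_threshold:
                alerts.append(("possible-recon", src, tuple(sorted(targets))))
        return alerts


# Constructed learning traffic: an HMI (.10) and a historian (.30) polling two
# Modbus PLCs (.20 and .21). Repeated flows are normal and add nothing new.
BASELINE_FLOWS = [
    Flow("t1", "10.0.1.10", "10.0.1.20", 502, "tcp"),
    Flow("t2", "10.0.1.10", "10.0.1.21", 502, "tcp"),
    Flow("t3", "10.0.1.30", "10.0.1.20", 502, "tcp"),
    Flow("t4", "10.0.1.30", "10.0.1.21", 502, "tcp"),
    Flow("t5", "10.0.1.10", "10.0.1.20", 502, "tcp"),
]

# Constructed later traffic: one normal poll, the historian using a programming
# port it never used before, and a previously unseen host touching three targets.
LATER_FLOWS = [
    Flow("t6", "10.0.1.10", "10.0.1.20", 502, "tcp"),
    Flow("t7", "10.0.1.30", "10.0.1.20", 102, "tcp"),
    Flow("t8", "10.0.1.99", "10.0.1.20", 502, "tcp"),
    Flow("t9", "10.0.1.99", "10.0.1.21", 502, "tcp"),
    Flow("t10", "10.0.1.99", "10.0.1.20", 102, "tcp"),
]


def run_demo():
    """Learn from the baseline traffic, then evaluate the later traffic."""
    baseline = ConversationBaseline()
    baseline.learn(BASELINE_FLOWS)
    return baseline.inventory(), baseline.detect(LATER_FLOWS)


if __name__ == "__main__":
    inventory, alerts = run_demo()
    for ip, labels in inventory.items():
        print(f"asset {ip}: {', '.join(labels)}")
    for kind, who, detail in alerts:
        print(f"{kind:17} {who:12} {detail}")
```

The design choice worth noting is that detection is deterministic: an alert is raised because a specific (source, destination, port, transport) tuple was absent from the learned set, not because a statistical threshold was crossed, so the same input always produces the same alerts and each one can be explained to an operator. The cost is that the learning window must be clean and long enough to cover legitimate but infrequent conversations (maintenance sessions, for example), or those will show up as alerts the first time they recur.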

Beyond the cybersecurity recommendations in the US-CERT alert and those linked to from this article (see link above), Habibi noted another important facet of ICS cybersecurity all companies should heed—“having a backstop in case all other security controls prove insufficient in keeping the bad guys out. Companies need technology that monitors for unauthorized change and processes to investigate change based on asset risk profiles. But when all else fails, they must have good backups and tested business continuity plans in place because the stakes are too great.”