Quantifying Malware in Industrial Control Systems

April 2, 2017
Aiming for a more empirical understanding of the cybersecurity attacks actually being seen in the wild, Dragos sifted through and analyzed mountains of public data. Though attacks are common, there’s no need for panic.

Cybersecurity is an important concern in industrial and utility settings, but attention to it tends to swing between extremes: too often it is either hugely overhyped or dismissed as an insignificant risk. The real threats to industrial security lie somewhere in the middle of that spectrum, but a quantifiable metric has been elusive.

Dragos, an industrial cybersecurity software and service provider, set out recently to cull through reams of mostly publicly available data to develop a more empirical picture. And what the researchers found is that non-targeted IT infections are very prevalent, with a conservative estimate of about 3,000 unique industrial sites a year being affected. They also found that—though they do tend to get overhyped—targeted intrusions into industrial control systems (ICSs) are not as rare as you might think.

In both cases, though, the solution is: Keep calm and monitor your network security.

“Security in the ICS is very important to safety and reliability, but the power grid isn’t going to just fall over and gas pipelines aren’t going to start exploding over random infections or non-nation-state actors deciding to target them,” writes Robert Lee, Dragos CEO, in a blog explaining the findings of the study, “MIMICS (Malware in Modern ICS).” Even the targeted attacks are not earth-shattering, he continues, adding that “the threats are real, but not life changing, and should be taken seriously with a sound approach to the priorities in industrial environments.”

Targeted vs. non-targeted

Although high-profile stories about Iran’s nuclear program, Ukraine’s power utilities or other energy-sector incidents grab clicks and reader attention, they don’t produce the changes in behavior that keep industrial operations safe. This is largely because these stories don’t seem to relate to the day-to-day running of a typical plant.

“There’s a disconnect between a lot of what the hype is and what the folks are seeing. People have heard of Stuxnet or BlackEnergy or Havex, but nobody’s actually seen those in their environments,” says Ben Miller, director of threat operations for Dragos, who undertook the project of identifying, analyzing and extracting lessons learned from the data. “An engineer would read a report on Stuxnet and disregard that as hype because he’s not seeing that.”

All three of the campaigns Miller mentions targeted industrial control systems. Stuxnet was used to sabotage centrifuges at Iran’s uranium enrichment facility; BlackEnergy is best known for its role in the December 2015 attack that cut power in parts of Ukraine, where the intruders used it to gain a foothold before remotely disconnecting distribution substations from the grid; and Havex, first aimed at the energy sector, was delivered through trojanized installers on ICS vendor websites and went on to target ICS/SCADA users more broadly.

Industrial manufacturers who think they are unlikely to be the target of attacks like these are, in large part, right. That doesn’t mean they can ignore cybersecurity, though. The more pressing danger is the far less publicized but much more common opportunistic malware.

“What are in these environments are traditional opportunistic viruses that are spreading unbeknownst to automation folks,” Miller says. “That’s what they should be concerned about. And it’s actually pretty easy to defend with good practices and cyber hygiene.”

Miller and Lee gave a keynote presentation last week at the SANS ICS Security Summit in Orlando to discuss for the first time some key findings from the MIMICS study. The report was based on public data found at VirusTotal, and was geared toward understanding malware as it relates to ICS.

“We wanted to quantify what is out in the wild,” Miller says. Over the course of just 90 days, the study identified thousands of real-world infections caused by opportunistic viruses and removable media across many ICS vendor programs.

“A lot of what we did see was opportunistic, and likely wouldn’t create an impact,” Miller explains. “But you’d only need to change a variable to have an industrial impact.”

Attacks like BlackEnergy or Stuxnet remain within the realm of possibility, Miller says, but they are targeted operations, unlike the opportunistic infections that are happening on a regular basis.

VirusTotal searches

Owned by Google, VirusTotal is a free online service that enables anyone to upload a file to be scanned for viruses, worms, trojans and other malware. “By itself, it’s a good service, but it serves as a malware repository as well,” Miller explains. “I as a researcher can search for a file and see when it was first uploaded or last uploaded.”

And that’s exactly what Miller did, analyzing about 30,000 samples of infected ICS files and installers dating back to 2003. Although Dragos had a premium account with VirusTotal to get access to some of the data Miller analyzed, a lot of information is exposed publicly, he says.

Some of the malware Miller saw consisted of self-propagating file infectors attaching themselves to legitimate ICS files. This creates an infection path into any ICS vendor’s software, Miller explains, because legitimate executables and installers end up carrying malware into the plant. “This led to 15,000 files being discovered over the last 128 days being infected.”

Another development Dragos documented was malware that was not tailored to ICS-specific systems but was themed around them. In a set of files spanning from 2013 to as recently as last month, Dragos analyzed a spate of samples of the type known as a downloader: a small first-stage program whose only job is to retrieve and run additional malicious software. These were made to look like Siemens control software.

Data on the file makes it look like it’s related to a Siemens programmable logic controller (PLC). “If you’re on your Windows machines and you hover over the icon, it would give you the information—in this case, it’s going to say ‘Siemens Automation, Siemens PLC.’ That’s the kind of theming I describe,” Miller explains. “It will look like nothing happened. But what did happen is it went to a website and got an encrypted file, and was set to download another set of malicious software onto the computer.”

In other words, Lee explains, a bad actor has been attempting to compromise industrial environments by theming malware to look like Siemens control software. He reiterates, though, that the answer is not alarm but a sound approach to cybersecurity. “As an example, simple supply chain awareness of software would eliminate this attack vector,” he writes. “Identify the digital hash of the software from the vendor, download the software, and check the hash against the known-good before installing it in the industrial environment.”
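Lee’s hash check, carried through as a worked example. This is added here and is not Dragos’s or any vendor’s code; it assumes the vendor publishes a sha256sum-style manifest, and the installer names and bytes in the demo are constructed. It also covers the file-infector case described above: an installer that still carries the vendor’s name but whose bytes no longer match the published digest is rejected before it reaches the plant.

```python
"""Supply-chain check for ICS software: hash the downloaded installer and compare it
against the vendor's published known-good digest before it goes anywhere near the
plant. Added example; the SHA256SUMS manifest format and file names are assumptions."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB installer need not fit in RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<64 hex>  <name>' or '<64 hex> *<name>')
    into a name -> digest map. Malformed lines are an error, not silently skipped:
    a manifest you cannot fully trust is no manifest at all."""
    known: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts
        int(digest, 16)  # raises ValueError if the digest is not hex
        known[name.lstrip("*")] = digest.lower()
    return known


def verify_installer(path: Path, manifest: Dict[str, str]) -> bool:
    """True only if the file's name is in the vendor manifest AND its SHA-256 matches.
    An installer the vendor never listed is rejected, not treated as 'unknown but fine'."""
    expected = manifest.get(path.name)
    if expected is None:
        return False
    return sha256_file(path) == expected


def demo() -> Dict[str, bool]:
    """Constructed scenario: a clean vendor download, the same installer after a
    file infector appended code to it (same name, same icon, different bytes),
    and an installer that is not on the manifest at all."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        vendor = root / "PLC_Tool_Setup.exe"
        vendor.write_bytes(b"MZ" + b"\x00" * 4096)  # stand-in bytes, not a real PE

        manifest = parse_manifest(
            "# SHA256SUMS as a vendor might publish it (constructed for this example)\n"
            f"{sha256_file(vendor)}  PLC_Tool_Setup.exe\n"
        )

        usb = root / "usb"
        usb.mkdir()
        infected = usb / "PLC_Tool_Setup.exe"
        infected.write_bytes(vendor.read_bytes() + b"\xcc" * 512)  # appended payload

        unlisted = root / "PLC_Tool_Update.exe"
        unlisted.write_bytes(b"MZ" + b"\x00" * 128)

        return {
            "vendor_download": verify_installer(vendor, manifest),
            "infected_copy_from_usb": verify_installer(infected, manifest),
            "unlisted_installer": verify_installer(unlisted, manifest),
        }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'install' if ok else 'REJECT'}")
```

The manifest itself must arrive over a channel you trust more than the download (the vendor’s HTTPS site, or a digest confirmed with the vendor out of band); a hash file that travelled on the same USB stick as the installer proves nothing.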

Upload concerns

What might actually be a bigger cause for concern is the uploading of files to public databases like VirusTotal.

Some of the information Miller analyzed on VirusTotal revealed more about the uploading organizations than they would likely want the public to see. He found a couple of PDFs, for example, that were Nuclear Regulatory Commission finding reports and appeared to be non-public information. One in particular had facility names, equipment names and findings from the investigation, Miller says.

“Another one was a zip file of a substation maintenance report,” Miller says. “There were AutoCAD drawings, spreadsheets with inspections, sign-offs, names and that kind of thing.”

Miller continues, “I was a bit surprised at how much industrial security folks seem to be using VirusTotal. There are probably safer ways to use VirusTotal.”

Miller recommends using VirusTotal as a data source for searches, but not uploading files, which may carry sensitive information about the organization. “It’s very safe to search for a file. You can see if anyone has submitted it before and what the report says. You’re not saying you have that file; you’re just searching for it,” Miller explains. “When you start uploading to it, that’s when things can become more interesting. There are some dos and don’ts that haven’t been communicated.”
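The search-don’t-upload pattern Miller describes, as an added example (not Dragos’s tooling): compute the SHA-256 locally, ask VirusTotal’s v3 API for the existing report on that hash, and treat “never seen” as an answer rather than a reason to submit the file. The API key, the canned report and the digests in the demo are constructed so the code runs offline; the endpoint and header names are VirusTotal’s public v3 API.

```python
"""Ask VirusTotal what it already knows about a file by its SHA-256 instead of
uploading the file. Added example, not Dragos's tooling; the API key, canned
response and digests below are constructed for the demo."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

VT_FILES = "https://www.virustotal.com/api/v3/files/"
Fetch = Callable[[str, Dict[str, str]], Optional[dict]]


def http_get_json(url: str, headers: Dict[str, str]) -> Optional[dict]:
    """Real transport, GET only: nothing in this module ever POSTs file content.
    A 404 means nobody has submitted that hash yet. That is an answer in itself,
    not a prompt to upload the file so that a report will exist."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def lookup_by_hash(digest: str, api_key: str, fetch: Fetch = http_get_json) -> Dict[str, object]:
    """Summarise VirusTotal's existing report for a SHA-256 computed locally.
    Only the digest leaves the network; the file itself stays in the plant."""
    digest = digest.lower()
    if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
        raise ValueError("expected a SHA-256 hex digest")
    report = fetch(VT_FILES + digest, {"x-apikey": api_key, "accept": "application/json"})
    if report is None:
        return {"known": False, "malicious": 0, "suspicious": 0, "engines": 0,
                "first_submitted": None, "last_submitted": None}
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    return {
        "known": True,
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "engines": sum(stats.values()),
        # Miller's "first uploaded / last uploaded": Unix timestamps in the v3 report
        "first_submitted": attrs.get("first_submission_date"),
        "last_submitted": attrs.get("last_submission_date"),
    }


def fake_vt(url: str, headers: Dict[str, str]) -> Optional[dict]:
    """Constructed stand-in for the VirusTotal API so the demo runs offline.
    One known hash with a made-up report; every other hash behaves like a 404."""
    assert url.startswith(VT_FILES) and "x-apikey" in headers
    canned = {
        "0" * 64: {"data": {"attributes": {
            "first_submission_date": 1385856000,
            "last_submission_date": 1488326400,
            "last_analysis_stats": {"malicious": 41, "suspicious": 2,
                                    "undetected": 15, "harmless": 0},
        }}},
    }
    return canned.get(url[len(VT_FILES):])


def demo():
    seen = lookup_by_hash("0" * 64, "DEMO-KEY", fetch=fake_vt)
    unseen = lookup_by_hash("F" * 64, "DEMO-KEY", fetch=fake_vt)
    return seen, unseen


if __name__ == "__main__":
    for report in demo():
        print(report)
```

Swap `fake_vt` for the default `http_get_json` and a real key to query the live service. Even a hash lookup tells VirusTotal that someone holds that file, so route the query through an account not tied to a specific site if that matters to you.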

But if everybody took that advice, I argue, there wouldn’t be anything left in VirusTotal to search for and the site would become useless. “It does make the general security researcher’s job harder,” Miller comments, “but it strengthens the hand of the actual asset owners.”

Electrical defense

With close to two decades of experience in cybersecurity, Miller has particular expertise in the electricity sector, having served as associate director of the Electricity Information Sharing and Analysis Center (E-ISAC), which is operated by North American Electric Reliability Corp. (NERC).

The Ukraine power attack grabbed a lot of attention for cybersecurity in the electricity sector. But in fact the sector has been highly engaged for several years, Miller says, with a group of electric company CEOs (the Electricity Subsector Coordinating Council) meeting quarterly with the U.S. Department of Energy (DOE) and White House officials to discuss cybersecurity concerns.

What helps the communication is that those CEOs are generally not competitors, and are used to offering each other assistance as needed. “That has helped the cybersecurity aspect of how things are handled,” Miller says. This is in contrast, for example, to oil majors, which are in a more competitive position. “In that regard, the electricity sector has a leg up. They come to the table much more openly because they don’t have that baggage of competition hanging over them.”

The next phase

Now that Dragos has better empirical data around malware infecting industrial environments, it will continue to cull through findings and report back to industry.

“This was a research project, so we weren’t sure what we would find,” Miller says. “We’re happy with a lot of the results we found, and there are additional findings that we’re working through.”

Dragos plans to operationalize the research, Miller adds, to automate reports back to customers on a regular basis.

“We’re trying to add more nuance to the discussion, to better frame the problem with an understanding of what is being seen in the wild—with numbers behind it,” Miller says.
