There have been several incidents recently where a critical infrastructure organization’s IT systems were breached or became infected with malware. SecurityWeek has reached out to several ICS security experts to find out if these types of attacks are an indicator of a weak security posture, which could lead to control systems also getting hacked.
Security incidents involving critical infrastructure organizations
There are only a few publicly known examples of cyberattacks targeting an organization’s industrial control systems (ICS), including the recent Ukraine energy sector incidents and the 2010 Stuxnet attacks. However, there are several known incidents involving the IT networks of critical infrastructure organizations.
One recent report comes from Japan, where attackers last year stole the personal details of more than 10,000 employees of Taiyo Nippon, the country’s largest industrial gas producer and one of the world’s top gas suppliers (report in Japanese). The breach, which took place in March 2016, did not affect any control systems, the company said.
In April, we learned that two widely used pieces of malware, namely Conficker and Ramnit, had been found on systems belonging to a German nuclear energy plant in Gundremmingen. Experts believe these systems were likely infected by accident rather than as a result of targeted attacks.
Also in April, the Board of Water and Light (BWL) in Lansing, Michigan, was hit by a piece of ransomware, but the organization said the malware only affected the corporate network, with no disruption to water or energy supplies.
The Grizzly Steppe report published recently by the U.S. government in an effort to help organizations detect attacks launched by Russia-linked threat actors has led to the discovery of suspicious traffic at two organizations: the Burlington Electric Department in Vermont, and the Hydro One electricity distributor in Canada. Both organizations said the electric grid was never at risk.
Experts comment on the risks posed by such incidents
SecurityWeek has reached out to several industrial cybersecurity companies to find out if more damaging attacks may be possible given the holes in these organizations’ security.
Robert M. Lee, CEO and founder of Dragos, Inc., believes poor security practices and poor network segmentation can lead to a number of control system issues.
“Often if the pathways into the IT side of the network are easily taken advantage of, you will find that pathways into the ICS are also easily taken advantage of; however this is not the case in every site and we have seen a significant increase in security by many organizations out there,” Lee said.
Lane Thames, software development engineer and security researcher at Tripwire, also believes that a weak security posture on the IT side can lead to breaches on the OT side, particularly in the case of organizations that have started migrating OT systems to communication technologies (e.g. Ethernet, IP networking, Wi-Fi).
“For example, I have seen a single advanced manufacturing system with over 50 Ethernet ports, each one assigned its own IP address, that was controlled through a web based interface. If an attacker can penetrate the web server hosting the interface, then it is possible to penetrate the physical manufacturing device,” Thames said.
However, Lee and Thames agree that a security incident does not necessarily imply a poor security posture – even organizations with good security practices can get breached.
Opportunistic vs. targeted attacks
While critical infrastructure organizations may be breached by opportunistic threat actors that launch attacks indiscriminately for financial gain, experts believe some of these incidents could represent the reconnaissance phase of a targeted operation, although they point out that targeting ICS is not the same as targeting IT networks.
“The sophistication of some of the attacks on certain industrial facilities points to actors far more capable than your opportunistic hacker,” said Eddie Habibi, CEO of PAS. “If cybersecurity is going to be the new WMD (weapons of mass destruction) in the future, which we believe it has the proclivity to be, you have to also believe that every nation is right now trying to build both their offensive and defensive cyber capabilities. That includes reconnaissance, spyware, Trojan horse and more.”
Thames explained, “Reconnaissance is really always in the picture. Further, mainstream attacks are also always in the mix. However, on the industrial side you will also see attacks that are more tailored to the target industry with very specific objectives driving the attack. For example, manufacturing organizations will often be targeted with a goal of stealing sensitive information and intellectual property.”
Despite the differences, experts believe industrial networks are not necessarily more difficult to attack.
“Cyber attacks on industrial control networks are very different from attacks on IT networks because the infrastructures are inherently different. ICS networks contain specialized technologies that operate the different processes. Therefore reconnaissance is always an important phase in which the attacker carefully learns which technologies are in place and how they are operated,” explained Barak Perelman, CEO of Indegy. “This doesn’t make industrial networks more difficult to attack. On the contrary - it is quite easy to attack them.”
Lee has pointed out that the only targeted attacks covered by the mainstream media in 2016 were the ones aimed at Thyssenkrupp and Ukraine’s energy sector. However, the expert said there were a number of targeted threat incidents last year that were not made public.
Securing ICS systems vs. securing corporate networks
SecurityWeek also asked the experts how an organization’s approach to securing its business network differs from its approach to securing its OT network.
Stephen Ward, Claroty: “The OT domain was not purposely built with security in mind - it was built with reliability, safety and up-time at the core. It is a very complex environment that is sensitive to any potential disruption. When looking at security solutions for the OT domain, organizations have to ensure that no potential harm is introduced into the OT network - they're incredibly concerned with this and in the past this has resulted in IT security people introducing potential controls but OT network personnel disqualifying those approaches. OT security solutions need to be just that - purpose built with an understanding of the complexities of these networks. Passive security solutions - such as real-time monitoring and detection - are on the top of the list for OT security improvements as a result.”
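Two of the points above lend themselves to a concrete check: Lee's observation that weak IT-to-ICS pathways often go hand in hand with poor segmentation, and Ward's remark that passive, real-time monitoring is the preferred first improvement on the OT side. The script below is an added example, written for this article and not code from SecurityWeek, Dragos or Claroty. It assumes a three-zone model (IT, DMZ, OT) with zones assigned by address prefix, an allow-list of zone pairs that may communicate directly, and an allow-list of engineering workstations permitted to issue Modbus/TCP write function codes; the addresses and flow-log lines are constructed sample data. It only reads flow records, so it never sends anything toward the control network.

```python
"""Passive segmentation and Modbus write monitoring over constructed flow records.

Added example for this article; not vendor or SecurityWeek code. Zone prefixes,
allowed zone pairs, authorized writers and the log lines are all assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Modbus function codes that change process state (writes); 1-4 are reads.
MODBUS_WRITE_CODES = {5, 6, 15, 16, 22, 23}

# Assumed zone assignment by address prefix (constructed).
ZONE_BY_PREFIX = {
    "10.1.": "IT",
    "10.2.": "DMZ",
    "10.3.": "OT",
}

# Assumed segmentation policy: IT may reach the DMZ, the DMZ may reach OT,
# and hosts may talk within their own zone. Anything else is a direct
# IT-to-ICS pathway of the kind Lee warns about.
ALLOWED_ZONE_FLOWS = {
    ("IT", "IT"), ("IT", "DMZ"),
    ("DMZ", "DMZ"), ("DMZ", "OT"),
    ("OT", "OT"),
}

# Assumed engineering workstations allowed to write to PLCs (constructed).
WRITE_AUTHORIZED = {"10.3.0.10"}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    func: int  # Modbus function code, 0 when the flow is not Modbus


def zone_of(ip: str) -> str:
    """Map an address to its zone, or UNKNOWN if no prefix matches."""
    for prefix, zone in ZONE_BY_PREFIX.items():
        if ip.startswith(prefix):
            return zone
    return "UNKNOWN"


def parse_line(line: str) -> Flow:
    """Parse a constructed record: '<ts> <src> <dst> <dport> <func>'."""
    ts, src, dst, dport, func = line.split()
    return Flow(ts, src, dst, int(dport), int(func))


def inspect(flow: Flow) -> List[str]:
    """Return zero or more alert strings for a single flow record."""
    alerts = []
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if (sz, dz) not in ALLOWED_ZONE_FLOWS:
        alerts.append(
            f"segmentation: direct {sz}->{dz} flow {flow.src}->{flow.dst}:{flow.dport}")
    if flow.dport == 502 and flow.func in MODBUS_WRITE_CODES \
            and flow.src not in WRITE_AUTHORIZED:
        alerts.append(
            f"modbus-write: fc{flow.func} from non-engineering host {flow.src} to {flow.dst}")
    return alerts


# Constructed sample flow log: an authorized write, a read, an IT host writing
# straight to a PLC, a normal IT->DMZ HTTPS flow, and an OT host writing
# without authorization.
SAMPLE_LOG = """\
2017-01-10T08:00:01 10.3.0.10 10.3.0.50 502 16
2017-01-10T08:00:02 10.3.0.20 10.3.0.50 502 3
2017-01-10T08:00:03 10.1.0.77 10.3.0.50 502 6
2017-01-10T08:00:04 10.1.0.77 10.2.0.5 443 0
2017-01-10T08:00:05 10.3.0.20 10.3.0.50 502 5
"""


def run(log_text: str) -> Dict[str, List[str]]:
    """Inspect every record and return alerts keyed by the record timestamp."""
    results: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        alerts = inspect(flow)
        if alerts:
            results[flow.ts] = alerts
    return results


if __name__ == "__main__":
    for ts, found in run(SAMPLE_LOG).items():
        for alert in found:
            print(ts, alert)
```

On the sample data the third record raises both a segmentation alert and a write alert, and the fifth raises a write alert even though it never crosses a zone boundary; the rest are silent. The two checks are deliberately independent, since a correctly segmented OT network can still have an unexpected host issuing writes, and a segmentation violation is worth knowing about even when the traffic is only reads.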
Lane Thames, Tripwire: “Often, there are differences within the organizations themselves (at least that has been the case historically). OT focuses on “mission assurance” whereas IT focuses on “information assurance”. These two objectives are vastly different, and, based on my discussions with practitioners in the industry, it creates communication breakdowns and barriers when an organization with IT and OT approaches security operations. For example, a control engineer could care less about data loss whereas an IT system administrator could care less about air-gapping the battery backup units (UPSs).”
Eddie Habibi, PAS: “The difference is stark. Folks who are focused on protecting business networks concern themselves with protecting information. OT cybersecurity personnel are singularly focused on protecting the physical process plant and safety. These approaches lead to very different cybersecurity decisions. An OT system, for instance, may never have a patch applied if there is a perceived risk it will disrupt production. Instead, they will add security controls in front of that system to mitigate risk. A zero day vulnerability can become a forever day vulnerability. In an IT approach, the patch is applied in real-time. Policies are in fact in place to make sure patches are kept up to date.”
Robert Lee, Dragos: “There must be largely different approaches and processes for securing the OT networks than the IT networks. Simply put, these networks have more serious consequences that can occur from bad practices and they often cannot be secured in the same way. As an example, simply deploying antivirus to the ICS would not significantly contribute to security, and may actually detract from it, whereas that is a common practice in IT security. There need to be tailored methodologies, processes for authorization and ownership of problems, and a different view of the risk management.”
Barak Perelman, Indegy: “There is a huge difference in approaches. OT networks involve different technologies and have different security gaps that should be addressed. Even the network activity is different and uses different protocols. In addition, process stability, safety and continuity is a top priority in these environments. Therefore, any modifications that could impact operations are indefinitely postponed. This means that patches, upgrades and other changes are rarely made.
[...] Implementing network security in ICS environments poses unique challenges since it requires in-depth understanding of the intricacies of OT network activity.”