EDITOR’S NOTE: This is the second in a series of condensed white papers from security provider Dragos that discusses issues focused on industrial control system (ICS) security. The complete white paper is available from Dragos.
By Joe Slowik
Prior to 2017 only three families of ICS-specific malware were known: Stuxnet, BlackEnergy 2, and Havex. In 2017 the world learned of two more: Trisis and Crashoverride. Each marked an industry first.
Crashoverride was the first malware to specifically target and disrupt electric grid operations; it caused an outage in Kiev, Ukraine in December 2016, although it was not definitively identified and analyzed until 2017.
Trisis is the first malware to specifically target and disrupt safety instrumented systems (SIS), and is therefore the first malware to target, or accept as a potential consequence, the loss of human life. The impact of these events cannot be overstated.
The number of adversaries targeting control systems, and their investment in ICS-specific capabilities, is only growing. There are now five current, active groups targeting ICS, far more than prevailing assumptions about the skill, dedication, and resources required for ICS operations would suggest possible. These events and continued activity will only drive a hidden arms race in which other state and non-state actors mature equivalent weapons to affect industrial infrastructure and ensure parity against possible adversaries.
We expect ICS operational losses and likely safety events to continue into 2018 and the foreseeable future.
Last year featured multiple concerning developments in ICS security. At a general level, wormable ransomware such as WannaCry and NotPetya put ICS owners and operators on notice that industrial networks are far more connected to the IT environment than many realized. While those events were significant and, for some organizations, costly, 2017 also featured targeted operations by activity groups focused exclusively on the ICS environment.
Previously, defenders perceived ICS threat actors as rare and as facing significant technical hurdles. But 2017 demonstrated, whether because ICS is an increasingly enticing target or because researchers and defenders are simply looking harder, that these groups are more common than previously thought. Dragos identified five active, ICS-focused groups that displayed varying levels of activity throughout 2017. While only one has demonstrated a capability to impact ICS networks directly through ICS-specific malware, all have engaged in at least reconnaissance and intelligence gathering against the ICS environment.
Overall, the scope and extent of malicious activity either directly targeting or gathering information on ICS networks increased significantly throughout 2017.
2017 saw a dramatic expansion in ICS security activity and awareness. During the year Dragos identified and analyzed Crashoverride, responsible for the Ukraine power outage of December 2016, and in November discovered and analyzed Trisis, the first ICS malware designed to target industrial safety systems. Considering that defenders knew of only three ICS-focused malware families before 2017, Stuxnet (pre-2010), BlackEnergy 2 (2012), and Havex (2013), the emergence of two more in a single year indicates that adversaries are devoting more effort and resources to ICS targeting and that their capabilities are expanding.
Early in 2017 the industry saw the public release of the EternalBlue exploit for the SMBv1 vulnerability addressed by MS17-010, and the subsequent WannaCry ransomware worm. Infections of operational networks with this ransomware, and the resulting operational disruption, illustrated how tightly coupled business and operational networks have become. While engineers and operations staff have long treated separation between “business” and “operational” environments as the ICS model, the border is increasingly permeable, and operational ICS networks therefore face traditional business threats.
Closely following WannaCry, adversaries launched NotPetya: a wiper masquerading as ransomware that initially appeared to target Ukrainian business and financial sectors. In addition to weaponizing the EternalBlue exploit, NotPetya leveraged credential capture and replay as a second means of propagation, so a single infected host holding cached administrative credentials could reach neighbours that were fully patched against MS17-010. The result was rapid spread to organizations well removed from the Ukrainian business sectors. Perhaps the most sobering example is Maersk, estimated to have lost up to $300 million USD while also having to rebuild and replace most of its IT and operations network.
To combat malware infection events such as these, Dragos pursues “commodity,” non-ICS-focused malware through the MIMICS (Malware In Modern ICS Environments) project. By aggressively hunting for standard IT threats that pose a specific danger to ICS environments, Dragos works to provide early warning and defensive guidance on potentially overlooked threats.
Tracking Attack Groups
We are currently tracking five activity groups targeting ICS environments, either with an ICS-specific capability such as Crashoverride or with an intention to gather information and intelligence on ICS-related networks and organizations. These groups have remained relatively constant in overall activity throughout the year, and Dragos is confident that additional, as yet unknown, events have occurred.
An intelligence-driven approach to ICS defense is not yet universal. Indicators of compromise are not intelligence and will not, by themselves, save any organization. Organizations must consume and understand ICS-specific threat intelligence so that they can monitor for adversary behaviors and tradecraft, rather than simply detecting changes, anomalies, or after-the-fact indicators of compromise.
Detection-in-depth: Just as defense-in-depth is a necessary component of modern cybersecurity, detection-in-depth must become a necessary component across all industrial control levels. Enhanced monitoring must especially cover any permeable “barriers” such as the IT-OT network boundary. ICS networks are increasingly connected not only to the IT network but also directly to vendor networks and other external communication paths, so monitoring the IT environment alone is entirely insufficient.
ICS-specific investigations: In the event of a breach or disruption there must be ICS-specific investigation capabilities and ICS-specific incident response plans. This is the only effective way to perform root cause analysis and reduce mean time to recovery in operations environments when facing industry-specific threats.
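The two preceding points, behaviour-based monitoring rather than indicator matching and enhanced monitoring at the IT-OT boundary, can be made concrete with a small detection routine. The following Python script is an added example and is not part of the Dragos paper or any Dragos tool. It runs two behavioural checks over firewall flow records crossing an assumed IT/OT boundary: a new IT-to-OT communication path that is absent from an allow-list baseline, and an IT host reaching several OT hosts on ICS protocol ports (a reconnaissance pattern). The subnets, the baseline allow-list, the sweep threshold and the flow records themselves are all constructed for illustration; the port-to-protocol mapping uses the well-known defaults for Modbus/TCP, S7comm, DNP3, EtherNet/IP and DCOM (classic OPC). Neither check depends on knowing which tool or malware family the adversary used, which is the point of watching tradecraft instead of indicators.

```python
"""Behavioural detection at an IT/OT boundary (added example, not from the paper)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed addressing: IT segment 10.10.0.0/16, OT segment 10.20.0.0/16 (hypothetical).
IT_PREFIX = "10.10."
OT_PREFIX = "10.20."

# Well-known ICS protocol ports: Modbus/TCP, S7comm, DNP3, EtherNet/IP, DCOM (classic OPC).
ICS_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3", 44818: "enip", 135: "dcom"}

# Hypothetical baseline: IT hosts that are expected to talk into OT (e.g. a historian collector).
BASELINE_IT_TO_OT = {("10.10.5.20", "10.20.1.10")}

# Constructed flow records in the shape "src=... dst=... dport=...", as a boundary
# firewall might export them. Not real traffic.
SAMPLE_FLOWS = [
    "src=10.10.5.20 dst=10.20.1.10 dport=502",    # historian collector, baselined
    "src=10.10.5.20 dst=10.20.1.10 dport=502",
    "src=10.10.7.33 dst=10.20.1.10 dport=502",    # IT workstation, not in baseline
    "src=10.10.7.33 dst=10.20.1.11 dport=502",
    "src=10.10.7.33 dst=10.20.1.12 dport=102",
    "src=10.10.7.33 dst=10.20.1.13 dport=20000",
    "src=10.10.7.33 dst=10.20.1.14 dport=443",    # new path, but not an ICS port
    "src=10.20.1.10 dst=10.20.1.11 dport=502",    # OT-internal: out of scope for this check
    "src=10.10.9.1 dst=10.10.9.2 dport=445",      # IT-internal: out of scope
]


@dataclass(frozen=True)
class Alert:
    kind: str     # "new_it_to_ot_path" or "ics_protocol_sweep"
    src: str      # offending IT host
    detail: str


def parse_flow(line):
    """Parse one 'key=value' flow record into (src, dst, dport)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def detect(lines, sweep_threshold=3):
    """Return alerts for unbaselined IT->OT paths and ICS-port sweeps by one IT host."""
    alerts = []
    seen_pairs = set()                   # de-duplicate repeated flows on the same path
    ot_targets = defaultdict(set)        # IT host -> OT hosts it touched on ICS ports
    for line in lines:
        src, dst, dport = parse_flow(line)
        # Only traffic crossing the IT->OT boundary matters for these two checks.
        if not (src.startswith(IT_PREFIX) and dst.startswith(OT_PREFIX)):
            continue
        pair = (src, dst)
        if pair not in BASELINE_IT_TO_OT and pair not in seen_pairs:
            seen_pairs.add(pair)
            alerts.append(Alert("new_it_to_ot_path", src,
                                f"{src} -> {dst}:{dport} is not a baselined IT->OT path"))
        if dport in ICS_PORTS:
            ot_targets[src].add(dst)
    # An IT host touching several distinct OT hosts on ICS ports looks like reconnaissance.
    for src, targets in ot_targets.items():
        if len(targets) >= sweep_threshold:
            alerts.append(Alert("ics_protocol_sweep", src,
                                f"{src} reached {len(targets)} OT hosts on ICS ports"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. for a dashboard or a test."""
    return Counter(a.kind for a in alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(f"[{alert.kind}] {alert.detail}")
    print(dict(summarize(detect(SAMPLE_FLOWS))))
```

On the constructed records the baselined historian traffic produces nothing, while the IT workstation triggers five new-path alerts and one sweep alert. In practice the baseline would be learned from a known-good period and the threshold tuned per site; the checks also extend directly to the vendor and remote-access paths the paragraph mentions by treating those networks as additional "IT-side" prefixes.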
Assume breach: Disruptive ICS-specific malware is real, traditional IT threats now regularly cross the IT-OT divide, and ICS-knowledgeable activity groups are targeting industrial infrastructure directly instead of just the IT networks of industrial companies. Gone are the days of protection through a segmented network alone. Detection is the first component of an assume-breach model, because you can only respond to what you can see.
Resilience against cyber attack: Resiliency analysis and engineering surrounding industrial processes must include cyber-attacks. For example, safety systems must be designed and operated with the understanding that they may now be purposefully attacked and undermined.
Joe Slowik is an adversary hunter for Dragos, Inc.