Everyone in the manufacturing automation sector knows the industrial control systems (ICS) are the heart of all manufacturing and process control systems.
These systems connect to other electronic systems that are part of the control process, creating a highly-connected ecosystem of vulnerable devices that a wide range of attackers are becoming more eager to compromise, according to the Cisco 2018 Annual Cybersecurity Report.
Bad guys who want to target ICS to cripple critical infrastructure are actively engaged in research and creating backdoor pivot points to facilitate future attacks, according to TrapX Security, a Cisco partner that develops deception-based cybersecurity defenses. Among the potential cyber attackers are experts with advanced knowledge of IT systems, ICS architectures, and the processes they support. Some also know how to program product lifecycle management (PLM) controllers and subsystems.
Threat researchers with TrapX conducted investigations into several cyber attacks that targeted users’ ICS to help highlight unexpected problems with cyber defense. Two of the incidents took place in 2017 and remain under investigation.
First victim: Large international water treatment and waste processing company
Attackers used the company’s demilitarized zone (DMZ) server as a pivot point to compromise the internal network.
The security operations team received alerts from deception security technology embedded in the network DMZ. This physical or logical subnetwork bridges internal networks from untrusted networks, such as the Internet, protecting other internal infrastructure.
The investigation found:
• The DMZ server ended up breached due to a misconfiguration that allowed remote desktop protocol (RDP) connections.
• The server was breached and controlled from several IPs, which were connected to political hacktivists hostile to the plant.
• The attackers launched multiple major attacks against several of the company’s other plants from the compromised internal network.
Second victim: Power plant
This power plant’s critical assets include a very large ICS infrastructure and the necessary supervisory control and data acquisition (SCADA) components that manage and run their processes.
The plant is considered critical national infrastructure and subject to scrutiny and oversight by the responsible national security agency. It is therefore considered a high-security installation.
The CISO involved decided to implement deception technology to protect the plant’s standard IT resources from ransomware attacks. The technology was also distributed within the ICS infrastructure. Soon after, the security operations team received several alerts that indicated a breach to the systems within the critical infrastructure plant operations.
Their immediate investigation concluded:
• A device in the process control network was attempting to interact with the deception traps, which were camouflaged as PLM controllers. This was an active attempt to map and understand the exact nature of each PLM controller within the network.
• The compromised device would normally have been closed, but a vendor performing maintenance failed to close the connection when finished. That oversight left the process control network vulnerable to attackers.
• The information adversaries were collecting is exactly the type needed to disrupt plant activity and potentially cause great damage to ongoing plant operations.
In most cases, ICS breaches begin with the compromise of vulnerable servers and computing resources within the corporate IT network.
Threat researchers with TrapX recommend organizations take the following actions to reduce risk and help ensure the integrity of operations within their facilities:
• Review vendors and systems, and see that all patches and updates are applied promptly. (If patches are not available, consider migrating to new technology.)
• Reduce the use of USB memory sticks and DVD drives.
• Isolate ICS systems from IT networks. Don’t allow any direct connections between the two. That includes network connections, laptops, and memory sticks.
• Implement policies that severely limit the use of the ICS networks for anything other than essential operations. Reduce accessibility to ICS workstations and monitors with external Internet browser access. Assume these policies will fail and plan accordingly.
• Research and eliminate all embedded passwords or default passwords in your production network. And wherever possible, implement two-factor authentication.
• Review plans for disaster recovery following a major cyber attack.
Click here for more information on the Cisco 2018 Annual Cybersecurity Report.