Understanding threat actors’ steps into OT and ICS environments – Technologist

“To know your enemy, you must become your enemy.” Sun Tzu, regarded as one of the greatest military strategists of all time, certainly did not live in the hyper-connected and cyberthreat-laden times of today, but we would all benefit from some of his more profound teachings. And it seems some of his teachings have made their way into the planning of cybersecurity strategies.

The increasing frequency of OT/ICS cyberattacks is serving as a wake-up call to organisations. Cybercriminals are using a range of techniques to launch a tsunami of attacks against OT and ICS systems.

The impact of these attacks can affect the masses by causing civic unrest, and governments in some countries are taking pre-emptive measures to stop these attacks.

For instance, the Cyber Security Agency of Singapore (CSA) created the OT Cybersecurity Masterplan in 2019 to enhance the security and resilience of the nation’s Critical Information Infrastructure (CII) sectors in delivering essential services.

Its goal was to improve cross-sector response to mitigate cyber threats in the OT environment and to strengthen partnerships with industry and stakeholders, proving that the threat of OT/ICS attacks is imposing enough for governments to act before they happen.

 In today’s manufacturing and utility networks, feeble defences across assets, managed and unmanaged devices give adversaries the advantage to launch attacks.

Without direct action to harden OT networks and control systems against vulnerabilities introduced through IT and business network intrusions, OT system owners and operators will remain at indefensible levels of risk.

An example is Iran suffering a major attack on its fuel stations nationwide in 2021, which disabled a system that allowed millions of Iranians to use government-issued cards for fuel at a subsidised price.

In total, 4,300 fuel stations were victims of the attack with traffic in cities being widely affected in an attempt to get “people angry by creating disorder and disruption”, according to Iranian president Ebrahim Raisi.

Similarly, petroleum powerhouse Oil India suffered a cyberattack disrupting the company’s operations in Assam earlier in 2022. In the attack, they received a ransom demand of USD 7,500,000, disrupting business through its IT systems.

The company reported huge financial losses due to the attack. When securing against today’s cyber threats, it is important to understand the game plans of threat actors and proactively counteract them with solutions.

Let’s start with Sun Tzu to understand our enemy’s 5 steps into our ICS and OT environments:

1. Effects and targets: 

APT actors, or state-sponsored actors, are looking to create chaos, sow discord, or destabilisation of leadership. To do so, they typically vet out critical assets within critical infrastructure like controllers in marine ports, energy generation/distribution points, and highly visible targets where disruption may cause harm, distrust, or may psychologically or socially impact a community.

Conversely, cybercriminals are looking for a payoff and are more than happy to find high-value targets anywhere within an organisation to extort their owners. While there may have been a wide gap in the past, the skills, backing, and training between the two are narrowing.

WHAT TO DO: Define your critical protection surfaces. Not all systems and components are created equal. Begin by identifying the most critical surfaces and grow to incorporate additional surfaces over time.

Within OT, this may be a bank of Windows machines that allow for remote access into a PLC segment where third-party lateral connections are established for maintenance and support. Within IT, these may be north-south assets that allow for pivoting from IT into OT, especially if IT connections to the Internet are present.

2. Intelligence collecting on the target system: 

It is widely known that information about both OT systems and IT technologies is widely known. Publicly available documentation on both IT and OT systems and components are not hidden, including default admin credentials.

WHAT TO DO: Never allow for default admin credentials to reside on any asset and continually rotate passwords.

3. Developing techniques and tools: 

Adversaries can be quite resourceful, especially with readily available tools on the dark web. Presuming devices are secured because they run proprietary protocols is a zero-sum game as tools are readily available to exploit IT and OT systems.

APT actors have also developed tools to scan for, compromise, and control certain Schneider Electric PLCs, OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

WHAT TO DO: Acknowledge that standalone, islanded networks are few and far between. Do not presume a posture of security by obscurity. Monitor application usage and ICS traffic to include authorised user access and behavioural anomalies.

4. Gain initial access:

Most modern control systems have remote access capabilities that allow third-party vendors and integrators into the systems, as well as work-from-home, remote access and the supply chain. Oftentimes, these points of access into the network are attack vectors for cyber actors. Matters get worse when we add wireless access points to the mix that attract local actors into the fray.

WHAT TO DO: Audit all third-party access. Ensure the ability to pivot to high-value targets is non-existent. Take advantage of VLAN technologies to create safe holding pens for devices as they are introduced into your network prior to introducing them into the production network. Look for devices with multiple NICs attaching to differing networks, creating bridges from ‘A to B’.

5. Execution: 

The disruption, disabling, denying, and/or destruction of the system, to achieve intended results. This might include the degradation of the monitoring of a target system (Manipulation of View [T0832] ), operation of the control system (Manipulation of Control [T0831]), SCADA impairment (Block Reporting Message [T0804], Denial of View [T0815]), denial of control (Denial of Control [T0813]), or Theft of Operational Information [T0882]).

WHAT TO DO: Monitor industrial control commands and anomalous behaviours coming from unauthorised machines, unauthorised users, commands occurring outside of change control, and multiple reset, errors, and mode changes in critical infrastructure.

As system owners and operators, we cannot prevent a malicious actor from targeting our systems. Understanding that being targeted is not an “if” but a “when” is essential. By assuming that the system is being targeted and predicting the effects that a malicious actor would intend to cause we can employ and prioritise mitigation actions.

It all starts with identifying the initial system and all its sub-components within a protected surface. Once we find success, repeating across the broader OT landscape gets easier each time.