"Major stories would be picked up for a simple infection in an ICS as if these were extremely unique. The public metrics, as an example, tend to point to either very high (500,000+ cyber attacks) or very low (ICS-CERT’s ~260 incidents per year) counts of non-targeted intrusions and malware infections. The ICS-CERT’s numbers are far more respectable, but each year that they identify the attack vectors you will see that the #1 attack vector is 'Unknown', followed by the #2 attack vector of 'spear phishing'. But we don’t have a lot of email servers in industrial environments (hopefully none). What the metrics are really saying is that when an infection is actually seen, it’s because it comes in through the business networks; otherwise we simply do not know how it got there as a community (although there are some industry leaders doing very well)."

To close this gap in the community's knowledge, Lee thought it would be useful to develop metrics that defenders of industrial control systems could use to secure them. Ben Miller, director of the Dragos Threat Operations Center, ran with this idea by analyzing data on ICS security incidents. He made some important discoveries along the way. These are as follows:
1. Non-Targeted Malware Is Prolific

Miller's efforts revealed approximately 30,000 samples of malicious files capable of infecting ICS environments. Some spread quickly once inside an ICS environment; others give an attacker remote access to any environment that is reachable from the Internet. On average, non-targeted malware strikes 3,000 industrial sites a year.
2. ICS Targeted Intrusions Are Rare

Stuxnet, Havex, and BlackEnergy2 are the only ICS-tailored malware families whose attacks have gained public attention, and only about 12 ICS-targeted intrusions have been documented. Dragos is currently investigating one of those dozen events. As Lee describes it:
"Starting in 2013 there were submissions from an ICS environment in the US for Siemens programmable logic controller (PLC) control software. The various anti-virus vendors were flagging it as a false positive initially and then eventually as a basic piece of malware. Upon our inspection, we found variations of this file and Siemens theme 10 times over the last 4 years, with the most recent flagging of this malicious software being this month in 2017. In short, there has been an active infection for the last 4 years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software. The malware is simply crimeware but has seemingly been effective."
3. Industrial Organizations Could Improve Their OPSEC

Finally, Miller found that IT security tools with no knowledge of ICS software flag legitimate ICS files as suspicious and, in the process, submit them to shared malware databases. Anyone with access to those databases, adversaries included, can then download the files and use them to develop attacks against industrial organizations. In total, he found 120 project files, along with reports and substation layouts, on databases like VirusTotal.
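The leakage Miller describes comes from endpoint tools that upload "unknown" files wholesale. The Python script below is an added example, not Dragos or Tripwire code. It inventories engineering files by extension (the vendor file-type list is an assumed, illustrative one, not exhaustive), hashes them locally, and shows the OPSEC-preserving alternative to an upload: a hash-only lookup against VirusTotal's v3 `GET /api/v3/files/{hash}` endpoint, which only asks whether the file is already known. The sample files it creates are constructed stubs, and the network lookup runs only if a `VT_API_KEY` environment variable is set.

```python
"""Inventory ICS engineering files and check them by hash, never by upload.

Added example; not code from Dragos or the article's author. Assumptions:
  - ICS_PROJECT_EXTENSIONS is an illustrative list, extend it per vendor.
  - VirusTotal v3 hash lookup: GET https://www.virustotal.com/api/v3/files/{sha256}
    with an x-apikey header; 404 means the hash is not in VirusTotal.
"""
import hashlib
import os
import re
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

# Assumed, illustrative extensions of engineering/project files that leak when an
# endpoint tool auto-submits anything it does not recognise. Extend for your vendors.
ICS_PROJECT_EXTENSIONS = {
    ".s7p": "Siemens STEP 7 project",
    ".acd": "Rockwell Studio 5000 / RSLogix 5000 project",
    ".l5k": "Rockwell Logix text export",
    ".l5x": "Rockwell Logix XML export",
    ".stu": "Schneider Unity Pro project",
    ".xef": "Schneider Unity Pro XML export",
}
# TIA Portal projects carry the Portal version in the suffix (.ap13, .ap15, ...).
TIA_PORTAL_SUFFIX = re.compile(r"^\.ap\d{2}$", re.IGNORECASE)

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def classify(path: Path):
    """Return a description if the file looks like an ICS engineering artifact, else None.
    Extension-based only: reports and drawings (PDF etc.) need content inspection."""
    suffix = path.suffix.lower()
    if suffix in ICS_PROJECT_EXTENSIONS:
        return ICS_PROJECT_EXTENSIONS[suffix]
    if TIA_PORTAL_SUFFIX.match(suffix):
        return "Siemens TIA Portal project"
    return None


def sha256_of(path: Path) -> str:
    """Hash the file locally; the hash is the only thing that should leave the site."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path):
    """Walk root and record every recognised ICS project file with its SHA-256."""
    records = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        kind = classify(path)
        if kind is None:
            continue
        records.append({"path": path.relative_to(root).as_posix(),
                        "kind": kind, "sha256": sha256_of(path)})
    return records


def exclusion_candidates(records):
    """Extensions seen in the inventory: the starting point for the
    'which files are legitimate' conversation with the IT security team."""
    return sorted({Path(r["path"]).suffix.lower() for r in records})


def hash_lookup_request(sha256: str, api_key: str):
    """Build (but do not send) a hash-only VirusTotal lookup: URL and headers.
    Nothing about the file's content is transmitted, only its hash."""
    return VT_FILES_URL + sha256, {"x-apikey": api_key}


def vt_hash_known(sha256: str, api_key: str) -> bool:
    """True if VirusTotal already holds the file (someone uploaded it), False on 404."""
    url, headers = hash_lookup_request(sha256, api_key)
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15):
            return True
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def build_sample_tree() -> Path:
    """Constructed sample data: stub files, not real vendor project files."""
    root = Path(tempfile.mkdtemp(prefix="ics-inv-"))
    (root / "plc").mkdir()
    (root / "plc" / "pump_station.s7p").write_bytes(b"constructed STEP 7 project stub")
    (root / "plc" / "line1.ACD").write_bytes(b"constructed RSLogix project stub")
    (root / "plc" / "hmi_v2.ap15").write_bytes(b"constructed TIA Portal project stub")
    (root / "substation_layout.pdf").write_bytes(b"constructed drawing")  # not matched by extension
    (root / "notes.txt").write_bytes(b"constructed notes")
    return root


if __name__ == "__main__":
    found = inventory(build_sample_tree())
    for rec in found:
        print(f"{rec['sha256'][:16]}...  {rec['kind']:<42} {rec['path']}")
    print("extensions to discuss with IT:", exclusion_candidates(found))
    key = os.environ.get("VT_API_KEY")
    if key:
        for rec in found:
            print(rec["path"], "already on VirusTotal:", vt_hash_known(rec["sha256"], key))
    else:
        print("hash-only lookup would be:", hash_lookup_request(found[0]["sha256"], "<api-key>")[0])
```

A hash found on VirusTotal is itself a finding: it means the project file has already left the site, and the question becomes which tool submitted it and what else went with it.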
ICS Security Going Forward

Miller's findings are cause for concern, but only to a certain extent. To respond to the trends he identified, organizations can apply established practices: continuous monitoring of the ICS network, awareness of what their security software does with the files it collects, and an ongoing dialogue with their IT security teams about which files are legitimate. Industrial companies should also recognize that technological innovation is increasingly pulling IT and OT together. Rather than fight this trend, they should embrace it and help the two teams converge and work together to defend against digital attackers. If you are interested in learning more about industrial cyber security, you can download our new e-book, “Industrial Cyber Security For Dummies,” here.