No discussion on ICS attacks could be complete without talking about what some would call, ‘the elephant in the room.’
Critical infrastructure has always been a target for warfare, and modern ICS are no exception. Several high-profile ICS disruptions have in fact been attributed to malicious hackers working at the behest of a military or intelligence agency.
Looking at Examples of APTs
The potential impact of a wartime ICS cyber incident is hard to understate. ICS war games such as the Aurora Generator Test in 2007 have demonstrated that skilled attackers can cause lasting physical damage to industrial equipment. In that case, simulated attackers rapidly opened and closed protective relays out of sync with the attached diesel generators and ultimately caused the generator to tear itself apart, leaving behind a smoking pile of rubble.
Apart from endangering the physical safety of plant workers, this type of attack could lead to cascading failures lasting for a prolonged period. Attacks could create long-term disruption of electricity, water, fuel, and other municipal services. Attackers may also create industrial accidents jeopardizing the safety of plant workers as well as those in served communities. Whether it is losing heat during the cold Ukrainian winter or excessive pressure on natural gas lines leading into people’s homes, there is a strong potential for loss of life in the wake of a sophisticated ICS attack.
Even without destroying generators, determined adversaries can keep a power grid down for an extended period by using destructive malware to wipe IT machines and even firmware modules used for remote serial data access. Malware has been discovered in the wild with communication capabilities using major industrial protocols. Once the malware has gained access to an OT network, there is typically no need for further exploitation because the industrial protocols largely fail to require authentication or protect against spoofing/replay attacks. All that is needed is a qualified technician and a plan to achieve the intended objective. Nation-state attackers are well-suited to this, as they are among the few attack groups with the capability to acquire and study targeted industrial equipment or processes.
Disruption is a common goal for government hackers targeting a control system, but there are a variety of ways in which this can be carried out to achieve different objectives.
Stuxnet, for example, was apparently introduced to an air-gapped network through an infected USB device, and then it used this access to quietly alter plant operations so that equipment would misbehave. All the while, reporting through the HMI would indicate it was performing normally. The resulting failures depleted resources at the targeted nuclear plant by causing repeated component failures.
ICS attacks in Ukraine and Estonia, on the other hand, have not been so discrete. In some cases, plant technicians watched helplessly as their mouse pointers moved across the screen closing critical circuit breakers one at a time. Some of the attacks went further by wiping or otherwise destroying firmware on critical controls needed to remotely restore service. To handle these conditions, technicians must be able to fall back to the “old school” analog instruments and controls needed to bring the system back online. Highly automated environments may struggle more to restore access in this scenario as the systems are further removed from their analog heritage.
It’s easy for anyone following the headlines to become overwhelmed with concern about APT. In just the past year, we have learned about intrusions into untold numbers of networks including many highly guarded corporate and government networks. A well-resourced APT has nearly unlimited entry points to a network, and it is important for defenders to be familiar with the common tactics, techniques, and procedures (TTPs) of various threat groups. Resources like ATT&CK and D3FEND allow organizations to learn about known adversaries and how they operate. This is critical for making informed decisions on how to not only reduce the risk of intrusion but also impede an attacker’s lateral movement while increasing the defender’s chances for detection.
Read more in The Next Disruptive ICS Attacker Series:
The Next Disruptive ICS Attack: 3 Likely Sources for Major Disruptions
The Next Disruptive ICS Attacker: A Disgruntled Insider?
The Next Disruptive ICS Attacker: A Ransomware Gang?
The Next Disruptive ICS Attacker: An Advanced Persistent Threat (APT)?
The Next Disruptive ICS Attacker: Only Time Will Tell