Image
"On a scale of one to 10, with 10 being strongly defended, our critical infrastructure's preparedness to withstand a destructive cyber attack is about a three based on my experience."Statistics seem to support Mr. Alexander’s statement. According to the 2016 Industrial Cyber Security Threat Briefing by consulting firm Booz Allen Hamilton:
- 34% of survey respondents admitted that their ICS was breached more than twice in the last 12 months.
- 44% were unable to identify the source of the attack.
- The US power grid was struck by cyber or physical attacks every 4 days.
- No suspects were identified in 300+ attacks on electrical infrastructure since 2011.
Attack Vectors
The threat actors were the usual suspects: malicious insiders, nation state groups and hacktivists. The attack vectors provided additional context into the origin of the entry points for exploits, including:- Physical (facility or plant) compromise
- Supply chain weaknesses
- Internet-connected critical infrastructure
- Malicious Insiders
- Regulatory blind spots
Campaigns
The attacks on power utilities are not random occurrences. The sophistication and knowledge of systems required to successfully disrupt operations illustrate that these are targeted attacks using a combination of tactics, including ransomware, malware and third-party supply chain entry points. Some of the campaigns reported were:- Ransomware (Cryptolocker)
- Malware (BlackEnergy, Conficker, Ramnit)
- Physical, such as Pacific Gas & Electric's Metcalf substation
- Supply chain (Dragonfly/Energetic Bear)
- ICS Firmware Updates
- Device drivers
- Infrastructure Management Services
Trends
While researching, I also observed some interesting trends, including increases in SCADA Access-as-a-Service (SAaaS) and HMI attacks, as well as active exploits against vulnerable codebases. There have also been instances of non-destructive intellectual property theft and the ever-growing ransomware threat targeting ICS operators. According to Booz Allen's briefing, ransomware samples increased from less than 100K in Q2 2014 to 6 million in Q4 2015. The infamous Cryptowall ransomware generated more than $300 million in revenue in 2015. Critical infrastructure is clearly a target. Below is a list of countermeasures, top lessons learned from past attacks, and best practices that can be used to improve the security of your industrial environment.Lessons Learned from Ukrainian Hack
- Sandbox tech to evaluate incoming documents and emails.
- Use proxies to control outbound and inbound communication paths.
- Limit workstations to communicate only through the proxy devices by implementing perimeter egress access controls.
- Implement continuous monitoring of ICS/SCADA devices to quickly detect anomalous activity.
- Apply network segmentation and multi-factor authentication on all systems containing sensitive data.
- Disable remote access to UPS systems.
Lessons Learned from the Front Lines:
- Go back to the basics with the SANS Top 20 Critical Security Controls. Audit Scripts has free resources to help measure progress against the controls.
- Apply CIS Standards to harden systems.
- Implement advanced monitoring on systems with trusted relationships.
- Segment using established framework, such as ISA-99 (Purdue Model).
- Don’t allow local drive redirection into Citrix infrastructure. VDI reflects local drives off machines, exposing interior infrastructure to a local machine, making it a conduit to infect environment.
- Disallow direct internet connectivity to CI components when possible.
- Disallow PLC updates directly from the internet.
- Monitor critical files changes, including security application and operating system files. (Tripwire is an excellent tool for this!)
- Use change detection to get alerts when security services are turned off. (Tripwire is an excellent tool for this, too!)
- Understand hidden AD activity using 6 degrees of domain admin.
- Provide ongoing awareness training to employees and contractors.
Image
