"On a scale of one to 10, with 10 being strongly defended, our critical infrastructure's preparedness to withstand a destructive cyber attack is about a three based on my experience."
Statistics seem to support Mr. Alexander's statement. According to the 2016 Industrial Cyber Security Threat Briefing by consulting firm Booz Allen Hamilton:
- 34% of survey respondents admitted that their ICS was breached more than twice in the last 12 months.
- 44% were unable to identify the source of the attack.
- The US power grid was struck by cyber or physical attacks every 4 days.
- No suspects were identified in 300+ attacks on electrical infrastructure since 2011.
Attack Vectors
The threat actors were the usual suspects: malicious insiders, nation-state groups and hacktivists. The briefing also identifies the attack vectors, that is, the entry points through which those actors got in:
- Physical (facility or plant) compromise
- Supply chain weaknesses
- Internet-connected critical infrastructure
- Malicious Insiders
- Regulatory blind spots
Campaigns
The attacks on power utilities are not random occurrences. The sophistication and the system knowledge required to disrupt operations show that these are targeted attacks combining several tactics, including ransomware, malware and third-party supply chain entry points. Some of the campaigns reported were:
- Ransomware (Cryptolocker)
- Malware (BlackEnergy, Conficker, Ramnit)
- Physical, such as Pacific Gas & Electric's Metcalf substation
- Supply chain (Dragonfly/Energetic Bear, which trojanized legitimate ICS vendor software downloads)
- ICS Firmware Updates
- Device drivers
- Infrastructure Management Services
Trends
While researching, I also observed some interesting trends, including increases in SCADA Access-as-a-Service (SAaaS) and HMI attacks, as well as active exploitation of vulnerable codebases. There have also been instances of non-destructive intellectual property theft, and the ever-growing ransomware threat is now targeting ICS operators. According to Booz Allen's briefing, ransomware samples increased from fewer than 100K in Q2 2014 to 6 million in Q4 2015. The infamous CryptoWall ransomware generated more than $300 million in revenue in 2015. Critical infrastructure is clearly a target. Below is a list of countermeasures, top lessons learned from past attacks, and best practices that can be used to improve the security of your industrial environment.
Lessons Learned from the Ukrainian Hack (December 2015)
- Use sandboxing to detonate incoming documents and email attachments before they reach users; the intrusion began with spear-phishing and macro-laden Office documents.
- Use proxies to control outbound and inbound communication paths.
- Limit workstations to communicating only through the proxy devices by implementing perimeter egress access controls.
- Implement continuous monitoring of ICS/SCADA devices to quickly detect anomalous activity.
- Apply network segmentation and require multi-factor authentication for all systems containing sensitive data, including the VPN used for remote access into the control network.
- Disable remote access to UPS systems; the attackers used remote UPS management to schedule power cuts to the utilities' data centres and call centres.
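The proxy-only egress control above is only as good as the monitoring that confirms it is holding. Below is an added example (not code from the original post or from any vendor) that turns that lesson into a detection: it parses a perimeter firewall's connection log and reports workstations that reached the internet without going through the proxy (an over-permissive allow rule) and workstations that tried and were blocked, which is what a beaconing implant looks like from the firewall. The subnets, proxy and resolver addresses and every log line are constructed for illustration.

```python
"""Egress-policy monitor over firewall logs (added example, constructed data)."""
import ipaddress
import re

# Assumed site layout, constructed for this example.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
SANCTIONED = {("10.1.1.10", 3128), ("10.1.1.53", 53)}  # proxy, internal resolver

# RFC 1918 ranges. Python's IPv4Address.is_private also treats the
# documentation ranges used in the sample log as private, so test
# against an explicit list instead of relying on that attribute.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)"
)


def parse_line(line):
    """Return a dict for a key=value log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(ev):
    """Return 'bypass', 'attempt' or None for one parsed event."""
    if ipaddress.ip_address(ev["src"]) not in WORKSTATION_NET:
        return None  # the proxy-only rule applies to the workstation VLAN
    if (ev["dst"], ev["dport"]) in SANCTIONED:
        return None
    if is_internal(ev["dst"]):
        return None  # east-west traffic is governed by the segmentation rules
    # A workstation talking to a non-RFC1918 address that is not the proxy.
    return "bypass" if ev["action"] == "allow" else "attempt"


def find_violations(lines):
    """Return a list of (src, dst, dport, verdict) for lines that break the policy."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines (heartbeats, banners) are skipped
        verdict = classify(ev)
        if verdict:
            hits.append((ev["src"], ev["dst"], ev["dport"], verdict))
    return hits


# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for internet addresses.
SAMPLE_LOG = [
    "2016-03-01T10:00:01Z src=10.20.5.12 dst=10.1.1.10 dport=3128 proto=tcp action=allow",
    "2016-03-01T10:00:02Z src=10.20.5.12 dst=10.1.1.53 dport=53 proto=udp action=allow",
    "2016-03-01T10:00:05Z src=10.20.5.12 dst=10.30.0.7 dport=502 proto=tcp action=allow",
    "2016-03-01T10:01:10Z src=10.20.5.40 dst=203.0.113.8 dport=443 proto=tcp action=allow",
    "2016-03-01T10:01:11Z src=10.20.5.40 dst=198.51.100.20 dport=6667 proto=tcp action=deny",
    "2016-03-01T10:02:00Z src=10.1.1.10 dst=203.0.113.8 dport=443 proto=tcp action=allow",
    "2016-03-01T10:02:30Z heartbeat from fw01",
]

if __name__ == "__main__":
    for src, dst, dport, verdict in find_violations(SAMPLE_LOG):
        print(f"{verdict:7s} {src} -> {dst}:{dport}")
```

Run against the sample, the script reports one "bypass" (10.20.5.40 reached 203.0.113.8:443 directly, so a firewall rule is too loose) and one "attempt" (the same host was blocked reaching 198.51.100.20:6667, which deserves a look at that workstation rather than being dismissed as a correctly blocked packet). The proxy's own outbound traffic and the Modbus session to another internal host are left alone on purpose; they belong to other controls.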
Lessons Learned from the Front Lines:
- Go back to the basics with the SANS Top 20 Critical Security Controls (now maintained by CIS as the CIS Controls). AuditScripts has free resources to help measure progress against the controls.
- Apply the CIS Benchmarks to harden systems.
- Implement enhanced monitoring on systems at the centre of trust relationships, such as domain controllers and jump hosts.
- Segment using an established framework, such as the ISA-99/IEC 62443 zone and conduit model built on the Purdue reference architecture.
- Don't allow local drive redirection into Citrix infrastructure. Client drive mapping presents the user's local drives inside the virtual session, so an infected endpoint gets a write path into the interior environment and becomes a conduit for infecting it.
- Disallow direct internet connectivity to critical infrastructure components wherever possible.
- Disallow PLC updates directly from the internet; stage firmware on an isolated host and verify it against the vendor's published checksum or signature before it touches a controller.
- Monitor critical file changes, including security application and operating system files. (Tripwire is an excellent tool for this!)
- Use change detection to get alerts when security services are turned off. (Tripwire is an excellent tool for this, too!)
- Understand hidden Active Directory attack paths using BloodHound, the tool presented as "Six Degrees of Domain Admin".
- Provide ongoing awareness training to employees and contractors.
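The two change-detection items in the list above (critical file changes, and alerts when security services are turned off) are the same mechanism applied to two kinds of state: take a baseline snapshot, take another later, and diff them. The following is an added example of that mechanism; it is not Tripwire's code and not from the original post. It snapshots a directory tree as SHA-256 digests and a set of service states (captured by whatever the platform offers: systemctl, sc.exe, an agent) and reports additions, removals and modifications. The directory contents, file names and service names are constructed for illustration.

```python
"""Baseline-and-diff change detection for files and services (added example)."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_files(root):
    """Return {relative_path: sha256} for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = sha256_of(full)
    return snap


def diff_snapshots(baseline, current):
    """Return (added, removed, changed) keys between two {key: value} maps."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return added, removed, changed


# Services that must stay running; an alert fires if one of them changes
# state or disappears from the snapshot. Names are constructed.
REQUIRED_RUNNING = {"auditd", "fim-agent", "endpoint-av"}


def service_alerts(baseline_states, current_states):
    """Alert strings for required services that stopped or vanished."""
    _added, removed, changed = diff_snapshots(baseline_states, current_states)
    alerts = [f"{s}: {baseline_states[s]} -> {current_states[s]}"
              for s in changed if s in REQUIRED_RUNNING and current_states[s] != "running"]
    alerts += [f"{s}: removed" for s in removed if s in REQUIRED_RUNNING]
    return alerts


def file_demo():
    """Baseline a constructed tree, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        files = {"etc/hmi.conf": b"poll_interval=5\n",
                 "bin/old.bin": b"\x7fELF old",
                 "etc/av.policy": b"realtime=on\n"}
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = snapshot_files(root)

        # Tamper: edit a config, delete a binary, plant a new file.
        with open(os.path.join(root, "etc", "hmi.conf"), "ab") as f:
            f.write(b"allow_remote_write=1\n")
        os.remove(os.path.join(root, "bin", "old.bin"))
        with open(os.path.join(root, "etc", "cron.hourly"), "wb") as f:
            f.write(b"# planted\n")
        return diff_snapshots(baseline, snapshot_files(root))


# Constructed service-state snapshots: one required service stopped,
# one required service gone, one non-required service stopped (ignored).
SERVICES_BASELINE = {"auditd": "running", "fim-agent": "running",
                     "endpoint-av": "running", "cups": "running"}
SERVICES_NOW = {"auditd": "stopped", "fim-agent": "running", "cups": "stopped"}

if __name__ == "__main__":
    added, removed, changed = file_demo()
    print("added:", added, "removed:", removed, "changed:", changed)
    for alert in service_alerts(SERVICES_BASELINE, SERVICES_NOW):
        print("ALERT", alert)
```

The baseline is the part that needs protecting: store it off-host (or at least read-only), because an attacker who can rewrite both the file and its recorded hash defeats the check. A production tool also records ownership, permissions and timestamps alongside the digest and watches the service list continuously rather than at the next scheduled run.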