(Eduard Kovacs – SecurityWeek) – US government agencies have shared a new cybersecurity resource that can help organizations defend critical control systems against threat actors.
Industrial control systems (ICS) and other operational technology (OT) systems can be a tempting target for state-sponsored threat actors, profit-driven cybercriminals and hacktivists. These devices are often left unprotected and hacking them could have serious consequences, including physical damage and loss of life.
The NSA and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) have been publishing resources to help potentially targeted organizations address the vulnerabilities that expose them to such attacks, and the two agencies have now released another advisory, one focusing on how threat actors plan and execute their attacks against critical infrastructure control systems.
The joint advisory describes the five typical steps involved in planning and executing such an attack. The agencies believe that understanding threat actors’ tactics, techniques, and procedures (TTPs) can be useful for implementing protections and countering adversaries.
In the first phase, threat actors establish the intended effect and select a target. For instance, cybercriminals can target ICS/OT for financial gain, while state-sponsored actors do it for political and/or military objectives. The goals can include causing damage or destruction.
“For example, disabling power grids in strategic locations could destabilize economic landscapes or support broader military campaigns. Disrupting water treatment facilities or threatening to destroy a dam could have psychological or social impacts on a population,” the agencies warned.
In the second phase, the attackers collect intelligence on the targeted systems. This can be done through open source research, insider threats, or after compromising IT networks and using that access to obtain ICS-related information.
The attackers then use the collected information to develop techniques and tools that will help them achieve their goals.
In the last two phases, the attackers gain initial access to the targeted system and use the aforementioned tools and techniques to achieve the intended effect.
“They could open or close breakers, throttle valves, overfill tanks, set turbines to over-speed, or place plants in unsafe operating conditions. Additionally, cyber actors could manipulate the control environment, obscuring operator awareness and obstructing recovery, by locking interfaces and setting monitors to show normal conditions. Actors can even suspend alarm functionality, allowing the system to operate under unsafe conditions without alerting the operator. Even when physical safety systems should prevent catastrophic physical consequences, more limited effects are possible and could be sufficient to meet the actor’s intent. In some scenarios though, if an actor simultaneously manipulates multiple parts of the system, the physical safety systems may not be enough. Impacts to the system could be temporary or permanent, potentially even including physical destruction of equipment.”
The advisory also includes some recommendations, including limiting exposure of information that can be useful to an attacker, identifying and securing remote access points, limiting access to network and control system tools and scripts, conducting regular security audits, and implementing a dynamic network environment.
The advisory, titled Control System Defense: Know the Opponent, is available on CISA’s website and as a PDF.
NSA, CISA Explain How Adversaries Plan and Execute ICS/OT Attacks
A joint advisory describes five typical steps involved in planning and executing an attack on Industrial control systems (ICS) and other operational technology (OT) systems
Russia-Linked Pipedream/Incontroller ICS Malware Designed to Target Energy Facilities
A modular ICS attack framework and a collection of custom-made tools, can be used by threat actors to target ICS and SCADA devices, including programmable logic controllers (PLCs) from Schneider Electric and Omron, and OPC UA servers.
MITRE Releases ATT&CK Knowledge Base for Industrial Control Systems
(Eduard Kovacs - SecurityWeek) MITRE on Tuesday announced the initial release of a version of its ATT&CK knowledge base that covers the tactics and techniques used by malicious actors when targeting industrial control systems (ICS). MITRE’s ATT&CK framework has been widely used by cybersecurity professionals to describe and classify attacker behavior and assess an organization’s risks. The new ATT&CK for ICS knowledge base builds upon it in an effort to help critical infrastructure and other organizations whose environments house ICS. In addition to a
Jennifer Leggio Joins Claroty as Chief Marketing Officer
Industrial cybersecurity firm Claroty announced that Jennifer Leggio has taken the role of Chief Marketing Officer (CMO) at the company.
Leadership, Security, and Support at the Clinton White House (Video)
Presented at SecurityWeek's 2018 ICS Cyber Security Conference How would you handle leadership in this the most stressful Chief Information Officer (CIO) job in the World – being the CIO at The White House? Colonel Gelhardt answers this question, and talks about the leadership and mentorship he used and how you can use the same skills in the civilian world. If he can do it so can you! Speaker: Colonel Mark Gelhardt - Former CIO for President Clinton
Exfiltrating Reconnaissance Data from Air-Gapped ICS/SCADA Networks By Injecting Ladder Logic Code into PLCs
Presented first at SecurityWeek's 2017 ICS Cyber Security Conference, this presentation explains how to inject specially-crafted ladder logic code into a Siemens S7-1200 PLC. The code uses memory copy operations to generate frequency-modulated RF signals slightly below the AM band (340kHz-420kHz), with the modulation representing encoded reconnaissance data. The signal can then be picked up by a nearby antenna and decoded using a low-cost Software-Defined Radio (SDR) and a PC. The receiving equipment can be located just outside the facility
The Growing Threat of Drones
Drones are an increasing threat to industrial sites, enabling various attacks (cyber and physical) that historically were only possible in close proximity to a facility or device.
Cisco to Acquire OT Cybersecurity Firm Sentryo
Cisco on Thursday announced that it has agreed to acquire privately-held operational technology (OT) cybersecurity firm Sentryo for an undisclosed sum. Founded in 2014 and headquartered in Lyon, France, Sentryo, provides device visibility and security solutions for industrial control system (ICS) networks and OT assets. “Sentryo’s industrial IoT/OT technology solution helps companies like those in the energy, manufacturing, oil and gas and transportation sectors ensure the resilience of their industrial networks and protect against cybersecurity attacks,” said Rob Salvagno, VP Global Corporate Development at
Ransomware Attack Costs Aluminum Giant Norsk Hydro Tens of Millions of Dollars
(Eduard Kovacs - SecurityWeek) - Norwegian aluminum giant Norsk Hydro lost $35-41 million in the first quarter of 2019 as a result of the ransomware attack and expects additional losses of $23-29 million in the second quarter. A piece of file-encrypting ransomware named LockerGoga started infecting Norsk Hydro systems on March 18. The attack caused disruptions at several of the company’s plants, forcing workers to rely on manual processes. Hydro has been highly transparent regarding the impact of the incident. It claimed
NIST Working on IIoT Security Guide for Energy Companies
(Eduard Kovacs - SecurityWeek) - The U.S. National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), this week announced that it’s working on a project whose goal is to help the energy sector secure industrial Internet of Things (IIoT) systems. A draft of the project was published on Monday and the NCCoE is hoping to get some feedback until June 5 that would help it “refine the challenge and scope.” Industrial IoT Security Guide From NIST Designed to