SecurityWeek’s ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions.


On September 10, 2015, during testimony to the House Select Committee on Intelligence, U.S. Director of National Intelligence James R. Clapper stated that “Politically motivated cyber-attacks are now a growing reality, and foreign actors are reconnoitering and developing access to U.S. critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile.”  Clapper further noted that “Russian cyber-actors are developing means to remotely access industrial control systems (ICS) used to manage critical infrastructures.…Russian actors successfully compromised the product supply chains of at least three ICS vendors such that customers downloaded malicious software (malware) designed to facilitate exploitation directly from the vendors’ websites along with legitimate software updates…”[1]

One thing that notorious threats such as Stuxnet and Duqu have shown us is that ICS are increasingly at risk as high-profile targets for cybercrime syndicates and hostile nation-state attackers. The reason?  ICS are necessary components of critical infrastructure, linked to fundamental systems that control our power, water, transportation, gas and electricity operations.

Attacks on ICS can result in costly outages and disruptions that range from inconvenient to potentially fatal. Yet, unfortunately, many of these systems rely on aging legacy security solutions and are ill-equipped to deal with today’s sophisticated threats. What’s more, critical infrastructure needs to sustain almost 100 percent availability, making security implementations and lengthy threat-detection activities even more challenging.

Typical industrial facilities, such as power plants, automotive, aerospace and pharmaceutical manufacturing, and water and wastewater management systems, among others, are embedded throughout with numerous ICS-controlled processes. This highly connected infrastructure exposes the most vulnerable devices to some of the most dangerous attackers.

Many believe that ICS networks are separate from corporate information technology networks.  Unfortunately, this belief is often wrong.  Data from ICS networks is required by corporate IT infrastructure and vice versa in order for these interconnections to be sustained.  “In conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the supervisory control and data acquisition (SCADA) system or energy management system separated from the enterprise network,” according to Sean McGurk, National Cybersecurity and Communications Integration Center director, in his May 2011 testimony. He continues, “On average, we see 11 direct connections between those networks, and in some extreme cases, we have identified up to 250 connections between the actual producing network and the enterprise environment.”

In light of this enhanced connectivity, modern attackers are now regularly armed with sophisticated technologies and an understanding of IT systems as well as ICS networks and their target’s manufacturing processes.

Weaknesses in our ICS Infrastructure

These common and highly visible vulnerabilities and attack vectors are repeatedly the source of system compromise.

  • Known, documented ICS controller and software vulnerabilities

  • Connections with internal corporate networks for accessing manufacturing or financial systems

  • Use of unauthorized software installed on ICS components, servers and workstations

  • Use of USB memory to load infected maintenance software

  • Use of laptops from another network on the ICS network

  • Contractors with compromised and/or insecure devices

  • Employees who violate policies to access infected Websites

  • Employees who have been socially engineered into a compromise in conjunction with the above attack vectors

ICS systems are often much harder to install and maintain than traditional corporate computing resources. For one, they are often leveraged in extreme environmental conditions.  What’s more, they often rely on older, outdated operating systems that are missing critical updates or have other known deficiencies. In addition, traditional defense-in-depth cyber-security software may be inadequate, as ICS components cannot be easily scanned or monitored. And because updates cannot be conducted via a network, manually updating cyber-security software can also introduce new malware.

Best Practices Can Reduce Risk

Industry wisdom shares many security best practices that can minimize risk.  These include:

  • Validating upgrades to all of the ICS to the manufacturer’s requirements for cyber defense.

  • Questioning your vendors. Many vendors have been slow to mitigate risks within their architectures.  If you see weaknesses, identify them and ask your vendors to deliver meaningful solutions.

  • Planning to rapidly migrate to newer technology and budgeting it as a necessary cost of business if your ICS network relies on older Microsoft or proprietary operating systems.  While many ICS are designed with a system life ranging from 15 to 20 years, older systems may not be able to accommodate the rapidly changing cyber environment we face today. [2]

  • Implementing “air gaps” for increased defense.  To the greatest extent possible, minimize network connections and the use of USB memory sticks and DVD drives.  Use completely isolated stand-alone systems in the air gap to scan software update deliverables in a test or quasi-production environment.

  • Hiring a top-notch consulting firm to review software update deliverables once or twice a quarter prior to installation in the production network.  Make sure your team can analyze both static and dynamic memory dumps as a routine, course-of-business process.  This is much more than 99 percent of the industry does today, but assume at some point this gap will be breached and plan your response accordingly.

  • Being aware of the U.S. Nuclear Energy Institute (NEI) NEI-08-09 guidance if you are with a critical installation such as a nuclear plant.  Rule NRC-5.71 shuts down interactive remote user access to nuclear generator control system networks.  All of us should think that way.

  • Absolutely limiting use of ICS networks to essential operations.  That should entail no other access to ICS workstations and monitors and no external Internet browser access.  Assume these policies will fail and plan accordingly.

  • Minimizing activity within ICS systems to only essential operations and ‘white listing’ the files required for operation within these systems. This can work in conjunction with ‘black list’ technologies such as anti-virus software.  A sophisticated attacker will research the necessary files in a system beforehand in order to execute an attack.  A ‘white list’ is an excellent tactic but no guarantee of safety.

  • Preferring products with signed software to further minimize attack vectors.

  • Identifying all embedded passwords anyplace within your ICS architecture.  Let your manufacturer know that these are unacceptable and ask for a plan of remediation.

  • Utilizing two-factor authentication within your ICS networks to the greatest extent practical.

  • Assuming you will be breached and augmenting your defense-in-depth suite with tools that include deception technology.  This can reduce the time to breach detection and add a significant layer of protection to your networks.
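The ‘white list’ bullet above, together with the earlier advice to check update deliverables before they reach the production network, can be made concrete with a file-integrity allowlist. The following is an added example, not code from this article or from TrapX: it records SHA-256 digests of a known-good workstation image (or an approved update deliverable), then audits the same tree and reports files that were modified, added without approval, or removed. The directory layout, file names and contents are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(root):
    """Snapshot every file under root as {relative path: sha256}.

    Run this against a known-good ('golden') image or an approved update
    deliverable, and keep the result where the audited host cannot rewrite it.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def audit(root, allowlist):
    """Compare the files under root with the allowlist and bucket every path.

    approved: listed and the hash matches
    modified: listed, but the content differs (patched or infected binary)
    unknown : present on disk but not listed (unauthorized software)
    missing : listed but absent (a required file was deleted)
    """
    root = Path(root)
    report = {"approved": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in allowlist:
            report["unknown"].append(rel)
        elif allowlist[rel] != sha256_file(p):
            report["modified"].append(rel)
        else:
            report["approved"].append(rel)
    report["missing"] = [rel for rel in allowlist if rel not in seen]
    return report


def demo():
    """Constructed scenario: take a baseline, then make the changes an audit should flag."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)  # stands in for an HMI workstation (constructed)
        (ws / "hmi").mkdir()
        (ws / "hmi" / "runtime.exe").write_bytes(b"constructed HMI runtime v1")
        (ws / "hmi" / "config.ini").write_bytes(b"[plc]\naddr=192.0.2.10\n")
        (ws / "hmi" / "readme.txt").write_bytes(b"constructed vendor notes")
        baseline = build_allowlist(ws)

        # After the baseline: one approved binary altered, one unlisted binary
        # dropped in, one required file removed.
        (ws / "hmi" / "runtime.exe").write_bytes(b"constructed HMI runtime v1 (altered)")
        (ws / "hmi" / "update_tool.exe").write_bytes(b"constructed unapproved binary")
        (ws / "hmi" / "config.ini").unlink()
        return audit(ws, baseline)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:9s} {paths}")
```

Two points the article's caveats imply: the manifest must be stored off the audited host, or signed, because anyone who can alter the files can otherwise alter the list as well; and a hash allowlist only detects changes to files it knows about, which is exactly why the author calls a white list “no guarantee of safety” and pairs it with black-list tools, signed software and detection of a breach in progress.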

Finally, don’t underestimate the danger of a socially engineered attack, a threat that is real and growing. The most sophisticated attackers against vulnerable systems will conduct careful research on your facility, the vendors that provide service and the websites your team members frequent through corporate networks. From there they will leverage their findings to put the weaponry in place for an ‘air gapped’ attack.

Conclusions

Both public utilities and major commercial manufacturing ICS are under an increasing threat of compromise. Out-of-date software and operating systems, embedded passwords and the broad-scale deployment of interconnections to standard information technology networks have raised the risk for ICS compromise to new levels.  Attackers are investing more to better understand ways to infiltrate these networks and deliver damaging, highly sophisticated attacks.  The TrapX team documented similar attacks on medical device networks in 2015 (see Medjack).

Existing defense-in-depth deployed within ICS networks is not enough. Attackers will continue to compromise these systems.  In the final analysis, security best practice also requires a response to successful attacks.  We must implement a strategy to quickly detect the attackers within the compromised systems, successfully break the attack, remediate the threat and recover full operations of the ICS network.

About the Author: Greg Enriquez is a talented senior executive with more than 30 years of deep domain experience in cyber security. Prior to TrapX, Enriquez served as Vice President Sales at FireEye, where he led the worldwide sales team for the company’s advanced technologies division. Enriquez began his career with IBM and ascended to the rank of Vice President Worldwide Industry Sales, Software Group. Among his other executive assignments, Enriquez served as Vice President of Tivoli’s Americas Sales organization following the company’s acquisition by IBM; Senior Vice President, Worldwide Sales and Field Operations for Stratus Technologies; and led worldwide sales, business development, marketing and services for Symantec’s Norton Data Services unit. Enriquez earned a Bachelor’s Degree in business administration from the University of Southern California (USC).

[1] http://www.dni.gov/files/documents/HPSCI%2010%20Sept%20Cyber%20Hearing%20SFR.pdf

[2] http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf (NIST SP 800-82, page 3-3, component lifetime)
