ICS attacks typically focus on immediate process disruption: turning off the power, shutting down a plant, or something similar. Yet an examination of the history and potential of ICS intrusions shows a far more worrisome attack vector: undermining the integrity (either via process accuracy or process safety) of an industrial environment. While not necessarily immediately evident, such an attack can produce significant impacts through undermining a physical process and calling into doubt the viability of a specific facility.
Historically, such attacks are not new, but instead encapsulate the very first known ICS-targeting malware: Stuxnet. Rather than seeking direct disruption, Stuxnet sought to undermine process integrity by altering the functionality of the plant in question while masking effects to operators. Since that time, the industrial community initially faced a long period focused only on direct disruption, until the emergence of CRASHOVERRIDE in 2016 (whose integrity-impacting effects have not previously been discussed) and the safety-system-targeting TRISIS. Each of these sought in certain ways to undermine the very reliability of underlying processes to produce potentially disastrous outcomes.
This presentation will explore these historical examples while presenting potential attack scenarios for future integrity-based attacks. In doing so, attendees will learn more about the risk framework faced by ICS-operating organizations and unique defense and recovery requirements within these environments. This talk will conclude with recommendations for defense and recovery to mitigate against integrity-based attacks, while seeking to educate audiences on the unique risk posed by such events.
(Presented at SecurityWeek’s 2019 ICS Cyber Security Conference)
Integrity-based attacks can produce significant impacts through undermining a physical process and calling into doubt the viability of a specific facility.
ICS Devices Vulnerable to Side-Channel Attacks: Researcher Shows (Eduard Kovacs - SecurityWeek) Side-channel attacks can pose a serious threat to industrial control systems (ICS), a researcher warned last month at SecurityWeek’s ICS Cyber Security Conference in Atlanta, GA. Demos Andreou, a lead engineer at power management company Eaton, has conducted an analysis of protection devices typically used in the energy sector, specifically in power distribution stations. Side-channel attacks can be used to extract data from a system based on information gained by observing
(SecurityWeek - Eduard Kovacs) - An unusually high volume of malicious internal reconnaissance and lateral movement has been observed in the manufacturing industry, which experts believe is a result of the rapid convergence between IT and OT networks. The data comes from the 2018 Spotlight Report on Manufacturing released on Wednesday by threat detection company Vectra. The report is based on observations from another report released on Wednesday by the company, the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which shows
(SecurityWeek - Eduard Kovacs) - A threat actor with ties to hacker groups believed to be operating out of Iran has been targeting the industrial networks of organizations in the Middle East and the United Kingdom. Tracked by industrial cybersecurity firm Dragos as “Chrysene,” the actor has been linked to OilRig and Greenbug, groups that have mainly focused on the Arabian Gulf region and which are believed to have been involved in the Shamoon and Shamoon 2 attacks. According to Dragos, Chrysene
(Eduard Kovacs - SecurityWeek) Several natural gas pipeline operators in the United States have been affected by a cyberattack that hit a third-party communications system, but the incident does not appear to have impacted operational technology. Energy Transfer Partners was the first pipeline company to report problems with its Electronic Data Interchange (EDI) system due to a cyberattack that targeted Energy Services Group, specifically the company’s Latitude Technologies unit. EDI is a platform used by businesses to exchange documents such as purchase
[Presentation from SecurityWeek's 2017 Singapore ICS Cyber Security Conference] Operations managers need to be 100% certain that their PLCs’ software is shielded from unauthorized modifications, to assure that operational processes go uninterrupted. This session demonstrates how PLC software can be modified without operators being aware, and outlines the potential impact on ongoing ICS processes. An attack demo shows how to simulate an engineering workstation operation to change the firmware of the PLC while keeping the communication with the SCADA system intact. Various defense
By Kevin Townsend (SecurityWeek) The U.K. Government Communications Headquarters (GCHQ), Britain's secret eavesdropping agency, warns that 'a number of [UK] Industrial Control System engineering and services organisations are likely to have been compromised' following the discovery of 'connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors.' The warning comes from a National Cyber Security Centre (NCSC) memo obtained by Motherboard and confirmed by the BBC. NCSC is part of the UK's primary cyber intelligence agency, GCHQ. From the little information available, it
Multiple cyberattacks on critical infrastructure facilities in 2016 resulted in mere inconvenience or embarrassment. How long can dumb luck keep us from harm? By Michael Shalyt, VP Product, APERIO Systems When the U.S. Energy Department released a nearly 500-page report this month warning of an “imminent” threat to the electrical grid, it was the latest reminder of just how dependent our day-to-day existence is on critical infrastructure networks — from power grids and water supplies to transportation networks and more. In 2016, attackers clearly