ICS attack responses

Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside. Professionals in the control environment need to understand the security lifecycle where the user goes from assessing to implementing to maintaining the system.

By Gregory Hale, ISSSource November 24, 2014

Manufacturers who still feel they are "too small" to suffer a cyber attack, or are not "significant enough" players to be targeted, should take warning. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.

In essence, professionals in the control environment need to understand the security lifecycle, in which the user goes from assessing to implementing to maintaining the system. The catch is that security is not a one-off solution, so the lifecycle keeps evolving and circles back on itself.

In the assess stage, the user should start with a risk assessment to understand where the vulnerabilities are and to establish zones and conduits. In the implementation stage, there is training, after which the user is able to design in the zones and conduits and then validate and test them. In the maintain stage, the user conducts periodic vulnerability assessments and tests and deploys patches.

Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years.

Just take a look at one water treatment facility that suffered control system anomalies, according to ICS-CERT. The organization responded to an incident involving operational anomalies at water and wastewater treatment facilities.

The asset owner reported that a control system maintenance employee had improperly accessed the control system on at least four separate occasions. One of these instances resulted in an overflow in the system's wastewater treatment process, according to the report. The owner requested that ICS-CERT deploy an onsite incident response team to determine whether unauthorized system access had occurred and whether it caused the basin to overflow, according to a report in the ICS-CERT Monitor.

The incident response team, in conjunction with law enforcement, performed extensive analysis of the control system and historical trending data around the four dates provided by the owner. The team was unable to conclusively determine if the suspected employee had unauthorized access on the date of the overflow or if that access resulted in the basin overflowing. The factors that significantly contributed to the inconclusive findings included:

  • The hosts did not record logon events
  • A single username was used throughout the network
  • No network monitoring systems were in place that could verify the activity
  • Logging was not enabled, or was irrelevant, for any of the remote access tools seen on the hosts (pcAnywhere, RealVNC, NetVanta VPN client, Windows Remote Desktop)
  • Operating system records had been eliminated because of the age of the reported access events.

This is a perfect example of the importance of detailed logging capabilities and of policies governing log analysis. Network administrators should also implement least privilege practices and ensure each user has unique logon credentials that grant access only to the systems that employee needs to control.
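To make the five findings concrete, here is an added example (not from the ISSSource article and not ICS-CERT tooling) of the kind of review an investigator would run once per-host logon auditing and unique credentials exist. It takes a constructed host inventory and constructed logon records, reports which hosts record nothing, which usernames are shared across hosts, and whether an access near a given incident time can be tied to a person. All host names, usernames, addresses and timestamps are made up for the example; the remote-access tool names are the ones ICS-CERT listed.

```python
"""Logon-attribution audit over constructed control-system hosts (added example)."""
from datetime import datetime, timedelta

# Constructed inventory: does the host record logon events, and which
# remote-access tools are installed on it.
HOSTS = {
    "hmi-01": {"logon_audit": True,  "remote_tools": ["RealVNC"]},
    "hmi-02": {"logon_audit": False, "remote_tools": ["pcAnywhere"]},
    "eng-ws": {"logon_audit": True,  "remote_tools": ["Windows Remote Desktop"]},
}

# Constructed logon records: (host, user, ISO timestamp, source).
# In a real plant these would come from Windows Security event 4624 or syslog.
EVENTS = [
    ("hmi-01", "operator", "2014-03-02T08:05:00", "console"),
    ("hmi-01", "operator", "2014-03-02T23:41:00", "10.0.5.17"),
    ("eng-ws", "jsmith",   "2014-03-02T23:38:00", "10.0.5.17"),
    ("eng-ws", "operator", "2014-03-03T06:10:00", "console"),
]


def logon_coverage(hosts):
    """Hosts that can never support attribution because they record no logons."""
    return sorted(h for h, meta in hosts.items() if not meta["logon_audit"])


def shared_accounts(events, threshold=2):
    """Usernames seen on at least `threshold` distinct hosts. One account used
    plant-wide makes 'who logged on' unanswerable even when logging works."""
    hosts_per_user = {}
    for host, user, _, _ in events:
        hosts_per_user.setdefault(user, set()).add(host)
    return sorted(u for u, hs in hosts_per_user.items() if len(hs) >= threshold)


def attribute_window(events, incident_time, window_hours=2):
    """Logons within +/- window_hours of the incident, oldest first."""
    t0 = datetime.fromisoformat(incident_time)
    lo, hi = t0 - timedelta(hours=window_hours), t0 + timedelta(hours=window_hours)
    hits = [e for e in events if lo <= datetime.fromisoformat(e[2]) <= hi]
    return sorted(hits, key=lambda e: e[2])


def attribution_status(hosts, events, host, incident_time):
    """Summarise whether an access on `host` near `incident_time` can be tied
    to an individual, mirroring the three gaps ICS-CERT ran into."""
    if not hosts[host]["logon_audit"]:
        return "no logon records on host"
    shared = set(shared_accounts(events))
    hits = [e for e in attribute_window(events, incident_time) if e[0] == host]
    if not hits:
        return "no logon in window"
    if all(e[1] in shared for e in hits):
        return "logons present but only shared accounts"
    return "attributable: " + ", ".join(f"{e[1]}@{e[3]}" for e in hits)


if __name__ == "__main__":
    incident = "2014-03-03T00:15:00"  # constructed overflow time
    print("hosts without logon auditing:", logon_coverage(HOSTS))
    print("accounts shared across hosts:", shared_accounts(EVENTS))
    for h in HOSTS:
        print(h, "->", attribution_status(HOSTS, EVENTS, h, incident))
```

Run as a script it shows the three outcomes side by side: hmi-02 has no records at all, hmi-01 has a logon in the window but only under the shared "operator" account, and only eng-ws, where a named account was used, yields a usable attribution.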

While onsite, the incident response team conducted a design and architecture review and cyber security assessment to thoroughly evaluate the facilities. The team identified vulnerabilities and provided recommendations to mitigate and improve security.

At the 2014 Industrial Ethernet Infrastructure Design Seminar in Houston, TX, Joel Langill of RedHat Cyber, an independent ICS security researcher, talked about the change in approach companies need to make when planning for security.

"Security right now is about short term tactical measures like patch management or installing antivirus," Langill said. "Security has to get to thinking about strategic controls or long term planning. There are other things that can help solve the issues," he said. One of the areas he mentioned was paying closer attention to logging data.

Meanwhile, in another incident reported to ICS-CERT, a large critical manufacturing organization suffered a compromise by multiple sophisticated attackers over several months. ICS-CERT received and analyzed digital media data provided by the organization and deployed an onsite incident response team to assist the organization with recovery efforts.

The team performed network sweeps using indicators of compromise and identified numerous compromised hosts as well as lateral movement by the threat actors throughout the network. The response team also uncovered evidence of compromised domain accounts, which gave the intruders privileged access throughout the network. In addition to the incident response activities, ICS-CERT analyzed the organization's overall network architecture and provided strategies for improving its defensive posture.
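The two techniques in that paragraph, an indicator sweep and spotting a privileged domain account moving laterally, are shown below in an added example that is not ICS-CERT's tooling or the article's. It takes constructed per-host sweep results, a constructed indicator list (a documentation-range address and a placeholder hash, not real IoCs) and constructed network logon records, and flags hosts matching an indicator, accounts fanning out to many hosts in a short window, and the overlap between the two, which is where containment and credential resets would start.

```python
"""Lateral-movement triage over constructed sweep data (added example)."""
from datetime import datetime, timedelta

# Constructed indicators: a hypothetical C2 address (TEST-NET range) and a
# placeholder file hash. Neither is a real indicator.
IOCS = {
    "ip": {"203.0.113.45"},
    "sha256": {"0" * 64},
}

# Constructed per-host sweep observations: outbound peers and file hashes seen.
HOST_OBSERVATIONS = {
    "plant-a-fs01": {"outbound": {"198.51.100.9"}, "files": set()},
    "plant-b-db02": {"outbound": {"203.0.113.45"}, "files": {"0" * 64}},
    "corp-dc01":    {"outbound": set(), "files": set()},
}

# Constructed network logons: (ISO time, account, source host, destination host).
LOGONS = [
    ("2014-06-10T02:00:00", "CORP\\svc_backup", "plant-b-db02", "plant-a-fs01"),
    ("2014-06-10T02:03:00", "CORP\\svc_backup", "plant-b-db02", "corp-dc01"),
    ("2014-06-10T02:07:00", "CORP\\svc_backup", "plant-b-db02", "plant-c-hmi01"),
    ("2014-06-10T02:09:00", "CORP\\svc_backup", "plant-b-db02", "plant-c-eng01"),
    ("2014-06-10T09:00:00", "CORP\\jdoe",       "corp-ws17",    "corp-dc01"),
    ("2014-06-10T14:00:00", "CORP\\jdoe",       "corp-ws17",    "plant-a-fs01"),
]


def ioc_sweep(observations, iocs):
    """Return {host: [matched indicators]} for every host touching an indicator."""
    hits = {}
    for host, obs in observations.items():
        matched = sorted(obs["outbound"] & iocs["ip"]) + sorted(obs["files"] & iocs["sha256"])
        if matched:
            hits[host] = matched
    return hits


def fan_out(logons, window_minutes=30, min_hosts=3):
    """Return (account, source, [destinations]) for every account that reaches at
    least min_hosts distinct destinations from one source within window_minutes.
    A single privileged domain account doing this at night is the footprint of
    the lateral movement described in the incident."""
    by_pair = {}
    for ts, account, src, dst in logons:
        by_pair.setdefault((account, src), []).append((datetime.fromisoformat(ts), dst))
    findings = []
    for (account, src), rows in by_pair.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):
            dsts = {d for t, d in rows[i:] if t - t0 <= timedelta(minutes=window_minutes)}
            if len(dsts) >= min_hosts:
                findings.append((account, src, sorted(dsts)))
                break  # one finding per (account, source) is enough for triage
    return findings


def pivot_hosts(observations, iocs, logons):
    """Hosts that both match an indicator and are the source of a fan-out."""
    ioc_hosts = set(ioc_sweep(observations, iocs))
    return sorted({src for _, src, _ in fan_out(logons) if src in ioc_hosts})


if __name__ == "__main__":
    print("indicator hits:", ioc_sweep(HOST_OBSERVATIONS, IOCS))
    for account, src, dsts in fan_out(LOGONS):
        print(f"fan-out: {account} from {src} -> {dsts}")
    print("pivot hosts:", pivot_hosts(HOST_OBSERVATIONS, IOCS, LOGONS))
```

The window and host-count thresholds are deliberately parameters: a backup service account legitimately touching many hosts on a schedule is the usual false positive, and the fix is to baseline such accounts rather than loosen the rule globally. jdoe's two logons, hours apart, do not trigger it; svc_backup reaching four hosts in nine minutes from a host that also matched an indicator does.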

The organization is a conglomeration of multiple companies acquired in recent years. The acquisition and subsequent merging of multiple networks introduced latent weaknesses in network management and visibility, which allowed the intruders' lateral movement to go largely undetected.

The organization has over 100 entry/exit point connections to the Internet, complicating the implementation of network boundary protections. In this situation, re-architecting the network is the best approach to ensure the company has a consistent security posture across its wide enterprise.

"We are having to deal with problems today that we didn’t have to deal with yesterday," Langill said. "Securing against tomorrow’s events means users must improve access control, gain situational awareness, and plan for a cyber incident." Attacks against industrial sites are continuing, he said. While he could not get into specifics, Langill mentioned a South American refinery that had a malware breach that affected 3000 nodes and went through their PLCs.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on the ISSSource website. Edited by Joy Chang, digital project manager, CFE Media, jchang@cfemedia.com