Contributed to SecurityWeek - Reposted here for those that missed it...
In my previous article, I outlined details of the changing threat-landscape in ICS. Of note, I pointed, as we have been with a good deal of frequency, to the growing risk of cyber-crime activity/ransomware activity on the shop floor. While the WannaCry ransomware was not targeted specifically at any ICS devices, and there is no evidence it was specifically targeted at ICS network owners, there are documented cases of it reaching the ICS domain and causing disruption to production.
I bring this up as my intent for this article was to discuss the systemic security risks found in Industrial Control Systems networks – to point to the fact that sophisticated exploits aimed at zero-day vulnerabilities are not required to cause disruption to ICS processes. WannaCry’s impact to production helps to demonstrate this case (vuln was nation-state quality, yes, but the malware was hardly best-in-class). But the discussion is far broader and I will attempt to do it justice in the short amount of space I have below.
The security risk to ICS networks is systemic and not determined by vulnerabilities alone. Yes – vulnerabilities are a major problem and, of course, they represent pathways which can be exploited by our adversaries. But we need to understand that reaching the ICS network is relatively easy once a foothold is established on the IT side of the house – and we have seen just how easy that access is over the course of the past 10 years of daily breach headlines. Once inside the ICS/OT network, causing havoc is as simple as talking to PLCs with legitimate commands.
Accessing the ICS/OT Network:
The concept of a completely air-gapped ICS/OT environment is dead. For a variety of reasons, these networks are increasingly interconnected with IT / accessible to the outside world. As a result, there are two main pathways open for adversaries. Neither of which require some insanely clever or novel vulnerability exploit.
- Getting to ICS/OT through IT interconnections through the “normal tools of the trade” – spear-phishing and watering hole attacks, etc.
- Getting in directly through ICS/OT connections to the outside world – publicly facing IPs of PLCs, compromised VPNs, unaudited, uncontrolled, unmonitored remote access
Side note – keep in mind that the median number of days before attackers are detected on IT networks is 99 days (source: Mandiant) with dozens of security tools watching. In the ICS/OT space network monitoring is scarce and once an attacker transitions from IT to ICS/OT, there is virtually nothing to detect them. Case in point – it is believed Sandworm Team was active for MONTHS on the Ukraine networks impacted in 2015 and 2016.
Of course, aside from external access, there is always the fear of the insider threat – where poor implementation of IT/OT DMZs, lack of restricted credentials, lack of hygiene in revoking credentials of past employees, etc. allow a disgruntled individual to find their way in.
Disrupting the ICS/OT Network is as Easy as Talking to the PLC:
Since there is a significant deficiency in ICS/OT network monitoring, once inside an attacker can take time to learn the topology of the components, and monitor and dissect processes by grabbing a copy of the program the PLC is running. PLCs are just real-time computers optimized for industrial environments. Many lack basic security controls found in other devices such as proper authentication or encryption because they were originally designed to be optimized for real-time communications – not security. Most controllers do not have encryption capabilities, and those that do are not implemented for various reasons. Note that we shouldn’t expect some major shift in this reality as lifecycles for these devices can stretch 15+ years, and as design cycles are in most cases 3-5 years.
As a result, attackers can easily communicate directly with PLCs by using legitimate commands that could cause damage. Starting/stopping a process is as easy as using standard Engineering Tools and running legitimate commands that no existing software in the ICS/OT network will flag as suspicious.
Attackers can also simply change the program the PLC is running by loading a new one. The PLC won’t ask for authentication since, in most cases, even those controllers that are capable of authentication have it disabled.
So, whether the PLC has a vulnerability or not, is largely irrelevant for attackers that manage to get into the ICS network and have the patience to examine the working of the ICS components and use the existing capabilities of the system to change how the system operates.
The Implications of This Reality:
ICS/OT networks are high risk assets and we must find ways to better monitor activity across them. An attacker can cause serious safety and health concerns, steal valuable intellectual property, hold these networks for ransom and even use these networks as pathways over to the IT side of the house. We aren’t going to change the systemic risk associated with these networks overnight – not even in the foreseeable future. We must approach this problem with new and innovative ideas – and do so now, no time for more government mandated studies and reviews - and develop and immediately execute security strategies that deliver drastic improvement.