Threats To Industrial Control Systems
IWS 11 – Oklahoma City, Oklahoma
Dan Scali
Dragos, Inc. | October 2018
Topics For Today
1. How do ICS attacks work?
2. What have we learned from them?
3. What can we do about it?
ICS attack capabilities are improving – on both offense and defense

1998 - 2009: Lack of Collection
• Campaigns: APT1
• ICS Malware: None

2010 - 2012: New Interest in ICS
• Campaigns: Sandworm
• ICS Malware: Stuxnet

2013 - 2015: Campaigns Target ICS
• Campaigns: Dragonfly
• ICS Malware: BlackEnergy 2 and Havex
• First attack to cause physical destruction on civilian infrastructure (German Steel)

2015 - 2017: Adversaries Disrupt ICS
• Campaigns: 10 Unique
• ICS Malware: CRASHOVERRIDE and TRISIS
• First and second ever electric grid attacks that disrupt power
• First malware to target human life
German Steel Mill 2014
• On Dec 18, 2014, the German Government’s BSI released its annual report highlighting incidents
• Identified “massive damage” in a steel facility due to a cyber attack
• 2nd publicly known case of physical damage to control systems from cyber attacks
Ukraine 2015
• First ever cyber attack on a power grid to lead to outages
• 3 power companies across Ukraine affected
• SCADA hijack scenario carried out by a well-funded team
Ukraine 2016 - CRASHOVERRIDE
2017 TRISIS
• TRISIS was delivered into an industrial facility by a well-funded attack team
• Targeted the Safety Instrumented System (SIS) and failed, causing a stop in operations
• First malware to specifically target human life
The ICS Cyber Kill Chain (diagram: Stage 1, Stage 2)
Vectors of ICS compromise, by frequency
1. Interconnectivity
2. Self Propagation
3. Trojanized Software
4. Phishing
The Diamond Model of Intrusion Analysis (diagram: ADVERSARY, INFRASTRUCTURE, CAPABILITY/TRADECRAFT, VICTIM/TARGET)

ELECTRUM
ADVERSARY
• Operating since at least 2017
INFRASTRUCTURE
• Legitimate infrastructure
• University IPs for C2
CAPABILITY / TRADECRAFT
• CRASHOVERRIDE
• Long-term persistence
• Use Microsoft SQL database servers as the gateway that bridges business and ICS networks
• Electric grid disruption
VICTIM/TARGET
• Electric utility companies in the Ukraine

XENOTIME
ADVERSARY
• Unique tool development since at least 2014
INFRASTRUCTURE
• European web hosting providers
• Asian shipping company
CAPABILITY / TRADECRAFT
• TRISIS
• Custom credential harvesting
VICTIM/TARGET
• Oil & Gas
• Middle East

CHRYSENE
ADVERSARY
• Evolution of “Greenbug” activity
• Possible links to Shamoon
INFRASTRUCTURE
• Registers domains mimicking legitimate IT services or companies
• Configures an adversary-controlled authoritative nameserver for the domain
CAPABILITY / TRADECRAFT
• Watering holes
• 64-bit malware
• Covert C2 via IPv6 DNS
• ISMDOOR
VICTIM/TARGET
• Oil & Gas, Manufacturing
• Europe, MENA, North America

COVELLITE
ADVERSARY
• Emerged in September 2017
• No clear ICS-specific capability demonstrated
INFRASTRUCTURE
• Legitimate infrastructure
• University IPs for C2
CAPABILITY / TRADECRAFT
• Sophisticated implant with secure communication channels
• Similar features to malware used against South Korean targets
• Specific session key used for payload and second encrypted layer
• 41 minute and 30 second sleep
VICTIM/TARGET
• Electric utility companies in the United States

MAGNALLIUM
ADVERSARY
• Espionage group with ICS industry focus
• Associated with APT 33
INFRASTRUCTURE
• Registers own infrastructure
• Spoofs victim organizations and generic IT themes
CAPABILITY / TRADECRAFT
• STONEDRILL wiper, variants of TURNEDUP malware
VICTIM/TARGET
• Petrochemical, Aerospace
• Saudi Arabia

ALLANITE
ADVERSARY
• Operations began no later than May 2017
• Similar to but distinct from DYMALLOY
INFRASTRUCTURE
• Compromised ISPs
• European VPS resources
CAPABILITY / TRADECRAFT
• Phishing with engineering-focused resumes
• Compromised legitimate websites for ICS OEMs and providers
VICTIM/TARGET
• Electric utility companies in the United States

DYMALLOY
ADVERSARY
• Observed mid- to late-2017
• Some indications of a relationship to Dragonfly
INFRASTRUCTURE
• Compromised ISP service nodes
• No domains observed; IP-only infrastructure used for C2 and infection
CAPABILITY / TRADECRAFT
• GOODOR
• DORSHEL
• KARAGANY
• Mimikatz
VICTIM/TARGET
• Energy sector, Oil & Gas, Advanced Industry
• Turkey, Europe, US

RASPITE
ADVERSARY
• Associated with LeafMiner
INFRASTRUCTURE
• Registers domains that look like legitimate IT services
• Utilizes RDP communications to controlled C2 servers for remote access
CAPABILITY / TRADECRAFT
• Service installer malware designed to beacon out to adversary infrastructure
VICTIM/TARGET
• Electric Utilities
• US, Saudi Arabia, Japan, Europe
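The fixed 41 minute 30 second sleep listed under COVELLITE is the kind of tradecraft detail a defender can turn into a hunt: an implant that sleeps a constant interval produces near-identical gaps between connections to its C2 host. The script below is an added example, not code from the deck or from Dragos; the connection-log layout ("timestamp source destination:port") and all addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Sleep interval cited for COVELLITE on the slide: 41 minutes 30 seconds.
KNOWN_SLEEP_SECONDS = 41 * 60 + 30

# Constructed sample connection log; the "timestamp src dst:port" layout is
# an assumption for this example, not any real sensor's export format.
SAMPLE_LOG = """\
2018-10-01T08:00:00 10.1.5.23 203.0.113.10:443
2018-10-01T08:05:12 10.1.5.23 198.51.100.7:80
2018-10-01T08:41:30 10.1.5.23 203.0.113.10:443
2018-10-01T09:23:00 10.1.5.23 203.0.113.10:443
2018-10-01T09:31:44 10.1.5.23 198.51.100.7:80
2018-10-01T10:04:30 10.1.5.23 203.0.113.10:443
2018-10-01T10:46:00 10.1.5.23 203.0.113.10:443
2018-10-01T10:58:03 10.1.5.23 198.51.100.7:80
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_conns=4, max_jitter=0.05):
    """Return (src, dst, mean_gap_seconds, count) for pairs whose gaps between
    connections are nearly constant (coefficient of variation <= max_jitter)."""
    found = []
    for (src, dst), times in flows.items():
        if len(times) < min_conns:
            continue                      # too few samples to call a period
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            found.append((src, dst, period, len(times)))
    return found

def matches_known_sleep(period, tolerance=0.02):
    """True when a detected period is within tolerance of the 41:30 sleep."""
    return abs(period - KNOWN_SLEEP_SECONDS) <= tolerance * KNOWN_SLEEP_SECONDS

if __name__ == "__main__":
    for src, dst, period, n in find_beacons(parse_log(SAMPLE_LOG)):
        tag = " (matches 41m30s sleep)" if matches_known_sleep(period) else ""
        print(f"{src} -> {dst}: {n} connections every {period:.0f}s{tag}")
```

Real implants often add jitter, so the periodicity check flags any low-variance interval first and only then compares it to the known sleep; tune max_jitter and min_conns to the log volume you have.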
Conventional Wisdom: ICS Cybersecurity is Hard

FY 2015 Incidents by Infection Vector (295 total)
• Unknown: 110
• Spear Phishing: 109
• Network Scanning / Probing: 26
• Weak Authentication: 18
• Other: 17
• Abuse of Authorized Access: 7

Slide text: HUNDREDS / BILLIONS / ICS CYBER SECURITY SPECIALISTS
Defense is Doable
• Industrial infrastructures are some of the most *defensible* networks on the planet
• Predictable high-confidence cyber attacks are difficult (ICS Cyber Kill Chain)
• The threats are worse than we realize but not as bad as we want to imagine
Commodity malware remains a risk to ICS
You cannot just patch away the problem
• Dragos’ 2017 Year in Review reports revealed that, for ICS vulnerabilities:
  • 64% of all patches didn’t eliminate the risk
  • 72% provided no alternate mitigation to the patch
  • Only 15% could be leveraged to gain initial access
Ref: www.dragos.com/YearInReview/2017
Understanding your threat model
Sliding Scale of Security: Where are you now? Where do you want to be?
Ref: https://www.sans.org/reading-room/whitepapers/analyst/sliding-scale-cyber-security-36240
Thank you