Today at Dragos we unveil a public dashboard of industrial-focused activity groups expending significant resources to exploit, disrupt, and potentially destroy industrial systems, with consequences that include operational downtime, loss of life, and environmental damage. Not all of them are equally mature – some are still information-gathering, while others have matured into developing complex tools explicitly designed for industrial equipment. Our goal is to open a small window into this threat landscape and educate a broader community on the reality.
The current industrial threat landscape is very concerning. All of our intelligence suggests that industrial security is entering a period of massive growth in threat activity which will likely last at least the next decade. Nobody is facing a “cyber Pearl Harbor” as some pundits suggest. But it is not a quiet and calm environment either.
ICS defenders today face threat scenarios deemed near impossible only a couple of years earlier. Protection and safety equipment have always been thought of as a last line of defense against cyber threats, and this past year those too have been breached and impacted, leaving industrial systems vulnerable as never before. No responsible operator can turn a blind eye to the cyber threat.
Stuxnet in Today’s Threat Context
Many in ICS security are wary of invoking discussions on Stuxnet as it’s largely dated. But, as it’s the most widely understood ICS malware, it’s important to place it in context of today’s landscape. Also, comparing Stuxnet lessons to contemporary threats provides valuable insights into the underlying types of ICS threats.
Amongst all of the ICS-focused malware, Stuxnet stands out historically. All available intelligence strongly supports the assertion that Stuxnet was a focused military operation. Stuxnet was precisely engineered to limit its use to only one specific military facility and to affect only the process of uranium enrichment – a process not widely conducted in civilian infrastructure.
Therefore, while Stuxnet was the first publicly revealed ICS-focused malware and its lessons for securing control systems are many, an overreliance on that case to secure control systems today would be a mistake. The problem is that none of the ICS threats we follow today affecting civilian control systems follow the Stuxnet pattern, and protecting against Stuxnet would add little protection against today’s ICS threats.
Fundamentally, the difference between Stuxnet and today’s civilian ICS threats is a massive chasm. Stuxnet was designed as a precision single-use weapon, while today’s ICS threats are frameworks designed for scale and global reusability. Yes, Stuxnet caused infections outside its targeted environment, Natanz, triggering incident response and clean-up. But, as we know now, the malware itself would not have caused any further disruption due to its self-crippling functions.
But the “Stuxnet moment” is important to civilian ICS asset owners and operators today. Until Stuxnet was public, ICS cyber operations were the sole domain of only the most rarefied adversaries. The publication of Stuxnet began serious investment in ICS-disruption capabilities by many other adversaries to achieve what they perceived as capability parity with other states: “if they can attack our control systems, then we need to be able to respond with the same!”
The Quickly Growing Threat
Beginning with the discovery of Stuxnet in 2010, there have been five distinct malware families engineered to target operational industrial environments (Stuxnet, Havex, BlackEnergy 2, CRASHOVERRIDE, and TRISIS). Only three of those families disrupt control systems (Stuxnet, CRASHOVERRIDE, TRISIS) – two of the three were discovered last year and used within a year of each other (2016-2017). Dragos has recorded at least ten distinct campaigns by adversaries to target OT environments in the last two years alone.
Several factors led to the ICS threat growth:
- Stuxnet started a growth of research, interest, and investment in industrial system compromise now bearing fruit
- Defenders increased monitoring and therefore visibility on threats not detected before (we know more because we see more)
- After years of compromise and surveillance on operational networks, some adversaries have matured sufficiently to be effective against ICS (which can take years) – we expect that as time continues more will evolve past the initial learning phase and into disruption
What Dragos Observes Today
As of May 2018, Dragos tracks seven named activity groups explicitly targeting and operating inside ICS networks. But, there is much more activity not yet categorized, and we suspect many more operating globally.
The fascinating feature of current ICS threats facing defenders is the shared tradecraft amongst them. While the final element of each threat causing impact is “novel” – the months and years of operations leading to that point are surprisingly common. There is little evidence that defenders should be overly concerned with the “novel” components of an ICS attack.
Instead, focus on the whole adversary process, the “kill chain”: the initial access, lateral movement, and intelligence-gathering process which takes months or years before any disruption. Organizations and defenders have a higher chance of discovering and remediating ICS threats earlier in this process, before any disruption.
For instance, almost every ICS intrusion Dragos has monitored began with remote access external to the industrial environment, either through compromised VPN credentials via 3rd party vendors or through intrusion into the IT/business network using email phishing and strategic web compromise (i.e., “watering holes”). These adversaries focus on password stealing to masquerade as legitimate users.
These are not the novel attack scenarios theorized by many and published by the hacker-research community. There are few, if any, zero-day vulnerabilities employed. These traditional approaches are good news for defenders because it means success is achievable by focusing on known behaviors rather than identifying novel tradecraft. Things may change as we learn more and adversaries evolve, but for now – we’re not in a complicated place.
Here are lessons for defenders based on many recent ICS network intrusions:
- Initial compromise begins in the IT/business network almost always from email phishing attacks and strategic web compromise (i.e., “watering holes”)
- Lesson: focus on any porous points in the IT-OT boundary
- Third-party vendors and services are strong compromise and disruption vectors
- Lesson: Monitor VPN usage for odd behaviors and identify risk from 3rd party services to industrial and business operations
- Adversaries are using scalable and reusable tradecraft as opposed to novel tradecraft
- Lesson: Take an intelligence-driven approach to defense and use threat intelligence to know and understand the threats to the ICS environment
- Adversaries are “living off the land” (e.g., using legitimate tools already available in the environment) with little-to-no malware in their operations
- Lesson: anti-virus will provide little protection against ICS-focused adversaries, and behavioral threat analytics are critical
- Adversaries stay persistent from months-to-years before touching any control equipment
- Lesson: greater monitoring in OT will yield benefit because defenders have time
- Single factor authentication allows easy lateral movement inside and around networks
- Lesson: use multi-factor (not phone factor) authentication on all internal assets and services + limit the use of administrator and service accounts
- Adversaries continue to target critical services
- Lesson: Apply greater monitoring to high-value assets like safety systems and identity management (e.g., Active Directory)
- Adversaries use many paths and approaches during their operations, and most incident response teams are not ready to investigate in an industrial environment
- Lesson: Prepare for compromise and reduce time to remediation by collecting a wide variety of data within the OT environment (e.g., host, network, process historian, authentication) and using ICS-specific security skill sets and knowledge ready to investigate and respond
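The VPN and third-party lessons above (and the earlier observation that most intrusions begin with remote access through compromised vendor VPN credentials) come down to behavioral monitoring at the IT-OT boundary. The following is an added example of what that monitoring can look like in practice; it is not Dragos code or tooling. It assumes a simple, constructed VPN authentication log format (timestamp, account, source IP, LOGIN/LOGOUT) and a hypothetical vendor inventory mapping each third-party account to its known source IPs and agreed maintenance window. It flags three behaviors a defender would want to review: a vendor account logging in outside its window, a vendor login from a source IP never seen for that account, and a second session opening for an account while one from a different IP is still active (a common sign that stolen credentials are in use alongside the legitimate user).

```python
"""Behavioral checks over VPN authentication logs at the IT/OT boundary.

Added example, not Dragos code. Log format and vendor inventory below are
assumptions for illustration; a real deployment would read both from the
VPN concentrator's logs and the organization's vendor/asset inventory.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Constructed sample log lines (not real data): <ISO timestamp> <account> <source ip> <event>
SAMPLE_LOG = """\
2018-05-01T09:05:12 vendor_pumpco 203.0.113.10 LOGIN
2018-05-01T11:40:03 vendor_pumpco 203.0.113.10 LOGOUT
2018-05-02T02:17:44 vendor_pumpco 198.51.100.7 LOGIN
2018-05-02T02:20:01 vendor_pumpco 203.0.113.10 LOGIN
2018-05-02T03:02:10 vendor_pumpco 198.51.100.7 LOGOUT
2018-05-02T03:05:55 vendor_pumpco 203.0.113.10 LOGOUT
2018-05-02T08:30:00 ops_jsmith 192.0.2.44 LOGIN
2018-05-02T17:01:22 ops_jsmith 192.0.2.44 LOGOUT
"""

# Hypothetical vendor inventory: account -> known source IPs and allowed maintenance window.
VENDOR_ACCOUNTS: Dict[str, dict] = {
    "vendor_pumpco": {"known_ips": {"203.0.113.10"}, "window": (time(7, 0), time(19, 0))},
}


@dataclass
class Finding:
    when: datetime
    user: str
    ip: str
    reason: str


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed log format into (timestamp, user, ip, event), sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, ip, event = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, event))
    events.sort(key=lambda e: e[0])
    return events


def analyze_vpn_log(text: str, vendors: Dict[str, dict] = VENDOR_ACCOUNTS) -> List[Finding]:
    """Return behavioral findings for vendor-window, unseen-IP and concurrent-session anomalies."""
    findings: List[Finding] = []
    active: Dict[str, Dict[str, datetime]] = defaultdict(dict)  # user -> {ip: login time}
    for ts, user, ip, event in parse_log(text):
        if event == "LOGOUT":
            active[user].pop(ip, None)
            continue
        profile = vendors.get(user)
        if profile is not None:
            # Third-party account: check the agreed window and the known source addresses.
            start, end = profile["window"]
            if not (start <= ts.time() <= end):
                findings.append(Finding(ts, user, ip, "vendor login outside maintenance window"))
            if ip not in profile["known_ips"]:
                findings.append(Finding(ts, user, ip, "vendor login from previously unseen source IP"))
        # Any account: a new session while another is open from a different IP is suspicious.
        others: Set[str] = {a for a in active[user] if a != ip}
        if others:
            findings.append(Finding(ts, user, ip,
                                    "concurrent session already active from " + ",".join(sorted(others))))
        active[user][ip] = ts
    return findings


if __name__ == "__main__":
    for f in analyze_vpn_log(SAMPLE_LOG):
        print(f"{f.when.isoformat()} {f.user} {f.ip}: {f.reason}")
```

On the constructed log, the two 02:xx logins are flagged (outside the window, one from an unseen address, and the second overlapping the first), while the internal staff account and the daytime vendor session produce nothing. In practice the vendor inventory is the hard part: the checks are only as good as the organization's knowledge of which third parties hold VPN access and when they are expected to use it.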