Headlines are full of proclamations covering the latest industrial control system (ICS) attacks and threats to critical infrastructure. But behind each prominent event lies a trendline running from the 2015 Ukraine power outage through the 2017 attack on safety systems at an oil and gas facility in Saudi Arabia. Looking beyond media reporting, two clear patterns emerge in how ICS attacks have evolved: first, initial attack vectors increasingly avoid malware and other techniques that are tell-tale signs of advanced adversary activity; second, complex malware is introduced only at the final, ICS-disruptive stage of an intrusion, where it codifies ICS-specific knowledge so that nearly any computer network operations operator can execute complex commands against the targeted process.
Examining these trends reveals a definite direction in how future attacks will unfold within the ICS space, as adversaries seek to satisfy the seemingly mutually exclusive goals of evading detection and deploying increasingly advanced capabilities. By adopting and understanding a “complete kill-chain” approach to ICS attack methods, defenders – from ICS asset owners and operators to national governments to intergovernmental organizations – can begin formulating defensive plans to detect and mitigate future attacks.
To describe and defend this thesis, ICS-disruptive events from the past four years are analysed in detail to identify how these threats have evolved over time and what complementary measures are necessary to defeat them. A thorough understanding of the risk posed by ICS attacks will allow stakeholders, from ICS operators to policymakers, to begin identifying and implementing appropriate controls and security measures to safeguard critical infrastructure and prevent future, potentially catastrophic attacks.