The devices and protocols used in ICS are present in nearly every industrial sector and are at significant risk of disruption by malicious adversaries. We, as cybersecurity professionals, cannot wait for governments across the globe to motivate industry to protect itself through regulation or compliance. We need to take direct action now to actively protect our systems and societies.
Who still believes that their critical infrastructure is secure?
“INCONTROLLER represents an exceptionally rare and dangerous cyber-attack capability” – Mandiant
“Chernovite’s PIPEDREAM can execute 38 percent of known ICS attack techniques and 83 percent of known ICS attack tactics” – Dragos
INCONTROLLER was built to manipulate and disrupt industrial processes; PIPEDREAM, Dragos's name for the same toolset, is now the seventh known industrial control system (ICS)-specific malware. Cybersecurity professionals discovered and analyzed this framework, and published defenses against it, before it was seen deployed. Identifying risk is something we in cybersecurity are good at. Treating risk is where the industry struggles most, facing external challenges such as budget, a shortage of skilled staff, and the "it won't/can't happen to us" mentality. Guidance on how to protect these systems exists, yet implementing the changes that correct the vulnerabilities still takes dangerously long or is ineffective.
While INCONTROLLER was discovered before being used in the wild, it has since been weaponized, so expect the stakes to keep rising. INCONTROLLER/PIPEDREAM jeopardizes many critical infrastructures by sabotaging devices that are integrated with automated machinery, devices that often sit in inconspicuous parts of industrial operations. We have yet to understand the full-scale consequences of this.
What's changed since the 2000s approach of being off-grid?
For many years, the only real protection was keeping Operational Technology (OT) isolated from the business IT network, though an isolated network is still prone to its own set of failures if not implemented correctly. Meanwhile, rising costs of raw material extraction and processing, scarcity of resources, and global economics have all played their part in squeezing margins. The drive to reduce costs and improve efficiency means industrial control systems, and their management layer, are now doing something they were never designed for: being internet facing. Regardless of novel approaches such as one-way traffic controllers (data diodes), connected is still connected. Visible. Reachable.
In December 2016, attackers cut power to part of the Ukrainian grid using the Industroyer malware. Despite that experience, a recompiled variant, Industroyer2, was used in April 2022 in another attempt against the same grid, which CERT-UA reported as prevented. To date, investigators have not disclosed how the attackers compromised "patient zero" at the energy provider, nor how they moved from the IT network to the Industrial Control System (ICS) network. This is just another example of how good attackers are at finding weaknesses to exploit, and how difficult it is for defenders to keep up. As the old saying goes, they only need to get it right once; we need to get it right every time.
This new Industroyer campaign followed multiple waves of wipers targeting various sectors. Wiping data and systems is another way to disrupt business. While these targets were part of "critical infrastructure", that in no way means they are unique. Media may focus on nation-states, but attackers do not discriminate: any target is as good as another, and they know that with patience there is always a vulnerability to discover and exploit.
Is there a path forward in this new era of brazen attacks?
The only truly secure systems and data are completely disconnected from the internet. Yet as the International Society of Automation points out in its myth-busting series of blogs, "…a true airgap is no longer practical in an interconnected world. While many will agree that airgaps are disappearing, some still believe this is a viable security measure."
So if disconnected equals secure yet impractical, and connected equals practical yet insecure, is there a third alternative? Let’s explore this further.
There is an important distinction to draw about the claims of disconnectedness that traditional 'airgap' technologies make. "Logically" disconnected systems are not physically disconnected; they are hidden or obfuscated behind layers of software, and it is that same software that is the vulnerability. In a software-defined network, considerable due diligence is needed to see beyond the marketing material of a software-only airgap solution. When something is completely physically disconnected, the element of human error (the back door an admin leaves open for management, the password that is never set or changed) is mitigated by the fact that the asset isn't connected in the first place. The practical steps toward that end are:
- Use the MITRE ATT&CK for ICS matrix to assess the current maturity of your defense, incident response and recovery resources and processes where they apply.
- Monitor industrial environments for all threat behaviors in the MITRE ATT&CK for ICS matrix; adversaries are increasing the scope and scale of their capabilities.
- Starting with the most at-risk networks and highest-value assets, begin segmenting your infrastructure physically from the internet and the business IT network. Overcome the connected/disconnected challenge with Goldilock TruAirgap™, which enables networks to be totally isolated from each other and brought back into contact on demand.
- Ensure ICS visibility and threat detection cover all ICS-specific communication; network edge and perimeter monitoring alone are insufficient against PIPEDREAM.
- Maintain knowledge and control of all assets within Operational Technology (OT) environments, including ensuring that only known-good firmware and controller configuration files are in use.
- Maintain a fully researched and rehearsed industrial incident response plan that covers adversary attempts to deny, disrupt, and destroy processes, which can cause extended time-to-recovery.
- Isolate system and data backups from ransomware that targets them specifically. Leverage Goldilock TruAirgap™ for this use case to physically isolate backups, comparable to taking tapes and drives off site. Control access via Goldilock's 3-factor authentication: something a user has, something they know, and a physical barrier with an out-of-band control mechanism.
- Finally, no more "I should have done this sooner, but it was complicated" excuses. Do it now: get your critical infrastructure off the internet with an airgap that meets the needs of your OT environment and the downward pressures of the organization. Manage your cybersecurity risks by reducing 24/7 internet-connected networks, so your ICS is no longer exposed to exactly this vulnerability. This is serious, and it isn't going to get better.
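As an added example that is not from the original post or from Goldilock: the visibility point in the list above (perimeter monitoring does not see what ICS-specific traffic is doing) is easiest to appreciate with protocol-aware inspection. The Python below parses Modbus/TCP frames, used here only as a representative ICS protocol since the post names none, and flags write commands from any host that is not on an assumed engineering-workstation allowlist, which is the kind of state-changing command ATT&CK for ICS catalogues as Unauthorized Command Message (T0855). The IP addresses, the allowlist and the frames are all constructed for illustration.

```python
"""Minimal Modbus/TCP write monitor (added example, not from the original post).

Parses the MBAP header and function code of each frame and raises an alert
when a write function code arrives from a host outside ALLOWED_WRITERS, or
when a frame on the Modbus port is not well-formed Modbus at all.
"""
import struct

# Modbus function codes that change controller state (coils/registers).
MODBUS_WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Hypothetical allowlist: only the engineering workstation may write to PLCs.
ALLOWED_WRITERS = {"10.0.5.10"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse MBAP header + function code; raise ValueError on malformed input.

    MBAP layout: transaction id (2), protocol id (2, must be 0),
    length (2, counts unit id onwards), unit id (1); then the PDU,
    whose first byte is the function code.
    """
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    start = None
    # For the single/multiple write functions the PDU continues with the
    # starting address (2 bytes); fc 23 starts with the *read* address, so skip it.
    if fc in (5, 6, 15, 16) and len(payload) >= 10:
        start = struct.unpack(">H", payload[8:10])[0]
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": fc, "start_address": start}


def analyze(frames) -> list:
    """Return alerts for (src_ip, dst_ip, payload) tuples captured on TCP/502."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "kind": "malformed",
                           "detail": str(exc)})
            continue
        fc = req["function_code"]
        if fc in MODBUS_WRITE_FUNCTIONS and src not in ALLOWED_WRITERS:
            alerts.append({"src": src, "dst": dst, "kind": "unauthorized_write",
                           "detail": (f"{MODBUS_WRITE_FUNCTIONS[fc]} (fc {fc}) "
                                      f"unit {req['unit_id']} "
                                      f"addr {req['start_address']}")})
    return alerts


# Constructed sample traffic: (src_ip, dst_ip, raw TCP payload).
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers: benign.
    ("10.0.5.20", "10.0.7.1", bytes.fromhex("00010000000601030000000a")),
    # Engineering workstation writes register 0x10: allowed.
    ("10.0.5.10", "10.0.7.1", bytes.fromhex("0002000000060106001000ff")),
    # Unknown host writes two registers starting at 0x10: alert.
    ("10.0.9.77", "10.0.7.1", bytes.fromhex("00030000000b0110001000020400010002")),
    # Same host forces a coil on: alert.
    ("10.0.9.77", "10.0.7.1", bytes.fromhex("00040000000601050013ff00")),
    # Non-zero protocol id on port 502: not Modbus, flag as malformed.
    ("10.0.9.77", "10.0.7.1", bytes.fromhex("00050001000601030000000a")),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES):
        print(f"[{alert['kind']}] {alert['src']} -> {alert['dst']}: {alert['detail']}")
```

In practice the payloads would come from a SPAN port or tap feeding a packet library, and the same structure extends to the other protocols PIPEDREAM speaks (OPC UA, CODESYS); the point is that a firewall seeing "TCP/502 from an internal host" passes all five frames, while protocol-aware inspection distinguishes a routine read from a write that reconfigures a controller.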
In the face of such risk, put your trust into simple yet effective solutions that solve real world problems and ensure your systems are not sitting ducks for cyber-offenders. Be IN CONTROL, not INCONTROLLER’ed.