Today at Dragos we unveil a public dashboard of industrial-focused activity groups that are expending significant resources to exploit, disrupt, and potentially destroy industrial systems, with consequences that include operational downtime, loss of life, and environmental damage. Not all of them are equally mature: some are still gathering information, while others have matured into developing complex tools explicitly designed for industrial equipment. Our goal is to open a small window into this threat landscape and educate the broader community about its reality.
The current industrial threat landscape is concerning. All of our intelligence suggests that industrial operators are entering a period of sustained growth in threat activity that will likely last at least the next decade. Nobody is facing a “cyber Pearl Harbor” as some pundits suggest, but it is not a quiet and calm environment either.
ICS defenders today face threat scenarios deemed near impossible only a couple of years ago. Protection and safety systems have always been thought of as the last line of defense against cyber threats; this past year those too were breached and impacted, leaving industrial systems exposed as never before. No responsible operator can turn a blind eye to the cyber threat.
Many in ICS security are wary of invoking Stuxnet, as it is largely dated. But as it is the most widely understood ICS malware, it is important to place it in the context of today’s landscape, and comparing the lessons of Stuxnet with contemporary threats provides valuable insight into the underlying types of ICS threats.
Amongst all of the ICS-focused malware, Stuxnet stands out historically. All available intelligence strongly supports the assertion that Stuxnet was a focused military operation. It was precisely engineered to limit its effect to one specific military facility and to one process, uranium enrichment, which is not widely conducted in civilian infrastructure.
Therefore, while Stuxnet was the first publicly revealed ICS-focused malware and holds many lessons for securing control systems, over-relying on that one case to secure control systems today would be a mistake. None of the ICS threats we follow today that affect civilian control systems follow the Stuxnet pattern, and defenses built specifically against Stuxnet would add little protection against today’s ICS threats.
Fundamentally, the gap between Stuxnet and today’s civilian ICS threats is a chasm. Stuxnet was designed as a precision single-use weapon, while today’s ICS threats are frameworks designed for scale and global reusability. Yes, Stuxnet caused infections outside its targeted environment, Natanz, triggering incident response and clean-up. But, as we now know, the malware itself would not have caused any further disruption because of its self-limiting checks, which kept the payload from activating outside the target configuration it was built for.
But the “Stuxnet moment” is important to civilian ICS asset owners and operators today. Until Stuxnet was public, ICS cyber operations were the sole domain of only the most rarefied adversaries. The publication of Stuxnet prompted serious investment in ICS-disruption capabilities by many other adversaries seeking what they perceived as capability parity with other states: “if they can attack our control systems, then we need to be able to respond with the same!”
Beginning with the discovery of Stuxnet in 2010, there have been five distinct malware families engineered to target operational industrial environments (Stuxnet, Havex, BlackEnergy 2, CRASHOVERRIDE, and TRISIS). Only three of those families disrupt control systems (Stuxnet, CRASHOVERRIDE, TRISIS); two of the three were discovered last year and were used within a year of each other (2016-2017). Dragos has recorded at least ten distinct campaigns by adversaries targeting OT environments in the last two years alone.
Several factors led to the ICS threat growth:
As of May 2018, Dragos tracks seven named activity groups explicitly targeting and operating inside ICS networks. But there is much more activity not yet categorized, and we suspect many more groups are operating globally.
The most striking feature of the current ICS threats facing defenders is the tradecraft they share. While the final, impact-causing element of each threat is “novel”, the months and years of operations leading to that point are surprisingly common across groups. There is little evidence that defenders should be overly concerned with the “novel” components of an ICS attack.
Instead, focus on the whole adversary process, the “kill chain”: the initial access, lateral movement, and intelligence gathering that take months or years before any disruption. Organizations and defenders have a far better chance of discovering and remediating ICS threats during this phase, before any disruption occurs.
For instance, almost every ICS intrusion Dragos has monitored began with remote access from outside the industrial environment: either compromised VPN credentials belonging to third-party vendors, or an intrusion into the IT/business network through email phishing and strategic web compromise (i.e., “watering holes”). These adversaries focus on stealing passwords so they can masquerade as legitimate users.
These are not the novel attack scenarios theorized by many and published by the hacker-research community; few, if any, zero-day vulnerabilities are employed. These traditional approaches are good news for defenders, because success is achievable by focusing on known behaviors rather than hunting for novel tradecraft. Things may change as we learn more and adversaries evolve, but for now we are not in a complicated place.
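To make the “known behaviors” point concrete, here is an added example (not from the Dragos post or its dashboard) of the kind of detection logic a defender can run over VPN authentication logs to catch misuse of third-party vendor credentials early in the kill chain. The log format, account names, IP addresses, maintenance window and thresholds are all constructed for illustration; a real deployment would read the concentrator’s own log format and the site’s own vendor access policy.

```python
"""Flag suspicious third-party VPN logins over constructed log lines.

Added example, not code from the original post. The behaviours checked are the
ones the text names (reuse of stolen vendor VPN credentials, password theft),
not any specific adversary's tradecraft. Everything below is hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a generic VPN concentrator log (hypothetical format):
# <ISO timestamp> <result> user=<account> src=<ip>
SAMPLE_LOG = """\
2018-05-01T02:10:04Z LOGIN_OK user=vendor_acme src=198.51.100.23
2018-05-01T02:12:31Z LOGIN_OK user=vendor_acme src=203.0.113.9
2018-05-01T09:15:00Z LOGIN_OK user=vendor_acme src=198.51.100.23
2018-05-01T10:00:12Z LOGIN_FAIL user=operator.jones src=203.0.113.77
2018-05-01T10:00:15Z LOGIN_FAIL user=operator.smith src=203.0.113.77
2018-05-01T10:00:19Z LOGIN_FAIL user=vendor_globex src=203.0.113.77
2018-05-01T10:00:22Z LOGIN_OK user=vendor_globex src=203.0.113.77
2018-05-01T14:30:00Z LOGIN_OK user=operator.jones src=192.0.2.44
"""

# Hypothetical site policy: vendor accounts are expected only inside an agreed
# maintenance window (UTC hours, half-open) and only from registered addresses.
VENDOR_PREFIX = "vendor_"
MAINTENANCE_WINDOW = (8, 18)
KNOWN_VENDOR_SOURCES = {
    "vendor_acme": {"198.51.100.23"},
    "vendor_globex": {"192.0.2.10"},
}
SPRAY_THRESHOLD = 3              # distinct accounts from one source IP ...
SPRAY_WINDOW = timedelta(minutes=5)  # ... within this window => spraying

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # real logs carry noise lines; skip anything unparsed
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_vendor(user):
    return user.startswith(VENDOR_PREFIX)


def detect(events):
    """Return (rule, subject, detail) findings for the three behaviours checked."""
    findings = []
    # Rules 1 and 2: successful vendor logins off-hours or from an unknown source.
    for ev in events:
        if ev["result"] != "LOGIN_OK" or not is_vendor(ev["user"]):
            continue
        if not (MAINTENANCE_WINDOW[0] <= ev["ts"].hour < MAINTENANCE_WINDOW[1]):
            findings.append(("vendor-off-hours", ev["user"],
                             f"{ev['ts'].isoformat()} from {ev['src']}"))
        if ev["src"] not in KNOWN_VENDOR_SOURCES.get(ev["user"], set()):
            findings.append(("vendor-unknown-source", ev["user"], ev["src"]))
    # Rule 3: one source IP trying many accounts in a short window (password
    # spraying), reporting which accounts it eventually got into.
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= SPRAY_WINDOW]
            users = {e["user"] for e in window}
            if len(users) >= SPRAY_THRESHOLD:
                succeeded = sorted(e["user"] for e in window if e["result"] == "LOGIN_OK")
                findings.append(("password-spray", src,
                                 f"{len(users)} accounts, succeeded as {succeeded}"))
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for rule, subject, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {subject:16} {detail}")
```

On the constructed sample this reports two off-hours logins and one unknown-source login for `vendor_acme`, an unknown-source login for `vendor_globex`, and a spray from 203.0.113.77 that ended in a successful `vendor_globex` login. None of these rules needs knowledge of a zero-day or of the eventual ICS payload; they key on the credential-misuse stage the text describes, which is where the intrusion is still cheap to remediate.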
Here are lessons for defenders based on many recent ICS network intrusions: