Project MIMICS – Stage One

What can the community learn in terms of realistic metrics and data points around malware in modern industrial control systems (MIMICS) from completely public datasets? That’s what project MIMICS sets out to do. In this project the Dragos, Inc. team looked at public data sources such as VirusTotal to identify malware and (in many cases) legitimate ICS files being uploaded to encourage a more nuanced discussion around security in the modern ICS.

How It Started

In 2016 I began seeing more interest in the ICS security community from news media around stories such as incidental malware (non-targeted IT malware). Major stories would be picked up for a simple infection in an ICS as if these were extremely unique. The public metrics, as an example, tend to point to either very high (500,000+ cyber attacks) to very low (ICS-CERT’s ~260 incidents per year) counts of non-targeted intrusions and malware infections. The ICS-CERT’s numbers are far more respectable but each year that they identify the attack vectors you will see that the #1 attack vector is “Unknown” followed by the #2 attack vector of “spear phishing”. But we don’t have a lot of email servers in industrial environments (hopefully none). What the metrics are really saying is that when an infection is actually seen, it’s because it comes in through the business networks; otherwise we simply do not know how it got there as a community (although there are some industry leaders doing very well).

I also started seeing some IT security companies picking up ICS security stories and making a bigger deal out of the potential impact than was realistic. Security in the ICS is very important to safety and reliability but the power grid isn’t going to just fall over and gas pipelines aren’t going to start exploding over random infections or non-nation-state actors deciding to target them. I began to wonder, and finally hypothesize, what are some real metrics we could generate around malware infections in ICS to give a realistic approach to the numbers. It was my hope the data would give ICS security practitioners the ammo they need to talk about security without hype and fear, while encouraging those outside the ICS security community to also take a realistic approach to understanding our environments.

Ben Miller, Director of the Dragos Threat Operations Center, then took my hypothesis and put a ton of work into identifying, analyzing, and extracting lessons learned around his discoveries. This research was only possible because of the significant amount of effort he put into the data collection and analysis. You will see us present this research in a few places starting as the keynote for the SANS ICS Summit. Later this year we will show off the second phase of this research into a more targeted threat discussion as well.

The First Finding – Non-Targeted IT Infections are Numerous

The first discovery from Ben’s efforts was around ~30k samples of infected ICS files and installers dating back to 2003. The major offenders of course are those pieces of malware that spread quickly in environments, viruses, such as Sivis, Ramnit, and Virut. Lesser offenders, Trojans, may not have the same high number counts of infections but give access to environments that are connected to the Internet to the adversary. So while these are not targeted intrusions or infections, they still can have impact to environments or give adversaries access.

From our analysis, there are around 3,000 unique industrial sites a year that are infected with traditional non-targeted malware. Obviously not all of the sites are having their files submitted to public databases such as VirusTotal. This allows us to assess that this number is very conservative but allows the community to have a base metric to use now. We do not need news stories because 1 nuclear facility was infected with Ramnit. It happens a lot. It doesn’t mean that safety is ever compromised or that the sky is falling but asset owners and operators can be assured that simple best practices such as network security monitoring will absolutely contribute to better reliability in their ICS.

The Second Finding – Targeted ICS Intrusions are Not So Rare

There have only ever been three publicly showcased pieces of ICS tailored malware: Stuxnet, Havex, and BlackEnergy2. There have been rumors around another 1 or 2 pieces of ICS tailored malware leveraged in active campaigns and there have been some proof of concept demonstrations potentially from researchers such as IronGate. But Stuxnet set the bar high for the expectation that ICS tailored malware is required to target and disrupt operations. Hopefully, Ukraine 2015 helped show that an adversary leveraging the ICS against itself is just as much of a threat.

As far as ICS targeted intrusions through ICS-themed malware (specifically targeting ICS operators and engineers or theming the malware to look like ICS software) there are only a handful of examples. The hypothesis for this portion of the research was that there are many IT security companies who just don’t know what to look for in terms of what matters for ICS software and installer paths to determine legitimate from illegitimate (or have enough customers to care about ICS much). In our research, we found a dozen such ICS-themed malware intrusions.

Of the dozen ICS-themed malware cases one really stood out. Starting in 2013 there were submissions from an ICS environment in the US for Siemens programmable logic controller (PLC) control software. The various anti-virus vendors were flagging it as a false positive initially and then eventually a basic piece of malware. Upon our inspection, we found that variations of this file and Siemens theme 10 times over the last 4 years with the most recent flagging of this malicious software being this month in 2017. In short, there has been an active infection for the last 4 years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software. The malware is simply crimeware but has seemingly been effective.

We are digging into this case and will report back to the community if there is anything specific but there’s no reason for alarm or hype here. These types of cases are actually not that unique; and this is again what this research is about: highlighting that the threats are real, but not life changing, and should be taken seriously with a sound approach to the priorities in industrial environments. As an example, simple supply chain awareness of software would eliminate this attack vector. Identify the digital hash of the software from the vendor, download the software, and check the hash against the known-good before installing it in the industrial environment.

The Third Finding – Operational Security (OPSEC) Issues Exist

The last finding we had was driven by the hypothesis that many of the IT security teams and security technologies that are not used to ICS environments may be flagging legitimate ICS software as malicious where it could be inappropriately placed in public databases. In testing this hypothesis we found thousands of unique pieces of ICS software such as human machine interface installers, data historian installers, and key generators for those software in these databases. This means that adversaries can simply download these software files and leverage access to them for their own learning and practicing. Keeping our legitimate software out of the hands of the adversaries helps lengthen the time it takes them to target our environments.

Interestingly, we found over 120 project files that were flagged and submitted to these public databases. Lastly, there were a number of unique reports, NRC (Nuclear Regulatory Commission) reports, substation layouts and maintenance reports, and more all in the database. There are a few lessons here: have a discussion with the IT security teams (out-sourced or on-site) on what is legitimate and what should not be submitted to the internet, validate what your security technologies are submitting to databases such as VirusTotal (to my knowledge no AV company directly submits files to VirusTotal but some vendors submit bulk sets of files after they are done indexing it and analyzing it meaning you rely on their ability to sanitize your data), and be proactive in looking at such databases for your own files and information.

Conclusion

In conclusion, we now have some better empirical data around traditional IT malware (non-targeted) infecting industrial environments. Asset owners and operators as well as their IT and OT security teams should look to taking an active defense approach of network security monitoring and security best practices to help the reliability of those operations. This dataset should give people the ammo to make the argument for safety and security without having to rely on hype.

We also now have a better view into a few case studies of targeted intrusions into ICS networks by theming malware after ICS software and installers. At a minimum, we have a dozen of such cases over the last few years and simple practices such as software supply chain validation can reduce or eliminate a concerning attack vector. Lastly, we can also confidently assess that sensitive datasets are being submitted to public infrastructure due to poor OPSEC practices around analyzing and identifying malicious software in the ICS that is accidently flagging legitimate ICS software.

It is our hope that this census-like data is useful to the community as a base to some important discussions taking place. Our research and a deep-dive into it will be presented at various conferences and recorded at a few of them. I will update this blog later when the recordings are available online and add them for folks who are interested in viewing them.

As always – happy hunting and best of luck!