The security community has seen multiple high-profile incidents targeting industrial control systems (ICS) over the past few years. No one can forget Christmas 2015, when a threat actor linked to the Russian government sent spear-phishing emails to the Western Ukrainian power company Prykarpattyaoblenergo. Those messages were laced with BlackEnergy, a form of malware which used a plugin known as KillDisk to overwrite sensitive documents. The attack caused so much "interference" on the company's systems that an area in Ukraine including the regional capital Ivano-Frankivsk subsequently suffered a power outage. Just a few months later in August 2016, we learned of an attack campaign known as Operation Ghoul. Bad actors sent spear-phishing emails to at least 130 organizations, with many operating in the petrochemical, naval, military, aerospace, heavy machinery, solar energy, steel, pumps, and plastics industries. These emails delivered HawkEye/KeyBase spyware to recipients who opened their malicious attachments. No one can deny these attacks' significance. But the security community may still have yet to appreciate the full impact of these events. Robert M. Lee is the CEO and Founder of the critical infrastructure digital security company Dragos. He feels part of what might be holding back the security community is the media's treatment of security incidents involving industrial control systems. Not only are media outlets blowing stories of infections out of proportion, he argues, but they're also choosing stories about incidental (non ICS-targeted) malware. As Lee explains in a blog post:
"Major stories would be picked up for a simple infection in an ICS as if these were extremely unique. The public metrics, as an example, tend to point to either very high (500,000+ cyber attacks) to very low (ICS-CERT’s ~260 incidents per year) counts of non-targeted intrusions and malware infections. The ICS-CERT’s numbers are far more respectable but each year that they identify the attack vectors you will see that the #1 attack vector is 'Unknown' followed by the #2 attack vector of 'spear phishing'. But we don’t have a lot of email servers in industrial environments (hopefully none). What the metrics are really saying is that when an infection is actually seen, it’s because it comes in through the business networks; otherwise we simply do not know how it got there as a community (although there are some industry leaders doing very well)."
To address this ignorance, Lee thought it would be useful to develop some metrics that controllers could use to secure their systems. Ben Miller, director of the Dragos Threat Operations Center, ran with this idea by analyzing data that pertains to ICS security incidents. He made some important discoveries along the way. These are as follows:
1. Non-Targeted Malware Is Prolific
Miller's efforts revealed approximately 30,000 samples of malicious files capable of infecting ICS environments. Some of these threats spread quickly throughout ICS environments, while some can afford attackers with access to environments that are connected to the web. On average, non-targeted malware strikes 3,000 industrial sites a year.
2. ICS Targeted Intrusions Are Rare
Stuxnet, Havex, and BlackEnergy2 are the only ICS-tailored malware whose attacks have gained public attention. As a result, it's no surprise there are only about 12 documented ICS targeted intrusions that employ these malicious families. Dragos is currently investigating one of those dozen events. As revealed by Lee:
"Starting in 2013 there were submissions from an ICS environment in the US for Siemens programmable logic controller (PLC) control software. The various anti-virus vendors were flagging it as a false positive initially and then eventually a basic piece of malware. Upon our inspection, we found that variations of this file and Siemens theme 10 times over the last 4 years with the most recent flagging of this malicious software being this month in 2017. In short, there has been an active infection for the last 4 years of an adversary attempting to compromise industrial environments by theming their malware to look like Siemens control software. The malware is simply crimeware but has seemingly been effective."
3. Industrial Organizations Could Improve Their OPSEC
Finally, Miller found that IT security systems that aren't familiar with ICS environments are flagging legitimate ICS software as suspicious. That's a problem because these tools can place the software in databases available to anyone--even adversaries who can download them and develop attacks against industrial organizations. In total, he found 120 project files along with reports and substation layouts available on databases like VirusTotal.
ICS Security Going Forward
Miller's findings are cause for a concern, but only to a certain extent. Organizations can leverage security best practices like continuous monitoring, conduct supply chain awareness of security software, and maintain an ongoing dialogue with their IT security teams about what files are legitimate to respond to the trends identified by Miller. Industrial companies should also recognize that technological innovation is increasingly pulling IT and OT together. Rather than fight this trend, they should embrace it and help teams converge and work together to defend against digital attackers. If you are interested in learning more about Industrial Cyber Security you can download our new e-book, “Industrial Cyber Security For Dummies” here.
