Side effects of an ICS attack
Specific threats against Industrial Control Systems (ICS) are becoming more frequent in the information security landscape. There are many differences between standard IT security and ICS security, the two most important being the availability requirements of the control system and the consequences of an attack; more on this in a future entry. Before going into details, I would like to mention some of the most important sectors in the ICS spectrum: Energy, Nuclear, Communications, Emergency Services, Transportation Systems, and Water Systems [1].
From the point of view of availability, ICS products and processes are configured as a continuous loop, so ICS devices cannot be stopped on an ad-hoc basis in order to mitigate risks or attacks. At the same time, the consequences of a successful attack generate a different sense of urgency compared to IT because of their kinetic nature. In other words, in a data leak case the affected people might receive a procedure from the affected company to apply a temporary solution (changing passwords, settings, etc.), but the affected end users will not know exactly when or how their data could be used, or the consequences of that misuse, until it is already too late.
In the case of ICS, the kinetic impact is instantaneous and targeted (possibly disrupting daily life in a specific geographical region by attacking an electric plant and stopping energy production), and it could last for weeks or months depending on the level of destruction the attack caused. In the worst-case scenario, a successful attack against ICS infrastructure could cause the loss of lives.
As we can see, the kinetic impact is the most dangerous consequence of an attack against an ICS infrastructure.
2019 Attacks analysis
Although the world, from the IT perspective, is smaller than ever, the main targets of malicious actors are still large corporations in industrialized nations. These malicious actors can be divided into five groups [2]:
1. Nation State attackers: owners of APTs, with highly skilled resources and the capability to develop new threats.
2. Cyber Criminals: individuals or groups that perform cyber-attacks for financial benefit.
3. Hacktivists: individuals or groups that perform cyber-attacks on targets for political or ideological reasons.
4. Internal users: end users, system administrators, executives, etc.
5. Partners: defined as companies that provide services working together with, or by remote access to, the client company.
These groups are usually focused on large targets or, as mentioned earlier, targets located in industrialized countries, especially in the ICS area where the major players in energy and industry are located. Therefore, it is very interesting to see countries like Peru or Bolivia listed among the countries with the highest increase in the percentage of ICS computers on which malicious objects were blocked when removable media were connected, as shown in the following diagram:
Figure 1. Countries and territories with the highest increase in the percentage of ICS computers on which malicious objects were blocked when removable media were connected [3, 4].
Although these statistics focus on computers used in the ICS environment, the increase in blocked malicious objects is a clear indication that ICS attacks could happen in the near future, either because a compromised PC is connected directly to an ICS device, or because the malware is designed to use the PC infrastructure as a bridge to identify and compromise ICS devices.
The reason behind that assumption is that, although antivirus products (AVs) can be found in enterprise environments in South American countries, AVs are only able to detect commodity malware (in other words, historical malware), leaving the door open to more advanced ICS security threats.
Implementing more advanced or multi-layered security controls, especially for ICS in countries like Bolivia or Peru, is usually a difficult topic to discuss in a company of any size, primarily due to the cost associated with these products, and in addition to this the lack of understanding of how security works from the knowledge-cycle point of view, where additional investment in internal and external training is required.
Bolivia and Peru, why?
There are many reasons why attackers, mainly Cyber Criminals and Hacktivists, could be interested in attacking ICS infrastructure in Bolivia and Peru; here I present some of them:
1. Economic dependency
One of the biggest economic activities of countries like Peru and Bolivia, as well as other South American countries, is the extraction and export of natural resources. For example, Peru has important copper and gold mines that supply those minerals to countries like China, Japan, the US, etc., generating a good percentage of the country's annual budget and supporting the government's ability to improve the living conditions of its citizens. Any impact on that money-making engine will have a significant impact on the country's economy and therefore on its citizens.
In this case, Cyber Criminals and Hacktivists might be hired to do the job by the real organization interested in causing negative effects on these countries' economies.
2. Side effects on other economies
Having a large impact on raw-material-providing countries like Peru and Bolivia could affect their final customers, like China, Japan, the US, etc., preventing normal operations in their factories, which could slow down or halt if the ICS attack caused major damage to the infrastructure, causing a different impact on their economies.
In this case, as in the previous one, Cyber Criminals and Hacktivists might be hired to do the job by the real organization interested in causing negative effects on the main customers of these countries' production. In this particular case, Nation State attackers could be part of the attacking strategy.
3. Disgruntled workers
This is a common conversation in IT security, but not so common in ICS security because, due to the nature of the network, it is sometimes difficult to identify the unhappy worker. Still, the necessary measures should be considered, like the use of CCTV cameras at key points of the plant, or additional safety infrastructure and controls enforced across all resource levels in the organization.
Solutions available
As explained before, companies in Peru or Bolivia either do not have the conversation or do not have the required budget to invest. Taking those specific issues into account, here are some available solutions:
- Have an honest discussion about IT security with the people in your company and with management. IT security is mentioned because it is the front door of any ICS-related attack.
- Ask your IT security people to perform a risk assessment and define the critical infrastructure or systems from the IT point of view.
- Assess the condition of the ICS network used in the company: years of operation and life expectancy, upgradability, segmentation between the ICS network and the IT network, management requirements, etc.
- Collect all the results of your ICS assessment and perform a risk assessment of your ICS infrastructure. Different methods are available for this purpose (NIST SP 800-82, the North American Electric Reliability Corporation (NERC) standards, the Cyber Security Evaluation Tool (CSET), the Electricity Subsector Cybersecurity Risk Management Process, etc.); decide which one is most suitable for you and apply it. The result should be your critical infrastructure or systems [5, 6, 7, 8].
- With the risk assessment results, have a conversation with your IT security people and your ICS people, and cross-reference the two results (IT and ICS) of their corresponding risk assessments. The result should be the most important points to protect.
- Define the required strategy, from the IT security point of view, to protect those important points, the resources required and the associated budget.
- Check, and create if required, all policies according to local/international regulators and company-specific regulations.
- It is always a good idea to contact the ICS manufacturers and IT security vendors to create proofs of concept (POCs). The results of a system POC should show the system's effectiveness in applying the company's policies and in mitigating the discovered risks.
- Map the POC results to the available budget. This could give management the information needed to make the final decision to buy, implement, rent or outsource the given system.
To spend or not to spend, that is the dilemma
One useful factor when deciding on an expense in a company is the cost associated with a breach. Although in the case of an ICS attack the negative impact of the information disclosed is smaller compared to the real kinetic impact, it is still useful to explain to management how the reputation and normal operations of a company could be affected, and how difficult it could be to recover from it [9].
Having the IT and ICS teams working together on the results of the combined risk assessment could provide a valuable estimate of the cost associated with a breach, and depending on the nature of the company's business a much more detailed cost could be calculated. Obviously, if there is the slightest probability that an attack against the company could result in the loss of lives, the associated cost could go beyond the company's value, and definitely no amount of money could be enough for the families affected by that loss of life.
That being said, there are solutions for every pocket, either paid or open source, each with its own drawbacks; more on this in a future post. The biggest drawback of the paid ones is the budget required, not only for the solution itself but, even more important, for the training required for the people who will interact with the solution. Always remember that people are the most fundamental part of your People, Process and Technology (PPT).
As for open source solutions, although the cost associated with them is not that big, the hardware used in the solution is usually the largest direct cost, and the associated knowledge cost is the biggest impact on the company's budget. Having an in-house expert in an open source solution could be costly; moreover, debugging and administering an open source solution is not always straightforward, especially in an ICS environment, where availability is king.
Now, depending on the company's structure, your IT team could be outsourced, as could the company in charge of maintaining the ICS devices; or there may be no in-house expertise to rely on when making the different risk assessments and having the necessary discussions; or your senior management may want a third set of eyes to oversee the process (which is not a bad idea after all). In those cases, an additional cost could be hiring a consulting company to provide the expertise and solution. Depending on the task at hand and the company to be hired, this cost could represent a significant amount of budget, so be careful if you go this route and check as thoroughly as you can all the references and information about the consulting organization.
Conclusion
Although it is interesting to see countries like Bolivia and Peru in the list of countries affected by ICS attacks, ICS companies in general should have security as one of their priority tasks, even more so if an attack could potentially have a kinetic impact represented by loss of lives.
Risk assessments, from both the IT and ICS points of view, are required and should be cross-referenced and analyzed as a group by both IT and ICS teams.
Spending is always an issue, but it is necessary to avoid unwanted negative consequences and to act proactively against any possible ICS attack.
References
[1] Critical Infrastructure Sectors, Department of Homeland Security, US - https://www.dhs.gov/cisa/critical-infrastructure-sectors
[2] Creating a Threat Profile in your organization, SANS - https://www.sans.org/reading-room/whitepapers/threats/creating-threat-profile-organization-35492
[3] Threat landscape for industrial automation systems, H1 2019, Kaspersky - https://ics-cert.kaspersky.com/reports/2019/09/30/threat-landscape-for-industrial-automation-systems-h1-2019
[4] Infographic – ICS/OT Cyber Attacks, Galactic Security Systems - https://www.galacticsecurity.systems/
[5] Guide to Industrial Control Systems (ICS) Security (SP 800-82 Rev. 2), NIST - https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final
[6] North American Electric Reliability Corporation (NERC) - https://www.nerc.com/Pages/default.aspx
[7] Industrial Control Systems Assessments, CISA - https://www.us-cert.gov/ics/Assessments
[8] Electricity Subsector Cybersecurity Risk Management Process, U.S. Department of Energy - https://www.energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20-%20Final%20-%20May%202012.pdf
[9] The State of Industrial Cybersecurity 2018, Kaspersky - https://ics.kaspersky.com/media/2018-Kaspersky-ICS-Whitepaper.pdf