Side effects of an ICS attack

Side effects of an ICS attack

Specific threats against Industrial Control Systems (ICS) Security are becoming more frequent in the Information Security scenario. There are many differences between standard IT Security and ICS Security, being the two most important the availability of the Control System in ICS, and the attack’s consequences, more on this in a future entry. Before getting in details, I would like to mention some of the most important sectors in the ICS spectrum: Energy, Nuclear, Communications, Emergency Services, Transportation Systems, and Water Systems [1]

From the point of view of availability, due to the nature of ICS in which products or processes are configure in a loop, where due to the continuous cycle, ICS devices can’t be stopped in order to mitigate risks or attacks in an ad-hoc basis. At the same time, consequences of successful attacks generate a different sense of urgency compared to the ones in IT due to the kinetic nature. In other words, when there is a data leaked case, people affected might receive a procedure from the affected company to apply a temporally solution changing passwords, settings, etc., but affected end users will not know exactly when or how their data could be used or the consequences of that misuse until it is already too late.

In the case of ICS Systems, their kinetic impact is instantaneous, targeted (possibly affecting the normal life development of a specific geographical region by attacking an Electric Plant and stopping the energy production) and it could last for weeks or months depending on the level of destruction the attack caused. In the worst case scenario, a successful attack against ICS infrastructure could cause the loss of lives.

As we can see, the kinetic impact is the most dangerous consequence of an attack against an ICS Infrastructure.

2019 Attacks analysis

Although the world, from the IT perspective is smaller than ever, the main targets of malicious actors are still being large corporations in industrialized nations. These malicious actors could be divided in five groups [2]:

1.      Nation State attackers

APT owners, have highly skilled resources and are capable of develop new threats

2.      Cyber Criminals

Individuals or groups that perform cyber-attacks to get financial benefit from it.

3.      Hacktivists

Individuals or groups that perform cyber-attacks on targets for political or ideological reasons

4.      Internal users

End users, system administrators, executives, etc.

5.      Partners

Defined as Companies that provide Services working together or by remote access with the client company.

These groups are usually focused on large targets, or as mentioned earlier, targets localized in industrialized countries, especially in the area of ICS where mayor players of Energy or Industry are located. Therefore, it is very interesting to see countries like Peru or Bolivia listed as main countries with the highest increase in the percentage of ICS computers on which malicious objects were blocked when removable media were connected to them, as shown in the following diagram:

Figure 1. Countries and territories with the highest increase in the percentage of ICS computers on which malicious objects were blocked when removable media were connected [3, 4].

Although statistics are focused on computers used in the ICS environment, the increment of blocked malicious objects blocked is a clear indication that ICS attacks could happen in the near future, either because a compromised PC is connected to an ICS device directly or that the malware is designed to use the PC infrastructure as a bridge to identify and compromise ICS devices.

The reason behind that assumption is that although Antivirus (AVs) could be found in enterprise environments in South American countries, AVs are only able to detect commodity malware, in other words, historical malware, leaving the door open to more advanced ICS Security threats.

Implementation of more advanced or multi-layered security controls, especially for ICS in countries like Bolivia or Peru is usually a difficult topic to discuss in any company size, due primarily to the cost associated to these products, in addition to this is the lack of understanding how Security works from the knowledge cycle point of view where additional investment is required in internal and external training.

Bolivia, and Peru, why?

There are many reasons for attackers, mainly Cyber Criminals and Hacktivists, could be interested into attacking ICS infrastructure in Bolivia and Peru, here I present you some of them:

1.      Economy dependency

Countries like Peru and Bolivia, as well as other South American countries, because one of the biggest economic activities are the extraction and export of Natural resources, for example Peru has important cooper and gold mines that provide those minerals to countries like China, Japan, US, etc., generating a good percentage of the country’s annual budget and supporting the ability of the government to improve living conditions of their citizens. Having an impact on that money making engine will have a significant impact to the country’s economy and therefore to their citizens.

In this case Cyber Criminals and Hacktivists might be hired to do the job by the real organization interested into causing negative effects to these countries’ economies.

2.      Side effect in another economies

Having a large impact in raw material providers’ countries like Peru and Bolivia could impact their final customers, like China, Japan, US, etc., not allowing them to continue normal operations in their factories which could slow down, or halt them if the ICS attack caused a major impact in the infrastructure, causing a different impact on their economies.

In this case, as the same as the previous one, Cyber Criminals and Hacktivists might be hired to do the job by the real organization interested into causing negative effects in the main customers of these countries’ production. In this particular case, Nation State Attackers could be part of the attacking strategy.

3.      Disgruntled workers

This is a common conversation in IT Security, but not so common in ICS Security due that, because of the nature of the network, it is sometimes difficult to identify the unhappy worker. Still, necessary measures should be consider, like the use of CCTV cameras in key points of the plant, or additional Safety infrastructure and controls enforced among all resource levels in the organizations.

Solutions available

As explained before, companies in either Peru or Bolivia don’t have the conversation and/or don’t have the required budget to invest, assuming those specific issues, here are some solutions available:

1. Have an honest discussion about IT Security with the people in your company and management. The reason behind mentioning IT Security is because is the front door of any ICS related attack.
2. Ask your IT Security people to make a Risk Assessment and define the critical infrastructure or systems from the IT point of view.
3. Make an assessment of the condition of the ICS network used in the company, things like: years of operation and life expectancy, upgradability, segmentation between the ICS Network and the IT Network, management requirements, etc.
4. Collect all the results of your ICS Assessment and make a Risk Assessment of your ICS infrastructure, different methods are available for this purpose (NIST 800-82, North American Electrical Reliability Council (NERC), Cyber Security Evaluation Tool or CSET, Electricity Subsector Cybersecurity Risk Management Process, etc.) decide the one most suitable for you and apply it, the results should be your critical infrastructure or Systems [5, 6, 7, 8].
5. With the Risk Assessment results, have a conversation with your IT Security people, ICS people and cross reference the two results (IT and ICS) of their correspondent Risk Assessments. The result should be the most important points to protect.
6. Define the required strategy from the IT Security point of view to protect those important points, the resource required and the budget associated.
7. Check, and create if required, all policies according to local/international regulators and company specific regulations.
8. It is always a good idea to contact the ICS manufacturers and IT Security systems companies to create POCs. Results of the System POC should show the system effectiveness to apply Company’s policies, and its effectiveness to mitigate discovered risks.
9. Map the POC results with the available budget. This could give Management an idea to make the final decision to buy, implement, rent or outsource the given system

To spend or not to spend, there is the dilemma

One useful factor to decide an expense in a company is the cost associated with a breach. Although in the case of an ICS attack the breach negative impact of the information disclosed is smaller compared to the real kinetic impact, it is still useful to explain to management how reputation and normal operations in a company could be affected, and how could be difficult to recover from it [9].

Having the IT and ICS team working together on the results of the combined Risk Assessment could provide a valuable assessment on the cost associated with a breach and depending of the nature of the business of the company a much detailed cost could be calculated. Obviously, if there is the slightest probability that an attack against the company could result in the loss of lives, the cost associated could go beyond the company value, and definitely no amount of money could be enough for the families that could be affected because of that loss of live.

Being said that, there are solutions for every pocket and they can be either paid ones or open source ones, each one with their own drawbacks, more on this in a future post. The biggest drawback associated with the paid ones is the budget required, not only for the solution but, even more important, for the training required for the resources that will interact with the solution. Always remember that People are the most fundamental part of your People Process and Technology (PPT).

As for the Open Source solutions, although the cost associated with them is not that big, usually the hardware used in the solution is the largest cost associated; the knowledge cost associated is the biggest impact in the company’s budget. Having an in-house expert of an Open Source solution could be costly, moreover debugging and administrating an Open Source solution could not be always straightforward, especially in an ICS environment, where availability is king.

Now, depending on company’s structures, your IT Team could be outsourced as well as the company in charge of the ICS devices’ maintenance, or in the case that there is no expertise to rely on when making the different risk assessments and having the necessary discussions, or when your Senior Management wants a third set of eyes to oversee the process (which is not a bad idea after all), in those cases, an additional cost could be the hiring of a consulting company to provide the expertise and solution. Depending on the task in hands and the company to be hired, this cost could represent a significant amount of budget, therefore, be careful if you go this route, check as much as you can all the references and information about the consulting organization.

Conclusion

Although is interesting to see countries like Bolivia and Peru in the list of countries affected by ICS attacks, ICS companies in general should have Security as one of their priority tasks, moreover if an attack could potentially have a kinetic impact represented by loss of lives.

Risk assessments, from the IT and ICS point of view, are required and should be cross referenced and analyzed as a group by both IT and ICS teams.

Spending is always an issue, but necessary to avoid unwilling negative consequences, or negative impact, and to act proactively against any possible ICS attack.

References

[1] Critical Infrastructure Sectors, Department of Homeland Security, US -  https://www.dhs.gov/cisa/critical-infrastructure-sectors

[2] Creating a Threat Profile in your organization, SANS - https://www.sans.org/reading-room/whitepapers/threats/creating-threat-profile-organization-35492

[3] Threat landscape for industrial automation systems, H1 2019, Kaspersky - https://ics-cert.kaspersky.com/reports/2019/09/30/threat-landscape-for-industrial-automation-systems-h1-2019

[4] Infographic – ICS/OT Cyber Attacks, Galactic Security Systems - https://www.galacticsecurity.systems/

[5] Guide to Industrial Control Systems (ICS) Security, NIST - https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final

[6] North American Electric Reliability Corporation (NERC) - https://www.nerc.com/Pages/default.aspx

[7] Industrial Control Systems Assessment, CISA - https://www.us-cert.gov/ics/Assessments

[8] Electricity Subsector Cybersecurity Risk Management Process, U.S. Department of Energy - https://www.energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20-%20Final%20-%20May%202012.pdf

[9] The State Of Industrial Cybersecurity 2018 - https://ics.kaspersky.com/media/2018-Kaspersky-ICS-Whitepaper.pdf