Security vendor Dragos has highlighted the cybersecurity risks facing Industrial Control Systems (ICS). Many of these systems are used in critical national infrastructure (CNI). Hackers are beginning to exploit these systems for both financial and political gain.
The challenge for many users of ICS is that they lack an understanding of how vulnerable their systems are. Few have their own cybersecurity operations centre (SOC) to advise them on threats and provide solutions. They also have many generations of hardware which have little to no security built in.
A quick look at Shodan, a public search engine that identifies internet-connected devices, shows large numbers of ICS that are exposed to the Internet. The majority of these are insecure and open to attack. Hackers trade details on the effectiveness of attacks against different ICS. This means that the risks continue to grow.
Dragos has issued three separate reports today:
- Industrial Control Vulnerabilities 2017 In Review
- Hunting and Responding to Industrial Intrusions
- Industrial Control System Threats
While there is some overlap between the reports, when read together they make for disturbing reading. They show just how vulnerable many ICS installations are and how unprepared industry is to respond to the threat.
How bad was 2017?
The Industrial Control Vulnerabilities 2017 In Review document delivers some damning comments over the way vulnerabilities in ICS are dealt with. Reid Wightman, Senior Vulnerability Analyst, Dragos said: “In 2017, Dragos tracked 163 vulnerability advisories with an industrial control system (ICS) impact. Of these, the majority were vulnerabilities in insecure-by-design products which are typically deep within an ICS network.”
One of the major problems that Wightman calls out is how advisories are issued. He continued: “Dragos found that public reports failed to adequately define the industrial impact of vulnerabilities. Coupled with the fact that most public vulnerability disclosures provide no alternative guidance beyond, ‘patch,’ or ‘use secure networks.’”
What is worrying about this report is the damage the vulnerabilities can do. The report states that 63% of ICS vulnerabilities cause a loss of control. This could be by leaving a device unable to respond to new input (hard loss). Alternatively, where devices are still accessible, they may refuse to action new commands (soft loss). In addition, the majority of patches do not fully eliminate the risk due to poor product design. The scope of the problem is shown with 14 vulnerabilities per month being issued in 2017.
There are some bright spots. Only 15% of these vulnerabilities could be used to gain initial access into a network. The majority affect interior-only assets. However, several attacks have sought to steal security credentials or been launched by insiders. At this point, all vulnerabilities are in play.
What needs to be done?
One approach to improving security is to air-gap all ICS systems from the Internet. That is not always possible, especially when they are on remote sites. Wightman believes that companies should focus on Internet-facing systems first. These represent 30% of the vulnerabilities from last year. If this is made a priority, it will reduce the threat. It will also leave more time to address the remainder of the vulnerabilities.
Vendors also need to do more. 12% of advisories provided no mitigation at all. Of the remainder, the vast majority contained simplistic solutions such as ‘use a firewall’. Wightman believes that much more detail is needed, such as specific and reasonable guidance. Advisories should also provide more detail on the vulnerability and what can be done to mitigate it. The risk here, however, is that the same advisories can be used by hackers to improve their attack.
Dragos claims 2017 saw a significant change in threat levels
One of the surprises in this report is the sudden explosion of attacks in 2017. The report states that prior to 2017 there were only three ICS-specific malware families. That has grown to five and there are also five activity groups. The latter are described by Dragos as: “combinations of behavior or techniques, infrastructure, and victimology.” They have all demonstrated the capability to attack ICS networks or been identified carrying out reconnaissance.
Of more concern is that Dragos sees this as not representing the real situation. It claims that its research is just scratching the surface of the risks to ICS networks. This means that there is more bad news to come for CNI operators.
Joe Slowik, Adversary Hunter, Dragos said: “2017 represents a defining year in ICS security: two major and unique ICS-disruptive attackers were revealed; five distinct activity groups targeting ICS networks were identified; and several large-scale IT infection events with ICS implications occurred.
“While this represents a significant increase in ‘known’ ICS activity, Dragos assesses we are only scratching the surface of ICS-focused threats. 2017 may therefore represent a break-through moment, as opposed to a high-water mark – with more activity to be expected in 2018 and beyond.”
What new attacks and groups have been seen?
The two new attacks that came to the fore in 2017 are Trisis and CrashOverride. The former attacked safety systems from Schneider Electric. The latter targeted the electricity grid in Ukraine, leading to outages in Kiev. CrashOverride was created and distributed by Russian-backed malware actors Electrum.
One of the concerns is how quickly these two attacks could spread to other countries. The actors behind Trisis are currently unknown. However, as this was an attack in the Middle East, they are likely to be, at least, state sponsored. This may reduce the speed of spread to other locations. However, as was seen with Stuxnet, it doesn’t take long before attacks become more widespread as samples are gathered and analysed.
CrashOverride is a different issue. Electrum is believed to be active in several countries. Two days ago Anomali published its threat assessment of UK CNI. It raised concerns over threats to electricity generation. It would be interesting to know how many facilities in the UK and Europe, during the current extreme cold snap, have taken proactive steps to deal with CrashOverride.
Attackers are not just attacking ICS networks. They are engaged in probing and reconnaissance attacks. This allows them to identify weaknesses, infiltrate networks and prepare new attacks. There is so much activity going on that Dragos says it is confident that additional unknown events have occurred.
The report goes on to look in detail at the attacks and the activity groups. It also makes some recommendations for security teams. These are steps that can be easily implemented to improve defence.
According to Slowik: “While our visibility and efforts at hunting are increasing, we recognize that the adversaries continue to grow in number and sophistication. By identifying and focusing on adversary techniques – especially those which will be required in any intrusion event – ICS defenders can achieve an advantageous position with respect to identifying and monitoring future attacks.”
What does this mean?
ICS systems are the forgotten weaknesses inside many industrial environments. Some have been in place for decades and cannot be easily replaced. Over time, vulnerabilities and weaknesses have been exposed but protecting against them is not easy. While the majority of ICS networks are not directly connected to the Internet, some are. Those systems are connected to vendor networks or those of their partners. This means that IT departments have no visibility of the threats that they pose.
Dragos has laid out the risks from last year and the scale of the threats. It admits that the level of attacks and reconnaissance means that it has underestimated the threat. This should worry all those concerned with securing CNI and industrial premises.