Threats affecting industrial control systems
Industrial control systems are increasingly becoming subject to attack on the part of malicious users out to gain from their actions. But it's not just that; incidents such as Stuxnet show that these attacks are not random and that they are carried out by well qualified professionals with very specific objectives. Some of the big attacks registered have had significant media impact, affecting major companies, primarily in the corporate area of their networks but also in control systems, albeit without the same repercussion. Below we look at some cases of these attacks and how they have impacted the systems.
Known as BlackEnergy, this was the first successful known attack against an electricity distribution network, in this case against the electricity network of Ukraine in late 2015. BlackEnergy is not a malware but a well-known virus, the version of which used in this incident is rather different from the original. Originally it was a Trojan, used as a tool to create botnets tasked with performing denial of service attacks. In its latest incarnation, that used in this incident, BlackEnergy evolved to become an APT (Advanced Persistent Threat) including a KillDisk module and allowing it to run in SCADA systems. The infection vector was a spear phishing attack, sending emails containing a Word file through which the user was tricked into allowing the execution of a malicious macro that installed the malware. Once installed, it ran its KillDisk module, deleting the files from the system and corrupting the MBR, disabling the system.
CrashOverride, also called Industroyer, was a malware designed specifically to attack the energy distribution system of Ukraine and of which we speak in-depth in “CrashOverride: The ICS Malware Attacks Again”
Its principal feature is that it uses the functionalities of 3 famous industrial malware, namely Stuxnet, HAVEX/Dragonfly, and BlackEnergy2. It copies Stuxnet in the way it understands the industrial process so as to disrupt it. It copies HAVEX/Dragonfly in its mapping of the system architecture using OPC and, like BlackEnergy2, it reviews HMI configuration libraries and files to understand the environment it finds itself in and attempts to connect to the internet where possible.
Triton, or Trisis or Hatman, depending on the source consulted, is a malware designed to attack the protection elements of Schneider Electric. Specifically, the Triconex model is widely used in the energy industry, from nuclear facilities to oil and gas plants. It is the last known malware designed to specifically attack industrial systems.
The attack was launched by obtaining access to an SIS (Safety Instrumented System) with the subsequent deployment of Triton, seeking to wrestle control of the SIS system. This caused these devices, possibly due to a fault in the malware, to enter "test mode" completely shutting down the plant affected by the malware. The sector and location of the plant in question has never been revealed but it is thought to have occurred in Saudi Arabia.
The attack has not yet been attributed but it is believed, given the level of sophistication and the specific objectives, that the attack was sponsored by a country. This catalogues Trito as potentially part of testing for a cyberwar.
Wannacry is probably one of the most well-known security incidents of recent years due to its rapid spread and the impact it had on the corporate systems of many companies. Even though it was not part of its primary objective, it also managed to affect industrial control systems, infecting Windows computers that managed industrial control software.
WannaCry is a ransomware characterised by its rapid spread without any need for interaction from the user, using a Microsoft Windows vulnerability and a SMB protocol known as EternalBlue. The main characteristic of WannaCry and what makes it different from other similar malware is that a system can be infected with WannaCry with no need for any interaction on the part of the user.
And why did WannaCry affect industrial control systems and OT environments in general when the attack was not aimed at them? Many plant systems (HMI, engineering station, etc.) use Windows as the platform and the SMB protocol to communicate, and, through shared folders were thus also affected by the EternalBlue vulnerability. The lack of patching on many computers (a fact aggravated in OT, where patching is more difficult) combined with the lack of correct segmentation, created a favourable environmental for the infection of computers, paralysing many processes.
NotPetya is a wiper malware that simulates a ransomware attack but whose ultimate purpose is to irreparably damage the system, just like WannaCry. Even though industrial systems were not the primary target, many were affected.
Initially it was catalogued as an evolution of the Petya virus; however the Kapersky company insists that this is a completely new virus, giving it the NotPetya.
The main focus of the attack, once again, was Ukraine, affecting different critical infrastructure, from energy infrastructure to Boryspil Airport. The situation of continued tension with Russia saw Ukraine accuse Russia of being the author of the attack, cataloguing it as an act of cyber warfare.
This virus simulates a ransomware attack, displaying a ransom message to the user, but in truth, whether the ransom is paid or not, the system will never be decrypted. Rather than encrypt files like a common ransomware attack, NotPetya restarts the computer and encrypts the master file table on the hard disc and makes the system start-up request useless by replacing it with a code that shows the ransom warning, leaving the computer completely inoperable and unserviceable. To spread, it uses the EternalBlue vulnerability, just like WannaCry
Awareness as a protection measure
If they have one trait in common, what most attacks share is that they take advantage of vulnerabilities that already known and have even been published. Given that once these vulnerabilities are published, they are often accompanied by the pertinent solution, often a system update patch, it is of vital importance that these updates are applied as quickly as possible, thus preventing the exploitation of public vulnerabilities.
Another important point to bear in mind is that the principal vector of these attacks is human. Without the adequate security training of all users in a company to prevent, for example, phishing attacks it is impossible to prevent these types of attacks. Security tools are useless if the user voluntarily downloads a malicious file without knowing the real functionality of same, even if they do so by accident.
In short, the best protection measure is always the overall security awareness of a company to protect against easily falling victim to attacks like those mentioned.
Other additional measures
But awareness alone is not always enough and all possible measures must be taken (network management, network segmentation, antivirus, anti-spam, etc.) to prevent any cyber incident or, where prevention has not been possible, all the mitigation and containment measures available must be taken to minimise the impact as much as possible.
Correct segmentation of the network is vitally important to prevent the spread of any possible threat, ensuring that it only affects the minimum number of computers possible.
Another action is to monitor our network traffic, detecting an anomalous behaviour in same that might be due to malware, in order to identify it and take the necessary measures.
Attacks aimed at industrial control systems are the order of the day and their consequences can be severe. What's more, with increasing convergence between IT and OT and OT, an attack targeting IT can impact critical infrastructure. It is vitally important to learn from past mistakes to prevent any repeat and, especially, to be prepared for any possible future incidents.
Los sistemas de control industrial son, cada vez con más frecuencia, objetivo de ataques por parte de usuarios malintencionados que buscan un provecho en sus acciones. Pero no solo eso, incidentes como Stuxnet demuestran que estos ataques no son aleatorios y que son llevados a cabo por profesionales bien cualificados y con unos objetivos muy concretos. Algunos de los últimos grandes ataques registrados han tenido un importante impacto mediático por afectar a grandes compañías, principalmente en la parte corporativa de sus redes, pero también en los sistemas de control, aunque no haya tenido la misma repercusión. A continuación, vamos a repasar algunos incidentes con estos ataques y sus repercusiones sobre los sistemas.