Protecting Industrial Networks: Key Risks and Attack Scenarios
· What are the risks?
· Stages of Cyber Kill Chain
· Industrial plant hijacking.
∘ Wireless hacking
∘ Gaining access to the plant’s field network
· Dangerous Event A: Intellectual Property Theft
∘ Dangerous event B: Industrial sabotage
∘ Hazardous event C: Industrial plant maintenance failure
The number of Industrial Control Systems (ICS) connected to corporate IT networks is steadily growing. Many companies are adopting Industrial Internet of Things (IIoT) technologies.
Deeper integration between IT infrastructure, cloud systems and industrial networks leads to a variety of security threats for companies. This is becoming a major barrier to the implementation of digital technology.
In a special project of Computer Review, IT Integrator and Cisco discuss how Cyber Vision solution helps enterprises deploy Industrial Internet of Things (IIoT) technology and effectively protect their networks and IT infrastructures.
Let’s understand what Cisco Cyber Vision is all about. The solution provides a complete overview of the industrial control system, including dynamic asset inventory, real-time monitoring of control networks and process data, comprehensive threat intelligence to build secure infrastructures and implementation of security policies to control risk.
It’s worth noting that Cyber Vision is embedded in industrial networking equipment, so it makes it easy to deploy operational technology (OT) security at any scale. The product equips existing cybersecurity platforms with information about OT assets and events to create a unified threat management strategy.
The solution was specifically designed for industrial organizations to provide full visibility into their production management systems. So that these systems, in turn, can ensure process integrity, create secure infrastructures, ensure regulatory compliance and apply security policies to control risks.
According to Nikolay Lomenko, Director of Industry Solutions Department at IT-Integrator, the main specificity of production management systems is that they are very closed, have limited control capabilities and are much worse protected against cyber attacks than more open and secure networks for IT systems.
When the digitalization of production processes integrates OT with IT, it is very difficult to guarantee cybersecurity specifically for the former with the more advanced IT systems’ more advanced security management tools. Each of the OT systems may have its own industry specifics (other protocols, standards, etc.) that are not currently supported by IT system management tools.
What are the risks?
So what is the risk landscape for industrial networks? In the traditional world, IT risk is associated with threats that can undermine the confidentiality, integrity and availability of data and systems. The impact is mostly financial, such as cases of ransomware (Cryptolocker virus), bank fraud, or denial-of-service attacks that spread to web servers used by e-commerce sites.
Process control systems control the physical world in which OTs are used. Risks in their environments include threats that can undermine operational security (physical security of goods and people, environmental impact) and the availability or even physical integrity of a production tool. The theft of important industrial data should also be feared.
Remote diagnostics and remote maintenance require appropriate access to networks and industrial control systems. Remote access represents an even more serious threat vector because it connects networks of varying criticality and sometimes third parties.
Remote access workstations connect to the heart of critical industrial control systems to perform operations that can have a significant impact (for example, updating software or downloading new firmware). They cannot simply be prohibited and must be controlled by effective monitoring mechanisms.
All of these threat vectors are, for the most part, specific to the industrial world. Security measures implemented in production management systems must consider the operational reality in which OT personnel must continue to operate facilities and operate efficiently. They cannot simply deny all remote access or rely solely on access controls and organizational measures.
In addition, industrial control systems were never designed to deal with cybersecurity threats. They are designed for operational security and continuity of operations and often do not take into account the possibility that a motivated and malicious attacker could get at their digital interfaces.
This is why automation products still perform only a few cybersecurity functions. Moreover, in most cases, industrial operators do not activate cybersecurity features.
To build an effective ACS cybersecurity strategy, it is critical to identify the security events that are most likely to occur. This will allow you to focus on taking appropriate measures to protect the assets that are most likely to be targets and to enhance the security of sensitive assets that an attacker could use to penetrate the APCS.
In the field of industrial cybersecurity, the feared event involves a cyber attack on an industrial IP, it can cause significant damage to a company’s operations, its production tools, manufactured products or even its employees or customers.
The Cyber Kill Chain concept is used to systematize a cyber attack scenario and detail its various phases. It allows a detailed description of the structure of a complex intrusion attempt typical of new attacks.
Stages of Cyber Kill Chain
The Cyber Kill Chain phases consist of recognition, arming, delivery, operation, installation, command and control, and action on targets. For the events described below, it is assumed that the attacker is already “connected” to the industrial control network.
It is especially important to understand how a cybercriminal will compromise his target’s industrial network. There are many sensitivities to consider when designing a monitoring process. These are categorized by likelihood.
Industrial plant hijacking.
An attacker uses targeted IT distribution mechanisms (i.e., the malware communicates with the attacker’s “command and control” server) to spread the malware on the target network until it reaches the workstation in the industrial area. The primary targets are supervisory control and data acquisition (SCADA) and engineering stations because they contain important process information.
Spoofing authorized remote access for a third party
An attacker uses authorized remote access for a third party, such as a subcontractor. This can be a DSL/Ethernet or VPN connection left open or used only for certain IP addresses. This often gives access to the heart of an industrial facility, providing a “quality” entry point for an attacker.
An attacker exploits publicly available or proprietary vulnerabilities in the wireless channels used (known WEP or WPA attacks). In this way, he can connect to the industrial control network and gain direct access to the heart of the system — design stations, SCADA stations, and programmable logic controllers (PLCs).
Gaining access to the plant’s field network
An attacker has direct physical access to a facility’s field network for their attack, such as having access to a computer cabinet along a distribution axis (a pipe in a sewer or along a water line). The field network provides direct access to the ICS equipment used to control the I/O modules. This is especially important in the transportation sector.
Installing a third-party physical component to change the network remotely
To take advantage of its physical access without being forced to be physically present at the compromised location, an attacker installs a remote control module on the industrial network: for example, a miniature Raspberry Pi with a battery and 4G modem, providing it with remote control.
Here are some examples of cybersecurity events.
Dangerous Event A: Intellectual Property Theft
Intellectual property theft is an attack on a production control system aimed at stealing valuable process or production data. The attacker’s motive could be economic, such as stealing a production secret from a competitor.
The attack will be in a long-term temporal context: the attacker will want to maintain access for as long as possible, or at least until he succeeds in extracting all the search data. If the attacker does not have direct physical access, he needs to maintain a “control” connection between his malware installed in the industrial control network and his command and control server.
Dangerous event B: Industrial sabotage
This scenario describes an attack on an industrial production system that leads to sabotage. The attacker’s motives could be cyberterrorism, competitive positioning, or even war between two countries.
Hazardous event C: Industrial plant maintenance failure
This scenario is more focused on a maintenance failure in industry. The goal is to stop the production of a continuous process at an industrial plant, such as an oil refinery, a water treatment plant, or a gas distribution network.
Industrial control systems are often geographically remote and consist of many “small networks” with few components. To monitor all of this without deploying complex and expensive infrastructure, a detection system typically consists of sensors close to the process that extract communication data between the devices and a central server that collects, stores and analyzes the data collected by the sensors.
The placement of the sensors should allow the monitoring of different connection points of the industrial system.
To cover the above risks, the detection system analyzes component properties, control messages and various tokens, such as MAC address and protocol identifier, vendor name and PLC name, firmware and hardware versions, compromise indicators and several others.