Modern Attacks Against Critical Infrastructure
The evolution of targeted attacks against critical infrastructure in recent years sends a clear message to asset owners and operators. In industrial control systems (water management, oil and gas refining and distribution, power grids, and similar environments), modern adversaries have taken brazen steps to defeat traditional security controls and to cause impacts on safety and engineering reliability. Today, proactive control system cyber defense requires dedicated ICS security teams with engineering knowledge to preserve the safety of industrial control system (ICS) and operational technology (OT) operations.
ICS Security In The Field Experience
With my firm, ICS Defense Force, I perform industrial control system (ICS) security assessments, incident response engagements, and incident response tabletops across multiple critical infrastructure sectors, globally. It is important to describe my practical field work in this context: it allows me to meet with security teams, engineering staff, and those leading the charge on cybersecurity risk management and defense, including the decision makers who are seeking technical solutions and tactical training to address their identified cybersecurity challenges.
ICS Threat Landscape In The Gulf Region
Recent threat landscape analysis for the Gulf Cooperation Council (GCC) region indicates that attacks against critical infrastructure are increasing in volume and sophistication. Critical infrastructure-focused adversaries and cyber criminals alike are exploiting both ICS and IT environments to achieve malicious goals, with impacts on safety and engineering operations.
The oil and gas and energy sectors in particular present valuable targets to modern advanced persistent threats (APTs), which remain active and continue adjusting their tradecraft to infiltrate multiple types of facilities and evade detection. Facilities operating in the GCC across all energy sectors (electric, oil and gas, and the supply chain providers of their equipment and software) are at greater risk than in prior years. Some adversaries consider cyber-attacks against critical infrastructure a legitimate component of warfare.
For example, active adversary groups have targeted oil and gas operations across upstream, midstream, and downstream segments. Their apparent intent has ranged from disruptive to destructive incidents, including potential personal safety and environmental impacts.1 This is evident in the discovery of TRISIS/TRITON, ICS-targeted malware built to manipulate the safety instrumented systems (SIS) that protect oil and gas facilities.2
Additionally, ransomware events against ICS environments have increased globally, with no sign of slowing down. Ransomware that hits IT support services can also affect ICS operations if the organization does not have suitable network segmentation in place to isolate engineering networks from IT and the Internet. The Colonial Pipeline incident3 is one example in oil and gas: ransomware on the IT network led the operator to halt pipeline operations, and other adversary groups learn from such events to adapt and strengthen their own techniques. ICS-specific ransomware has also been discovered in the form of EKANS,4 which terminates ICS-related processes on a host before encrypting its files.
Common ICS Cybersecurity Challenges
Threat intelligence shows that critical infrastructure is at increased, and unnecessary, risk of cyber incidents with physical impacts when any of the following gaps are present. The list is not exhaustive; other gaps exist.
- Lack of ICS/OT Network Visibility - ICS network visibility is a critical requirement for any ICS facility today. Specifically, this means ICS-protocol-aware network intrusion detection systems deployed to monitor and alert on anomalous engineering commands and protocol use, not just on TCP ports.
- Dual-homed Assets between ICS and IT Networks - Connections between IT networks and ICS networks are a major concern for owners and operators because they present a pathway from commonly targeted IT environments into critical engineering systems.
- Lack of Multi-factor Authentication for Remote Access - Multi-factor authentication is a best practice that strengthens remote access authentication. However, remote access requires several other controls to be in place, including but not limited to proper network access control and monitoring of remote sessions.
- Limited Logging and Monitoring for Engineering Systems - Legacy engineering assets may have logging disabled by default, or may not be configured to log security events or important engineering events such as logic updates.
- Unprotected End-of-Life Operating Systems and Engineering Hardware - Legacy systems require additional ICS-specific security controls, processes, and compensating mitigations to protect the safety and reliability of operations.
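As an added example (not from the original post and not any vendor's product), here is a small Python illustration of what "ICS-protocol-aware" visibility means in practice for Modbus/TCP. It parses the MBAP header and function code of each request, flags controller writes that come from any host other than the approved engineering workstations (the dual-homed IT host case from the list above), and flags malformed frames and function codes outside the expected read/write set. The IP addresses, the engineering-host allowlist, and the traffic frames are constructed for the example, not captured from a real network.

```python
"""Minimal Modbus/TCP-aware detector: flags controller writes from hosts that are
not approved engineering workstations, plus malformed or unexpected frames.
All addresses and frames below are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Modbus function codes that change controller state versus those that only read.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int] = None
    quantity_or_value: Optional[int] = None


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request: a 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:  # the Modbus protocol identifier is always 0
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts the unit id plus every PDU byte that follows it.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match frame size")
    pdu = payload[7:]
    req = ModbusRequest(tid, unit, pdu[0])
    if req.function_code in WRITE_FUNCTIONS or req.function_code in READ_FUNCTIONS:
        if len(pdu) < 5:
            raise ValueError("PDU too short for address/quantity fields")
        req.start_address, req.quantity_or_value = struct.unpack("!HH", pdu[1:5])
    return req


def inspect_frames(frames: List[Tuple[str, str, bytes]],
                   engineering_hosts: Set[str]) -> List[str]:
    """Return one alert per frame that violates policy.

    frames: (source ip, destination ip, TCP payload) seen on the ICS network.
    engineering_hosts: the only hosts permitted to change controller state.
    """
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(f"MALFORMED {src}->{dst}: {err}")
            continue
        name = WRITE_FUNCTIONS.get(req.function_code)
        if name is None:
            if req.function_code not in READ_FUNCTIONS:
                # Anything outside the known read/write set (e.g. device
                # identification, diagnostics) is worth an analyst's attention.
                alerts.append(f"UNEXPECTED-FC {src}->{dst}: "
                              f"function code {req.function_code}")
            continue
        if src not in engineering_hosts:
            alerts.append(f"UNAUTHORIZED-WRITE {src}->{dst} unit {req.unit_id}: "
                          f"{name} at address {req.start_address}")
    return alerts


# Constructed sample traffic (hypothetical addresses). PLC at 10.10.30.10,
# HMI at 10.10.20.5, engineering workstation at 10.10.20.50, and a dual-homed
# IT host at 10.1.5.77 that should never write to a controller.
ENGINEERING_HOSTS = {"10.10.20.50"}
SAMPLE_FRAMES = [
    # HMI polling holding registers 0-9 (FC 3): normal.
    ("10.10.20.5", "10.10.30.10", bytes.fromhex("00010000000601030000000a")),
    # Engineering workstation writing register 16 := 1 (FC 6): permitted.
    ("10.10.20.50", "10.10.30.10", bytes.fromhex("000200000006010600100001")),
    # Dual-homed IT host forcing coil 0 ON (FC 5): unauthorized write.
    ("10.1.5.77", "10.10.30.10", bytes.fromhex("00030000000601050000ff00")),
    # Frame whose MBAP length (6) disagrees with its actual size: malformed.
    ("10.1.5.77", "10.10.30.10", bytes.fromhex("00040000000601100000")),
    # Read Device Identification (FC 0x2B) from the IT host: reconnaissance.
    ("10.1.5.77", "10.10.30.10", bytes.fromhex("000500000005012b0e0100")),
]

if __name__ == "__main__":
    for alert in inspect_frames(SAMPLE_FRAMES, ENGINEERING_HOSTS):
        print(alert)
```

A production ICS network monitor does the same thing per protocol (DNP3, S7comm, EtherNet/IP, and others) and per asset, with the allowlist of who may write to which controller coming from the engineering team rather than guessed from traffic. The point the example makes is that the alert depends on decoding the engineering command itself; a firewall rule or an IT IDS signature that only sees "TCP/502" cannot tell a routine HMI poll from a coil being forced by a compromised IT host.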
What About ICS Incident Response?
According to the SANS 2023 ICS/OT Cybersecurity Survey, only 52% of ICS facilities5 have an ICS/OT-specific incident response plan that is documented, tested through engineering-driven tabletop exercises, and kept up to date, and 17% are unsure whether they have such a plan at all. What is critical to understand is that this is not your IT incident response plan. "Copying and pasting" IT security controls into an ICS/OT facility's incident response plan will not work; in fact, this approach is likely to cause serious unintended, even disastrous, consequences for safety and engineering operations.
IT Is Not OT/ICS - Key Differences
It is imperative that top facility leadership and engineering teams know the differences between traditional IT security and industrial control system security. ICS/OT assets are often incorrectly equated with traditional IT assets. Traditional IT assets are concerned with data at rest or in transit, user data, and user applications, whereas ICS/OT assets are engineering equipment: real-time systems that take physical input values and produce controlled physical outputs with effects in the real world. This primary difference between IT and ICS/OT drives different cybersecurity design, security assessment approaches, risk surface understanding, safety considerations, strategy, support, tactical cyber defense, and industrial incident response practices. "Standard cyber incident remediation actions deployed in IT business systems may result in ineffective and even disastrous results when applied to ICS cyber incidents, if prior thought and planning specific to operational ICS is not done."6
ICS Leaders' Defense Actions:
Those responsible for ICS/OT cybersecurity and infrastructure defense can position their facility to meet best practices by having an engineering-driven, ICS-specific incident response plan. They should exercise that plan regularly by running ICS tabletops facilitated by ICS experts, with realistic scenarios derived from sector-specific threat intelligence, and ensure all the right teams (engineering, operations, security, and leadership) are included.
ICS Practitioners' Defense Actions:
Tactical practitioners working on the front lines to defend engineering operations should embrace the fact that IT and ICS/OT are different. Discover what can be adapted from IT security to actively respond to ICS-specific threats using ICS-specific controls, technologies, and processes, while prioritizing safety first. Realize that ICS security is not a "copy and paste" of IT security into the ICS; in many cases, what works for IT will cause disruptive or disastrous consequences if applied to ICS. For example, an aggressive vulnerability scan or an automated host isolation that is routine in IT can stall a controller or interrupt a physical process that must keep running.
Engineering And Cyber Security Training In Gulf Region
I am very fortunate to be strengthening the SANS relationships in the region with senior leadership, decision makers, engineering, and security staff. I was recently in Dubai at the SANS EMEA Gulf Region event in November teaching both ICS515 and ICS418, meeting great people from the local sectors in oil and gas, energy, and manufacturing. It was fantastic being in-person delivering best-in-class practical risk management to leadership teams, and hands-on tactical ICS cybersecurity training to those in day-to-day operations.
Teaching in Dubai at the SANS EMEA Gulf Region event in November 2023
The breaks and networking sessions gave us a wonderful opportunity to share experiences and to help facilities address some of the ICS/OT cybersecurity challenges they have today.
Teaching students in the Gulf region how to protect ICS systems using the ICS515 included student PLC hardware kit.
Professional Development and Practical Defense
The SANS course ICS515: ICS Visibility, Detection, and Response meets several modern ICS security challenges head-on. ICS515 teaches students how to perform tactical ICS incident response through hands-on labs, including assembling and running a programmable logic controller (PLC) like one you would see on a plant floor. Students keep the PLC kit for continued learning after class is over. Students from IT, ICS, engineering, and related backgrounds detect and defend against threats in several realistic ICS environments.
Conclusion
It is critical for critical infrastructure owners and operators to ensure their teams attend, complete, and become certified in ICS-specific security training, in order to defend against the latest threat groups that mean to cause disruption, downtime, and safety impacts.
On behalf of myself and the EMEA team, thank you for taking the time to review this important topic as it relates to the protection of critical systems in the Gulf region. We look forward to seeing you all at our regional SANS training events! Stay tuned for additional ICS blogs in this series, a dedicated effort to provide actionable information to protect critical infrastructure in this region.
Be safe from industrial incidents!
Best,
References
1 https://www.dragos.com/industries/oil-gas-industrial-cybersecurity/
2 https://en.wikipedia.org/wiki/Triton_(malware)
3 https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack
4 https://attack.mitre.org/software/S0605/
5 https://www.sans.org/white-papers/ics-ot-cybersecurity-survey-2023s-challenges-tomorrows-defenses/