As attacks on critical infrastructure and industrial control systems become increasingly brazen, ICS defenses must go beyond preventative security alone. Control system defenses must be ICS-specific, and teams need to be proactive and equipped with ICS-specific cyber knowledge and skills.
Brazen ICS Attack Techniques
The recent evolution of targeted attacks against critical infrastructure sends a clear message: proactive control system cyber defense requires engineering knowledge to preserve the safety of industrial control system (ICS) and operational technology (OT) operations.
Discussions in Facilities - On the Plant Floor
One of the many things I love about being an ICS-Certified SANS instructor is that in between teaching in the classroom, we spend our time as practitioners in the field. We bring up-to-the-minute threat intelligence-driven knowledge from the field directly into each class. For example, at my firm, ICS Defense Force, I perform cybersecurity control system assessments across multiple critical infrastructure sectors - oil and gas, water, electric power generation, distribution, critical manufacturing, etc.
That means I meet with security teams, engineering staff, facility stakeholders, operators, and those leading the charge of security and ICS risk management. Many meetings are held on the plant floor in hard hats, discussing how to practically apply new ICS defense technologies, tactical defense knowledge, incident response processes, and risk management strategies.
ICS Living-Off-the-Land Attacks Explained
ICS living-off-the-land attacks essentially turn control systems against themselves. An adversary achieves this by abusing already deployed engineering software, industrial network protocols, trusted network access, engineering tools, control system libraries, etc. Living-off-the-land attacks can be much cheaper for adversaries to deploy, have higher success rates, are more difficult to detect, demand a more rapid industrial response, and can have immediate, direct safety and engineering impacts. Let's look at just a few of the ways adversaries live off the ICS land.
Valid Credentials
Adversaries commonly abuse valid credentials, for example legitimate Active Directory (AD) accounts, to move laterally from IT to ICS/OT networks and then throughout the control system networks. This is most commonly seen in high-risk environments that allow a trust relationship between the IT and ICS/OT AD domains, or where an organization uses the same AD infrastructure to authenticate accounts on both IT and ICS/OT networks.
ICS Protocols
ICS cyber defenders must know what normal ICS network traffic looks like. When adversaries abuse deployed industrial network protocols, monitoring against that baseline can detect anomalous or unauthorized commands. This requires deep network visibility, or ICS network security monitoring (NSM), to identify the engineering commands sent in packet payloads to and from key ICS assets and to ensure they are authorized, expected, and unmanipulated. Such assets include critical human machine interfaces (HMIs), programmable logic controllers (PLCs), remote terminal units (RTUs), protection control relays, meters, historians, etc.
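As an added illustration of the baseline check described above (example code, not from the original post or any product), the snippet below parses the header and function code of Modbus/TCP requests and compares each source host, destination PLC, unit id and function code against a constructed engineering baseline, escalating write functions that fall outside it. The IP addresses, the baseline and the frames are constructed for the example.

```python
import struct
from typing import NamedTuple

# Modbus function codes that only read state vs. those that change the process or device.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

ModbusMsg = NamedTuple("ModbusMsg", [("src", str), ("dst", str), ("unit", int), ("function", int)])

def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusMsg:
    """Parse the MBAP header (txid, protocol id, length, unit id) and the function code."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header plus function code")
    _txid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(payload) - 6:  # length field counts unit id + PDU bytes
        raise ValueError("MBAP length field does not match the payload")
    return ModbusMsg(src, dst, unit, payload[7])

# Engineering baseline (constructed for this example): which source host may send which
# function codes to which PLC and unit id. In practice this comes from the site's engineering data.
BASELINE = {
    ("10.1.1.10", "10.1.2.50", 1): {1, 3, 4},          # HMI: reads only
    ("10.1.1.20", "10.1.2.50", 1): {1, 3, 4, 6, 16},   # EWS: reads plus register writes
}

def check(msg: ModbusMsg) -> tuple:
    """Return (severity, reason); writes outside the baseline get the highest severity."""
    allowed = BASELINE.get((msg.src, msg.dst, msg.unit))
    fname = WRITE_CODES.get(msg.function) or READ_CODES.get(msg.function) or f"fc{msg.function}"
    if allowed is None:
        return ("ALERT", f"{fname} from {msg.src} to {msg.dst}: no baseline for this path")
    if msg.function not in allowed:
        sev = "ALERT" if msg.function in WRITE_CODES else "WARN"
        return (sev, f"{fname} from {msg.src} to {msg.dst} is outside its baseline")
    return ("OK", f"{fname} from {msg.src} matches the engineering baseline")

# Constructed Modbus/TCP request frames (not a real capture): MBAP header, unit id, PDU.
FRAMES = [
    ("10.1.1.10", "10.1.2.50", bytes.fromhex("00010000000601030000000a")),     # HMI reads 10 registers
    ("10.1.1.10", "10.1.2.50", bytes.fromhex("0002000000060106001000ff")),     # HMI writes a register
    ("10.1.1.99", "10.1.2.50", bytes.fromhex("0003000000090110001000010200ff")),  # unknown host, fc 16
]

def analyse(frames=FRAMES) -> list:
    return [check(parse_modbus_tcp(s, d, p)) for s, d, p in frames]
```

Running `analyse()` on the constructed frames yields OK for the HMI read, ALERT for the HMI write, and ALERT for the unknown host; a real deployment would feed it decoded payloads from the NSM sensor rather than inline frames.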
Scripting
The abuse of already installed scripting interpreters is also common. Interpreters like PowerShell can be used to build malware or run functions for malicious purposes inside the system without the adversary having to bring in attack tools or malicious payloads, which helps the adversary avoid detection. PowerShell is also a great administrative tool for proactive ICS threat hunting and is used in incident response (IR) situations. Ensure powerful scripting languages and interpreters are monitored and limited to only the systems and users that require them for engineering and IR purposes.
Engineering Control System Applications
Why would an adversary group invest time, money, development, and testing of exploit code if already installed engineering applications can be abused to directly interact with the control systems to cause negative consequences? Engineering software is targeted because of its ability to directly monitor, control, and modify the physical process.
Trusted Network Paths
Adversaries abuse trusted network access paths. Firewalls will not defend against an attack group abusing legitimately allowed network ports or protocols over trusted pathways; the adversaries will be granted access by the existing access control lists (ACLs). While network segmentation following the Purdue model [1] and the SANS ICS410 SCADA Reference Architecture is a fundamental ICS security best practice, modern ICS defense must go well beyond basic best-practice engineering network architecture. Additionally, know that once a strong network architecture is in place, all other ICS defense investments will have a much higher return on investment.
[1] https://www.sans.org/blog/introduction-to-ics-security-part-2/
Living-Off-the-Land Attack Examples - They're Not New, and Growing
One example of living off the land is when attackers gain access to an HMI and use its on-screen commands against the engineering process. An adversary gaining access to an HMI in an electric power facility could remotely open circuit breakers in the field, causing power outages, as in the 2015 Ukraine power distribution system attack. Another case is the water treatment facility in Oldsmar, Florida, where an adversary abused the HMI and altered the chemical mixture in the water to toxic levels.
Another example is the abuse of engineering workstation (EWS) functionality to reprogram PLCs with manipulated logic over legitimate EWS-to-PLC communication ports, as the TRISIS/Triton malware did.
Living-off-the-land attacks are not new (HAVEX, CRASHOVERRIDE, etc.). Other examples are seen with PIPEDREAM/Incontroller, a scalable ICS-specific attack framework that can be deployed for disruptive and possibly physically destructive impacts to operations and safety, regardless of sector or region. The attack modules inside the PIPEDREAM toolkit help adversaries live off the land: the framework can impact a wide variety of vendor PLCs, it can abuse already installed legitimate industrial automation software, and attackers can abuse legitimate ICS protocols within the ICS network, including but not limited to OPC UA, Modbus, and some proprietary control protocols.
Exploiting ICS Vulnerabilities Vs Living-Off-The-Land
When I'm teaching ICS515 or ICS418, or conducting on-site assessments, this question on pre-empting adversary tradecraft often comes up:
"Are adversaries shifting away from exploiting engineering hardware or software vulnerabilities to instead focus on ICS living-off-the-land attack techniques?"
We should expect a blend of exploits and living-off-the-land attack techniques depending on the adversary's goals. This will also depend on the environment and the current maturity of the ICS security program. The effort the adversary invests in attacks against your ICS will likely be directly related to the ICS-specific defenses in place, or the lack thereof. Vulnerabilities in engineering hardware and software should continue to be addressed during scheduled engineering maintenance windows, while always considering the engineering impacts of deploying patches and workarounds. Living-off-the-land attacks are not going away any time soon. If anything, they are likely to increase in frequency and become more creative. We must continuously assess risk while considering the following questions:
Do the engineering needs outweigh the risk of an identified vulnerability actually being exploited within the ICS network, such that the exploit gives the adversary the ability to impact the safety and reliability of operations?
Would the adversary take the expensive option of pre-positioning, developing, testing, and launching exploits, rather than just abusing the HMI, EWS, or other elements inside the ICS to achieve the same or a more harmful effect?
ICS Living-Off-the-Land Countermeasures
Those responsible for leading the charge in ICS/OT cybersecurity and risk management must plan to rely on more than just basic ICS-specific defense-in-depth preventative controls. We must have trained staff ready to respond and maintain engineering operations when those controls fail to detect ICS living-off-the-land attacks. Early detection of adversary pre-positioning in the ICS Cyber Kill Chain is a must.
- ICS418: ICS Security Essentials for Managers packs tons of industry resources, leadership drills, and the "must dos" of ICS security leadership into a two-day class. It empowers leaders to successfully address the need for dedicated ICS security programs, the teams that run them, and the skills required to map industrial cyber risk to business objectives while prioritizing safety in engineering environments.
- ICS tactical defenders, engineering staff, and those coming into ICS/OT from IT can level-up their technical skills in ICS515: ICS Visibility, Detection, and Response. Students will walk away from this course with the ability to detect and respond quickly inside any ICS network with active defense, network visibility, ICS threat detection and industrial response.
- Engineering and ICS cybersecurity staff can gain even more engineering-focused ICS defense-in-depth expertise in ICS612: ICS Cybersecurity In-Depth. ICS612 provides an advanced focus on engineering components, control system network architectures, and configurations.
Defend Your ICS/OT Critical Infrastructure
Join me in class for ICS515: ICS Visibility, Detection, and Response and ICS418: ICS Security Essentials for Managers. And don't forget to network in-person with the ICS community and connect with me in-person at the SANS ICS Summit in June 2024!
To learn more about effective strategies for safeguarding your ICS against sophisticated cyber threats like living-off-the-land techniques, download the SANS Strategy Guide: ICS Is the Business.