Protecting Critical Infrastructure: Defending Against Threats to OT/ICS Systems

Background

Operational Technology (OT) and Industrial Control Systems (ICS) are the backbone of critical infrastructure, ranging from power grids and water treatment plants to manufacturing facilities and transportation networks. These systems ensure the smooth operation of essential services that society relies on daily. However, the increasing interconnectivity of OT/ICS systems with the digital world has introduced new vulnerabilities, making them prime targets for malicious actors.

The convergence of IT (Information Technology) and OT/ICS environments has opened the door to both innovative advancements and heightened cybersecurity risks. Threat actors, ranging from nation-states to cybercriminals, have recognized the value of targeting these systems, which can disrupt operations, cause physical damage, and even pose risks to public safety.

Introduction

The number of vulnerabilities in industrial control systems (ICS) has surged by almost 70% over the past three years, with more than 20% of them remaining unpatched by manufacturers, according to a study by SynSaber. Analyzing advisories from the US Cybersecurity and Infrastructure Security Agency (CISA) from 2020 to 2022, the research found a 67% increase in ICS advisories between 2020 and 2021, with a 2% rise the following year. While this increase in Common Vulnerabilities and Exposures (CVEs) could indicate greater reporting, the absence of patches presents cyber risks, especially in critical infrastructure sectors like transportation and utilities.

In 2022, significant advancements in the creation of malware aimed at industrial control systems (ICS) garnered attention, while ransomware attacks on manufacturing sectors expanded in scale. Simultaneously, growing geopolitical tensions heightened awareness of the cybersecurity challenges faced by industrial sectors. As in previous years, the ICS and Operational Technology (OT) community grappled with an increasing number of vulnerabilities, often lacking the necessary mitigations to minimize risk and ensure uninterrupted operations. Furthermore, sectors such as electric grids, oil and gas pipelines, water systems, and manufacturing facilities found themselves contending with ever more intricate regulatory frameworks that demanded substantial enhancements in their defensive measures.

Emerging Threats to OT and ICS

The continually shifting landscape of cyber threats has placed a premium on robust cybersecurity practices, particularly in the context of OT and ICS deployed in critical infrastructure sectors. Below, we delve into six prominent threats that have emerged within the OT and ICS domains, exposing the potential consequences and significance these threats hold for organizations.

Operational Disruption: Unauthorized access or manipulation of OT/ICS systems can lead to operational disruptions, causing downtime, delays, and financial losses. In critical infrastructure sectors like energy and transportation, such disruptions can have far-reaching consequences.

Insider Threat: Insider attacks pose a significant risk to OT environments due to the extensive technical knowledge and operational expertise of individuals with access. Over the past four years, the incidence of insider threats has risen by 40%, resulting in an average annual cost of $16.2 million for organizations.

Physical Damage: Tampering with control systems can result in physical damage to industrial equipment, potentially causing accidents, fires, or environmental disasters. This poses a significant threat to worker safety and the environment.

Data Exfiltration: Stealing sensitive data from OT/ICS systems, such as proprietary designs or operational information, can harm an organization’s competitiveness and national security.

Ransomware Attacks: Cybercriminals increasingly use ransomware to encrypt critical systems, demanding ransom payments in exchange for decryption keys. Paying the ransom may not guarantee system recovery and can encourage further attacks.

Nation-State Threats: Nation-state actors may target critical infrastructure for espionage, sabotage, or as part of geopolitical conflicts. The potential for state-sponsored attacks adds complexity to the threat landscape.

OT/ICS Threat Actors and Malware:

The cybersecurity landscape concerning critical infrastructure is undergoing swift evolution, marked by the rising sophistication of threat actors and the escalating potency of malware. These malicious entities, frequently displaying advanced capabilities and often backed by state sponsorship, employ a diverse arsenal of tools and tactics to infiltrate and disrupt the vital systems that underpin our society. Acquiring a comprehensive understanding of these threat actors’ profiles and the capabilities inherent in the malware they deploy stands as a pivotal step in fortifying the defenses of critical infrastructure sectors.

Threat Actor: CHERNOVITE

Malware: PIPEDREAM

Pipedream is a versatile modular framework for targeting Industrial Control Systems (ICS) and stands out as the first cross-industry ICS and Operational Technology (OT) malware with disruptive capabilities. It combines standard ICS and OT protocols with enhanced techniques, such as the utilization of the OPC UA protocol. It is assessed that Pipedream was developed by a state actor for future disruptive or destructive operations. This malware equips adversaries with comprehensive knowledge of a target’s OT network, assets, and processes, facilitating more extensive and devastating campaigns.

Threat Actor: Dragonfly

Malware: HAVEX

Dragonfly, alternatively identified as Energetic Bear, is a group believed to have affiliations with Russia. It has directed its efforts towards energy and utility companies operating in Europe and North America. Notably, this threat actor has employed HAVEX, a malware campaign primarily attributed to state-sponsored actors. HAVEX is tailored for targeting Industrial Control Systems (ICS) within critical infrastructure sectors, with a particular emphasis on energy-related enterprises. HAVEX functions as an intelligence-gathering tool, potentially granting adversaries the means to disrupt or manipulate industrial processes. Its notoriety extends to its involvement in espionage activities and its capacity to potentially disrupt the stability of the energy sector.

Threat Actor: XENOTIME

Malware: TRISIS

XENOTIME is linked to cyberattacks on critical infrastructure in the Middle East, notably within the oil and gas sectors. This threat actor deployed TRISIS, also referred to as Triton, a highly specialized malware meticulously crafted to infiltrate industrial safety systems, specifically targeting the Schneider Electric Triconex safety instrumented system (SIS). TRISIS poses a significant threat to industrial facilities by meddling with vital safety mechanisms. The discovery of TRISIS underscored the alarming potential for cyberattacks to directly compromise physical safety within industrial settings, thus intensifying concerns regarding the security of critical infrastructure.

Threat Actor: Unknown

Malware: Mirai Botnet

The notorious Mirai botnet, an ongoing menace to IoT (Internet of Things) devices, has resurfaced with renewed activity. This time, it has been found exploiting a vulnerability in TP-Link’s Archer A21 (AX1800) WiFi router to harness these devices for Distributed Denial of Service (DDoS) attacks. The initial exploitation of this vulnerability occurred during the Pwn2Own Toronto hacking event back in December 2022. Mirai botnet’s persistence is evident in its continuous pursuit of new vulnerabilities, effectively broadening its potential targets. Moreover, this recent attack serves as a stark reminder of the diminishing time-to-exploit window available to threat actors before manufacturers can release patches to mitigate such vulnerabilities.

Threat Actors: Sandworm / ELECTRUM /VooDoo Bear

Sandworm, a group with suspected ties to Russia, gained infamy due to the widespread impact of the NotPetya ransomware attack, which affected critical infrastructure worldwide. The Sandworm Team is a destructive threat group believed to be associated with Russia’s General Staff Main Intelligence Directorate (GRU), specifically the Main Center for Special Technologies (GTsST) military unit 74455. This group has been active since at least 2009. Sandword has been associated with the development of BLACKENERGY2, CRASHOVERRIDE, and Industroyer2 malware.

Malware: BLACKENERGY2

BLACKENERGY2 is a strain of malware known for its association with cyberattacks on critical infrastructure, particularly in Ukraine. This malware has been linked to power outages and disruptions in energy distribution systems. It typically functions as a backdoor, enabling unauthorized access to targeted systems. Its use in coordinated attacks on utilities raised concerns about the vulnerability of critical infrastructure to cyber threats.

Malware: CRASHOVERRIDE

CRASHOVERRIDE is a malware framework strategically designed to target electrical grids and inflict extensive power outages, notably demonstrated in its role during the 2016 Ukraine power grid attack. Highly versatile and modular, CRASHOVERRIDE possesses the capability to target various types of Industrial Control Systems (ICS), including the automation of attacks on substations, thereby posing a significant and adaptable threat to critical infrastructure.

Malware: Industroyer2

Industroyer2 is an evolution of the original Industroyer malware and is designed to target industrial control systems (ICS). This malware is known for its ability to disrupt power grids and other critical infrastructure components. Industroyer2 is capable of launching coordinated attacks against various ICS devices, making it a significant concern for organizations responsible for maintaining critical infrastructure.

Mitigation Strategies

To bolster the cybersecurity posture of Operational Technology (OT) and Industrial Control Systems (ICS), a comprehensive set of strategies and measures is essential:

Segmentation: Implement network segmentation to create isolation between OT/ICS systems and the corporate network as well as the internet. This strategic separation reduces the attack surface and thwarts lateral movement by potential threat actors.

Access Control: Enforce stringent access controls and robust authentication mechanisms. Limit access to critical systems exclusively to authorized personnel and rigorously monitor privileged access.

Regular Patching and Updates: Ensure the continual currency of OT/ICS systems by promptly applying the latest security patches and firmware updates. Outdated systems are more susceptible to known vulnerabilities.

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Deploy IDS and IPS solutions to actively monitor network traffic, swiftly identifying suspicious activities or established attack patterns in real-time.

Anomaly Detection: Implement anomaly detection systems designed to recognize unusual behavior within OT/ICS environments. This proactive approach aids in the identification of previously unknown threats.

Security Training: Provide specialized cybersecurity training for OT/ICS personnel, heightening their awareness of potential threats and equipping them with best practices for effective incident response.

Incident Response Plan: Develop and routinely update a comprehensive incident response plan tailored specifically to OT/ICS environments. This plan should outline procedures for detecting, containing, and recovering from security incidents.

Encryption: Safeguard data integrity and confidentiality by encrypting communication between OT/ICS devices, enhancing the protection of sensitive information.

Backup and Recovery: Regularly create backups of critical data and system configurations, securely storing them offline to prevent compromise in the event of an attack.

Collaboration: Cultivate a culture of collaboration between IT and OT teams, ensuring a harmonized and synchronized approach to cybersecurity. Transparent communication and collaborative efforts are pivotal in defending against evolving threats, fortifying the resilience of OT and ICS systems.

Conclusion

The landscape of OT and ICS presents a multifaceted and ever-evolving challenge for the security of critical infrastructure. As our society becomes increasingly dependent on these systems for essential services, the threat posed by malicious actors continues to escalate. The convergence of IT and OT/ICS environments, coupled with the rapid proliferation of vulnerabilities, has created an urgent demand for robust cybersecurity measures. The notable surge in vulnerabilities, with a nearly 70% increase over the past three years, serves as a compelling reminder of the critical need to address cybersecurity within the realm of critical infrastructure. While reporting has shown improvement, the persistence of unpatched vulnerabilities within vital sectors such as transportation and utilities elevates the level of risk we face.

Threat actors like CHERNOVITE and Dragonfly, along with malware such as PIPEDREAM, HAVEX, and TRISIS, underscore the sophistication and diversity of adversaries targeting critical infrastructure. The adoption of robust mitigation strategies is imperative to safeguard the systems that underpin our daily lives and ensure the continued reliability and security of essential services.

__________________________________________________________________________

CRITICALSTART® offers a pioneering solution to modern organizational challenges in aligning cyber protection with risk appetite through its Cyber Operations Risk & Response™ platform, award-winning Managed Detection and Response (MDR) services, and a dedicated human-led risk and security team. By providing continuous monitoring, mitigation, maturity assessments, and comprehensive threat intelligence research, they enable businesses to proactively protect critical assets with measurable ROI. Critical Start’s comprehensive approach allows organizations to achieve the highest level of cyber risk reduction for every dollar invested, aligning with their desired levels of risk tolerance.