Fighting Off the ICS Pivot Point

Wednesday, September 16, 2015 @ 02:09 PM gHale

By Gregory Hale
Spear phishing campaigns used in advanced persistent threat (APT) attacks and social engineering are gaining a foothold into enterprise systems these days, which is providing a pivot point for bad guys to jump into the industrial control network.

Just this past July, ICS-CERT learned of a spear-phishing campaign by APT attackers that targeted multiple sectors, including chemical, critical manufacturing, energy, and government facilities.


“These attacks are not new. The IT space is often used as a vector to get into the OT networks,” said George Wrenn, cyber security officer (CSO) and vice president cyber security at Schneider Electric. “One approach from a couple years back used weaponized PDF files planted on a website to exploit older Windows-based control systems. Attackers will use any and all methods, tools and tactics to get access to ICS systems. The rule is, ‘there are no rules.’”

This latest spear phishing attack involved emails with links that redirected to web sites hosting malicious files that exploited a Zero Day vulnerability (since then patched) in Adobe Flash Player, according to a report in the July-August ICS Monitor.

In previous incidents occurring in early 2014, the same bad guys also used various social engineering tactics and social media to perform reconnaissance and target company employees. In one case, attackers used a social media account to pose as a prospective candidate for employment and opened a dialogue with employees of a critical infrastructure asset owner.

The attackers asked probing questions such as the name of the company’s IT manager and versions of the current running software.

Critical Infrastructure a Target
The growing use of social media, spear phishing and Zero Days just shows how strongly attackers want to get into critical infrastructure networks.

“This was mainly an IT-focused attack; if they are interested in the ICS, they would then have to pivot onto other systems. Obviously the two cases where this has likely happened are Stuxnet and the German Steel Mill attack of last year,” said Graham Speake, vice president and chief product architect at NexDefense, Inc.

“The Steel Mill definitely seems to have been a case of a phishing email into the business network and then working their way through the firewall (assuming there was one) and into the process side,” Speake said. “The level of knowledge needed would tend to lead me to thinking there was some insider information as well, as just getting onto the control network and successfully disabling parts of the process to cause the blast furnace to be unable to shut down was complicated. Undertaking this without insider knowledge or a very good grasp of process control in general would probably lead to a more random series of events, and any safety system should be able to bring the system to a safe, controlled shutdown. The number of talks … showing how fragile these systems are will definitely give rise to an increase in the number of attacks in this area.”

“Social attacks, spear-phishing chief among them, really are the scourge of IT departments. Reason being is they (unwittingly) compromise a very fundamentally trusted asset, the user,” said Dan Schaffer, business development manager, Networking & Security at Phoenix Contact. “And it becomes very complicated to try and either a. stop trusting your users or b. start ‘whitelisting’ all the sites, and only the sites, that IT feels users need to visit. And of course there are a ton of false positives where frustrated users say ‘but I need to go to because they have market data there.’”


In terms of phishing attacks focusing on the ICS side, Schaffer feels there is potential for more in the future.

“I’ve heard of a few (less than 10) accounts from folks in critical infrastructure getting phishing emails, but I don’t believe they were truly spear phishing,” he said. “However, it is a very attractive attack vector, with humans representing, frankly, a pretty tasty vulnerability to the bad guys. I’d be surprised if it doesn’t become more of a problem, but remember true spear phishing takes some work by the bad guys. You need to know a bit about your target in order to craft the proper email.”

Not on the ICS
Just looking at the industrial network, Joel Langill, operational security professional, ICS cyber security expert and founder of feels the attacks had to come from a different system within the enterprise.

“So, it may be true that a particular company in a critical infrastructure sector was victimized by this type of attack; however, it is highly unlikely that this attack actually occurred from within the industrial networks and had a negative impact to operations,” Langill said. “Since these companies must comply with regulations like NERC-CIP for reporting of such incidents, they are being safe and reporting all such incidents – not just those that impact ICS networks and associated assets. I do not see how a spear-phishing attack would occur in the ICS today, unless the network and associated perimeter access control are not properly designed.”

You can talk all day about the attacks and the issues, but good common sense in applying security prevention needs to come into play, and security experts offered some solid preventative measures.

“The best thing to do is make your ICS systems and operators ‘hard targets,’ training them to avoid these types of blended attack vectors,” Wrenn said.

Some measures, however, really focus on the human approach.

“Prevention really requires a non-technical approach,” Schaffer said. “Train your users on the signs of an attack, be it phone call or email. Of course keeping anti-malware up to date helps, as it will catch the known bad stuff that the hijacked site might try to do, but the ‘known’ list is becoming a smaller and smaller percentage of the bad stuff that is out there.”

For prevention, Langill said just “go back to basics. I recommend the same things all the time:”
• Physically segment “critical” ICS and “non-critical” business networks – this means separate physical infrastructure and not implementation of VLANs
• Utilize stateful access control mechanisms (firewalls, NGFW, etc.) between these networks that restrict access across these perimeters to the greatest extent possible
• Maintain separate authentication domains between critical and non-critical networks to minimize the chance that stolen credentials on one zone can end up used to further exploit another zone
• Further segment critical cyber assets (i.e. PLCs, Panel Displays, etc.) that cannot be secured with traditional methods and implement zone-based security on the “conduits” into these zones via technologies like IPS, NGFW, etc.
• Implement basic monitoring and event reporting infrastructure so it is possible to have visibility into sensitive networks when/if they end up breached
• Consider implementing “egress” protection on all nodes (when possible) to minimize the ability of a compromised host to be used to further exploit the network

For Speake, it mainly comes down to awareness:
1. Employee awareness – build security into the plans as well as safety
2. The use of email in a control system network should be discouraged as much as possible. At least the direct vector is then eliminated
3. Similarly, web access from the control network should be avoided
4. Firewall with a well-controlled ruleset between the business and control network, limiting the connections to the smallest number possible. A unidirectional diode would be better
5. Segmentation of the control network with VLANs and small industrial firewalls would also increase the need to make attacks more sophisticated
6. Deploying an IDS or network anomaly tool would also help

Preventative measures and a disciplined approach will help slow any type of attack, but as the intensity of attacks continues to rise, so too must the efforts of security professionals across the board.

“My crystal ball says this ‘there are no rules’ approach will only increase in sophistication as ICS systems become hardened,” Wrenn said.