July 10th 2019

Where do you start when wanting to understand the OT threat landscape?

This is a common question industrial companies are facing when trying to cope with the mountains of cybersecurity issues, attacks, malware, and campaigns popping up around the world.

The answer is simple - you start at the beginning.

Understand who the people behind the threat are and what drives them.

Naturally, security teams should be familiar with cybersecurity threats, but it is just as important for them to understand what the sources of these threats are. This article provides a better focus for industrial security teams looking for the best ways to defend their networks from the many different OT cyber threats that are present in the world.

Here are the five main categories of industrial cyber-attackers and common methods:


Read on for more information

1. The Opportunistic Attacker

The ‘Opportunistic attacker’ is the most common type in terms of victim volume. As can be inferred from their name, many of these attackers rely on probability, meaning their malware spreads as widely as possible in order to increase their chance of success without a specific target in mind. Therefore, the industrial sector is not the specific target of this threat; rather, it suffers the infection as a side effect, simply on account of having its computers connected to the internet.

“In the ICS world, we consider the enterprise world as untrusted”
- Dale Peterson at S4 2019

The attacker's main motivation is money. When the infection takes place, the attacker usually tries to monetize the infected computer using different techniques, such as:

- Ransomware - Blocking access to files on the machines by encrypting them until payment is made by the user.
- Botnets - Harnessing the processing power of the computer, for example to mine cryptocurrencies.

Other motivations may include data gathering or using the infected computer as a bot for future attacks. In some cases, attacks will not have a specific motivation in mind. Sometimes people develop malware just for fun, with no real intention behind their work. Many cases of targetless attacks are accidental - downloading the wrong file or visiting the wrong website.

The potential severity of this kind of attack varies greatly depending on the company that was infected, as well as the complexity and nature of the malware. Most companies have adequate segmentation and communication policies thereby avoiding excessive propagation of the malware. However, companies that lack these measures could have their operations considerably interrupted. Recent ransomware attacks cost manufacturing companies $50M-$300M in damages strictly by blocking access to IT servers that were in charge of production. In some events, companies were forced to shut down entire plants until the risk was fully remediated.

For security teams, increasing cybersecurity awareness can decrease the likelihood of these attacks taking place. Restricting employees to browsing only legitimate websites and instructing them to avoid clicking on hyperlinks in suspicious emails are two examples of guidelines that can reduce cyber risk. Dedicated tools (IDS, IPS, AV) can also assist in blocking malware that may have slipped past “human” preventive actions.

2. Industrial Opportunistic Attackers

This is the second-largest group of attackers in terms of volume. These attackers use opportunistic infection methods but they specifically target industrial companies and once again, the main motivation is money. However, in this case, the attackers know that targeting an industrial company can result in higher profits and they use this for their benefit. Ransomware is extremely popular in ICS attacks, for example.

Manufacturers have a very low tolerance for downtime. Even a couple of days without production can cause severe damage to income or reputation, and that is just the tip of the iceberg. Downtime in the energy sector, for example, can cause large-scale power outages. Consequently, industrial companies are more inclined to pay ransom demands, which is exactly what the attackers behind this method are counting on - targeting a wide array of plants, some will get infected, most will pay.

Other attackers may spread their malware hoping to gain access to a company and later sell this access to the highest bidder. Others are looking to gather data without a specific victim in mind; they only know that they wish to target the ICS sector. Industrial opportunistic attacks have a wide range of potential severity, which depends on the company and the malware. To cope, security teams should stay alert and aware of the perimeter; personnel training and monitoring of the networks are the best actions that the team can take.

3. Competitors

Intellectual Property (IP) is a key element in the growing industrial world. Innovative methods of production, solutions, etc. are pieces of data that help companies excel in their field. Data theft via cyber espionage can have a catastrophic impact on a given company. How rare this type of attack is remains unknown.

Attackers typically aim at two different outcomes:
1. Learning the secret "recipe" for the production of a certain product.
2. Trying to hinder or stop the production of the competitors.

Unlike the direct financial damages in the first two methods, espionage enters a different category of reputation and status. Various companies pride themselves in their innovative methods for solutions in their field of work; losing this information can be devastating to them. Companies that implement unique production methods will lose their edge against competitors who will have access to their work methods, thus bringing them down to par with the others.

Intellectual Property can be found everywhere and on all levels of the factory - from enterprise IT all the way down to the lowest OT levels. Therefore, other than the obvious solutions of network monitoring, communication policies, and so forth, the best measure security teams can turn to is containment. Performing the following actions will help to minimize the locations of IP on your network, and ensure that communication with these assets is minimized, encrypted, and requires high privileges.

- Minimize the IT computers that have recipes, work methods, work statistics, etc. on them.
- Minimize the number of computers that directly communicate or gather data from the OT layer.
- Minimize the number of users who can access these computers.
- Implement DLP software, and encrypt the information you wish to keep safe.

4. The Revenging Employee

A disgruntled employee or ex-employee can seek revenge against their employer. Sabotage from inside the company usually means catastrophic outcomes for that company. Since it is an “inside job”, employees who have access to the company’s network can perform any action an external hacker could if they had elevated privileges and full access. Attacks by revenging employees are impactful but rare - there are several cases of inside jobs by ex-employees per year. Their primary motivation is emotional - getting revenge, letting out frustration, and so forth.

Since these attackers work from within the network, they are most likely to act with relatively high privileges and authorization. Employees who use cyber attacks as their revenge are most likely from departments that have a vast knowledge of communications and networking (IT departments for example), meaning that they are familiar with the organization’s soft spots.

For security teams, blocking ex-employees is much easier than blocking current employees. When it comes to existing employees it is hard to differentiate between legitimate and malicious activity. In some cases, the person whose employment was terminated was able to access the network remotely with their old VPN credentials and perform destructive actions on the network. A simple, yet effective action that security teams can implement is to promptly revoke the access of dismissed employees, making sure that they can no longer access the systems.
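The revocation check described above can be automated by reconciling the HR roster with the VPN account list and the VPN authentication log. The following is an added example, not code from OTORIO or the original article; the CSV and log formats, account names, and addresses are constructed assumptions to adapt to your own exports.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample inputs; the formats are assumptions, adapt them to your exports.
HR_ROSTER = """\
username,status,terminated_at
akeller,active,
bnovak,terminated,2019-06-14T17:00:00Z
cmoreno,terminated,2019-06-28T12:00:00Z
"""
VPN_ACCOUNTS = """\
username,enabled
akeller,true
bnovak,true
cmoreno,false
svc_historian,true
"""
VPN_LOG = """\
2019-06-13T08:02:11Z akeller LOGIN_OK 203.0.113.10
2019-06-14T09:15:40Z bnovak LOGIN_OK 203.0.113.22
2019-06-20T23:41:05Z bnovak LOGIN_OK 198.51.100.7
2019-06-29T01:12:33Z cmoreno LOGIN_FAIL 198.51.100.9
"""

def parse_ts(text):
    """Parse a UTC timestamp such as 2019-06-14T17:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_offboarding(hr_csv, accounts_csv, vpn_log):
    """Return (kind, username, detail) findings for stale or misused VPN access."""
    roster = list(csv.DictReader(io.StringIO(hr_csv)))
    known = {row["username"] for row in roster}
    left = {row["username"]: parse_ts(row["terminated_at"])
            for row in roster if row["status"] == "terminated"}
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["username"]
        if row["enabled"].lower() != "true":
            continue
        if user in left:  # terminated, but VPN access was never revoked
            findings.append(("STILL_ENABLED", user, left[user].isoformat()))
        elif user not in known:  # no HR record, so offboarding will never catch it
            findings.append(("NO_HR_OWNER", user, ""))
    for line in filter(str.strip, vpn_log.splitlines()):
        ts, user, result, src = line.split()
        if user in left and parse_ts(ts) > left[user]:  # activity after leaving
            findings.append((result + "_AFTER_TERMINATION", user, f"{ts} from {src}"))
    return findings
```

Calling `audit_offboarding(HR_ROSTER, VPN_ACCOUNTS, VPN_LOG)` on the sample data flags the still-enabled account, the account with no HR owner, and both post-termination login attempts, including the failed one against an already disabled account.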

5. Advanced Persistent Threats (APT)

Advanced Persistent Threats are seen in the industrial world when an organization or country tries to stop or damage the production process as part of cyberwar. Other motivations can be efforts to block technical advancement of a specific country or to send a message to an opponent. APTs are more dedicated and tailored than the attacks that were mentioned earlier in the article. These attacks usually have a very clear target in advance, and they serve a specific purpose. Fortunately, there have been very few known OT-oriented APT attacks in history.

The main goal of APTs is psychological warfare, e.g., sending a message to opponents. Therefore the targets are typically high-profile companies and critical infrastructures (e.g., power grids, oil & gas, defense, etc.). History has shown that APTs often do not target small companies, or cause minor damages. Since many of these attacks are complex, state-sponsored, and customized to their target, their severity tends to be very high.

Unfortunately for security teams, stopping APTs is virtually impossible. There is a long-standing belief that “if an attacker has enough funds, manpower, and motivation, they will be successful in their attack”. This belief is exemplified through APTs, where attacks often have sufficient resources to carry out years of preparation and ongoing operations. Nevertheless, security teams can better their odds by implementing all the lessons learned throughout this article.

Securing their perimeter, making sure their network communication is monitored, and that their components are patched and up to date with the latest versions can help minimize the attacks dramatically. An effective step security teams can take is to minimize the network information available online. Since OT attacks require deep knowledge of the specific network they are targeting (the network structure, what components are present, etc.), a large amount of the preparation is done by online reconnaissance. It is surprising to see how much data regarding networks, components, and protocols are available online, just waiting for attackers to find.

“Know Your Enemy. Know Yourself. Only Then May You Achieve Victory”

This quote by fantasy-writer Jim Butcher says it best. Cyber attacks against OT environments can come in many different shapes and sizes. There are endless vectors, methods, motivations, and tools that an industrial company may have to face when moving forward with digitalization.

Understanding these threats, knowing their relevance, calculating their risks, and learning how to prepare for them are key elements in a safe journey towards the new age of OT, the age of cybersecurity, and safe digital production.

About the author
Omri Bavly is a Senior Threat Intelligence Researcher at OTORIO with years of cyber research experience. Omri is in charge of analyzing the ICS threat landscape, researching ICS-oriented attackers, cyber attacks, vulnerabilities, tools, and more.
© OTORIO LTD 2019