Ixia advises on how to prevent Industrial Control System attacks
June 2017 by Ixia
Ixia, a provider of network testing, visibility and security solutions, offers organizations advice on preventing Industrial Control Systems (ICS) attacks in light of the recent report from Dragos on the CrashOverride malware. This malware took down 30 substations in the Ukraine’s power grid late last year, and left 230,000 residents in the Ukraine without power.
The report from Dragos on CrashOverride was detailed and specific. The possibility of this malware strain permeating critical infrastructure around the world is evidence that plants and power systems continue to be under targeted attacks. In fact, early last year, hackers breached a water utility company that is referred to as the “Kemuri Water Company.” They took control of hundreds of programmable logic controllers (PLCs) that manage the flow of toxic chemicals used for water treatment, which could have had dire consequences.
“The work required to create malware targeting specific ICS systems indicates nation-state sponsorship. One does not simply go out and build a ‘mirror lab’ of an electrical grid in their basement,” said Chuck McAuley, Principal Security Research Engineer at Ixia. “Human intelligence backed with strong technical knowledge is needed to create this type of software. Countries, and their private partners involved in infrastructure, need to be proactive about their security measures. In a region such as Europe, where the interconnected electrical grid crosses the borders of many countries, operators need to be ready for cyberattacks at all times.”
Attacks are rapidly evolving and, with nation-state support, will continue doing so. CrashOverride took advantage of four communication protocols used in ICS systems across Europe, Asia, and the Middle East, which highlights potential ICS system design flaws.
McAuley continued, “This attack illustrates that flipping breakers on and off repeatedly should trigger warnings from both remote terminal units and networking equipment. Rate limiting, inline mitigation, and machine learning defenses are quite mature and can easily be adapted to help provide protection in the ICS space. If a hacker’s intent is simply to cause disruption, they do not need to use tradecraft of the nth degree. In this particular case, the malware leveraged no zero day at all, choosing instead to leverage design flaws in the ICS network. Your adversary will only expose and use as much of their arsenal as they need to obtain their objective.”
According to Ixia, there are a few simple steps organizations can follow to better prepare for these types of attacks:
Stay offline: If organizations are incapable of maintaining their ICS networks with up-to-date countermeasures, those networks need to be disconnected from the Internet. In fact, organizations should attempt to remove any direct reliance on IP communications. Air gapping the network can help, but it does not always stop malware from entering a network.
Sharing is caring: A culture of information sharing between the public and private sector should be encouraged. One of the most difficult aspects of cybersecurity is establishing and maintaining trust with peers across industries. Hackers already have the latter part down, and organizations should, too. The enemy relies on slow communications, legal tie-ups, and other bureaucratic clutter.
Get the whole picture: As in most cases, but especially the one outlined in the Dragos report, visibility is key to thwarting industrial attacks. Network visibility should be a cornerstone of any security posture. Moreover, rate limiting functions and alerting functions should be used with a strong visibility platform to notify operators when anomalies occur.
Preparation is key: More than having the right relationship dynamics or tools, organizations cannot be frozen when attacks do occur. They should prepare by testing both their network equipment and people. While testing equipment is relatively straightforward, you need to test your people under real-world conditions using tabletop and cyber range exercises. This enables staff to learn how to perform and think outside the box like a hacker.
McAuley concluded, “The more you can see, the quicker and easier you can react. If the CrashOverride victims had tapped their ICS network, they would have immediately noticed a change in traffic patterns: the scanning for OPC-based services and the IEC 104 commands that repeatedly closed and opened breakers. Network monitoring equipment would be able to see and alert on these transactions in real time.”
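The kind of rate-based alerting McAuley describes, as an added example that is neither Ixia's code nor anything from the Dragos report: a small Python detector run over constructed IEC 104 command log lines (the log field layout, IP addresses and information object addresses are assumptions) that raises an alert when a single breaker is switched more than a set number of times within a time window.

```python
# Added example: alert on a breaker being toggled repeatedly via IEC 104 single commands.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (field layout is an assumption): one normal command at 22:00,
# then the same breaker (rtu 10.0.7.11, ioa 1001) flipped four times within seconds.
SAMPLE_LOG = """\
2016-12-17T22:00:01 src=10.0.5.20 rtu=10.0.7.11 asdu=C_SC_NA_1 ioa=1001 val=OFF
2016-12-17T22:15:01 src=10.0.5.20 rtu=10.0.7.11 asdu=C_SC_NA_1 ioa=1001 val=OFF
2016-12-17T22:15:02 src=10.0.5.20 rtu=10.0.7.11 asdu=C_SC_NA_1 ioa=1001 val=ON
2016-12-17T22:15:03 src=10.0.5.20 rtu=10.0.7.11 asdu=C_SC_NA_1 ioa=1001 val=OFF
2016-12-17T22:15:04 src=10.0.5.20 rtu=10.0.7.11 asdu=C_SC_NA_1 ioa=1001 val=ON
2016-12-17T22:15:05 src=10.0.5.20 rtu=10.0.7.11 asdu=C_SC_NA_1 ioa=1001 val=OFF
2016-12-17T22:15:07 src=10.0.5.20 rtu=10.0.7.11 asdu=C_SC_NA_1 ioa=1002 val=ON
"""

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) rtu=(?P<rtu>\S+) "
                     r"asdu=(?P<asdu>\S+) ioa=(?P<ioa>\d+) val=(?P<val>ON|OFF)")

def parse(line):
    m = LINE_RE.match(line)          # returns None for lines that do not match the layout
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def find_toggle_bursts(log_text, window_s=60, max_changes=3):
    """Return (timestamp, source, (rtu, ioa), count) for every command that makes a
    breaker change state more than max_changes times within window_s seconds."""
    window = timedelta(seconds=window_s)
    last_state = {}                  # (rtu, ioa) -> last commanded value
    changes = defaultdict(deque)     # (rtu, ioa) -> timestamps of real state changes
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["asdu"] != "C_SC_NA_1":   # only single (breaker) commands
            continue
        key = (ev["rtu"], ev["ioa"])
        prev = last_state.get(key)
        last_state[key] = ev["val"]
        if prev is None or prev == ev["val"]:        # first sighting or no state change
            continue
        q = changes[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:        # drop changes outside the window
            q.popleft()
        if len(q) > max_changes:
            alerts.append((ev["ts"], ev["src"], key, len(q)))
    return alerts
```

Repeated commands that do not change the state are ignored, so a stuck or re-sent command does not count toward the threshold; in a real deployment the same logic would sit on a span or tap feed rather than a text log.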