Joe Slowik / @jfslowik Dragos, Inc. | May 2019


Page 1

Joe Slowik / @jfslowik

Dragos, Inc. | May 2019

Pages 2-5 (speaker background, built up one line per slide)

Student

Officer

Network Defender

ICS Defender

Page 6

Page 7

https://ics.sans.org/media/An-Abbreviated-History-of-Automation-and-ICS-Cybersecurity.pdf

Page 8

http://www.a2n.net/site/wp-content/uploads/2017/03/IoT_04.png

Page 9

Increasing Adoption of IT Technology in ICS Environments

Perimeter Extension and Greater Connectivity

Increased Vendor Interest in ICS Security

Page 10

Increased Efficiency and Cost Savings by Incorporating COTS Hardware/Software into ICS Equipment

Elimination of (some) custom environments, airgaps, and traditional separation from enterprise IT

Result: IT threat surface imported into the ICS environment – WITHOUT the same security capabilities

Page 11

Traditional ICS Perimeter

Vendor and Contractor Access

Increased Remote Work and Administration

Cloud and Off-Prem Products

Page 12

Increased vendor interest in ICS space

Attempt to leverage “IT-ification” as justification to extend existing IT products to industrial

Fails to recognize operational and technical differences in how IT technologies are deployed for industrial use

Page 13

Breach victim IT network

Identify points of contact with ICS

Enumerate and categorize control system environment

Deliver effects on objective

Page 14

Page 15

Preparatory Actions

Deny, Degrade, Destroy

Page 16

Page 17

Recon & Initial Access

Many Attempts

Deny, Degrade, Destroy

Few Examples

Page 18

ICS-Focused Malware

• STUXNET

• HAVEX

• BLACKENERGY2

• CRASHOVERRIDE

• TRISIS

ICS Disruptive Events

• 2005-2010 (?): STUXNET

• 2014: German Steel Mill Attack

• 2015: Ukraine BLACKENERGY3

• 2016: Ukraine CRASHOVERRIDE

• 2017: Saudi Arabia TRISIS

Disruptive/Destructive Malware

• STUXNET

• CRASHOVERRIDE

• TRISIS

Page 19

More Aggressive Attacks

Greater Adversary Risk Tolerance

Pursuit of Physical ICS Attacks

Heightened Danger to Asset Owners

Page 20

Legacy (pre-2016)

• Custom Malware and Specific Tools

• Exploit Use for Movement and Access

• Manual Operations for ICS Impact

Current

• “Commodity” Techniques until ICS Attack

• Credential Theft and System Tool Use to Spread

• ICS Effects and Manipulation Codified in Software

Page 21

Initial Intrusion & Lateral Movement

• Leverage “Commodity” Tools

• Deploy “Living off the Land” Techniques

• Avoid Custom Tools and Tradecraft

ICS-Specific Disruption

• Attacks are Unique to Target, Environment

• Requires Building Custom Attack Software

• Little Scope for Direct Replay

Page 22

Page 23

Page 24

ICS Environments are “Brittle”

• Little scope for direct testing

• Asset owners are conservative

ICS Attacks have Pre-Requisites

• Focus on enabling factors for testing

• Imperfect for complete security, but valuable for defense in depth

Multiple Paths to Security Testing

• Notional/Logical testing has value

• Direct penetration testing may be least valuable option

Page 25

Asset Owner Trust

•Clear communication and requirements necessary

•Be prepared for extensive discussion on ROE

•What experience, certifications, and training do you need to enter environment?

Technical Capability

•Determine scope and direction of test

•ICS tools vs. IT tools – depends on type and extent of assessment

•Are custom tools/capabilities required?

Identifying End-State

•Delineate goals in advance relative to ICS operations:

•Improve security

•Enhance recovery

•Minimize downtime

Page 26

Page 27

Initial Intrusion

Enterprise IT access

Enumerate and scope environment

Identify and gather information of interest to ICS operations

IT-ICS Pivot

Identify mechanisms to migrate to ICS

Requires continuous connectivity to adversary infrastructure

ICS Impact

Two mechanisms:

• Manual manipulation (legacy)

• Automated interaction (current)

Goal is to manipulate physical processes via logical means

Page 28

IT Intrusion

•Essentially a standard penetration test

•For industrial organizations, may need to assign “special attention” to operationally-significant groups

IT-ICS Boundary

•Identify and assess IT-ICS links

•Still represents an IT-centric test, but determines ICS environment external risk

ICS Penetration

•Options include Windows-centric lateral movement testing, or process-specific assessment

•Identify tools and techniques needed in advance in light of ROE

ICS Impact

•Notional/logical only

•Demonstrate mechanisms through which impact could occur – rather than creating such an impact

Page 29

Confidentiality, Integrity, Availability

Page 30

ICS Operations

Process Safety

Process Reliability

Process Integrity

Page 31

Physical-process nature of ICS limits ability to directly assess impacts

Focus instead on pathways to ICS impact

When desired, leverage notional testing through table tops and walk-throughs for direct impact assessment

Page 32

Initial Intrusion

• Essentially the same as a “normal” penetration test

• Identify ingress points to the organization

Lateral Movement

• Identify and map routes to reach control systems

• What pathways exist enabling ICS access

ICS Breach

• Once ICS accessed, what options are available to an adversary

• Test visibility, response, and monitoring

Page 33

Recognize limitations in ICS environments for direct testing

Leverage whole-of-kill chain approach for comprehensive assessment

Build off of known ICS attacks to develop methodologies

Page 34

Table Top Exercise

•Walk through plans and responses

•Least invasive, also likely to have least value*

Attack Surface Assessment

•Logical and interactive probing of ICS-facing assets

•Determine and evaluate risk with minimally-invasive techniques

Interactive Pen Test

•Risky in the sense of possible “unforeseen consequences”

•Most valuable in accurately gauging defense

Page 35

Opportunistic IT Infections spreading to ICS

Direct Disruptive ICS Events

ICS Integrity Attacks

Page 36

Page 37

Identify IT-ICS Links

• Assess monitoring and access controls

• Identify work-arounds

Lateral Movement in ICS

• How can additional systems in ICS be reached

• What is the scope of spread from IT

ICS Recovery

• Table top or discussion only

• Plans and procedures for restoring operation
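The IT-ICS boundary assessment on page 28 and the "Identify IT-ICS Links" and "scope of spread from IT" steps above both call for logical (notional) testing rather than touching control hardware. As an added example that is not part of the deck or of any Dragos tooling, the Python below models a segmented plant network as zones joined by firewall rules and enumerates every route from the enterprise zone into the control zone. Zone names, rules and service names are constructed for illustration; each route is scored on whether an intruder could move laterally with admin protocols at every hop, whether it skips the DMZ, and which industrial protocols the final hop exposes.

```python
"""Logical enumeration of IT-to-ICS pathways (added example, not from the deck).

A segmented plant network is modelled as zones joined by firewall rules. Every
route from the enterprise zone into the control zone is walked and scored.
Zone names, rules and service names are constructed for illustration only.
"""
from collections import deque
from dataclasses import dataclass

# Protocols an assessor would flag on a route into ICS: remote-admin / lateral
# movement services, and industrial protocols that talk directly to controllers.
LATERAL_MOVEMENT = {"rdp", "smb", "rpc", "winrm", "ssh"}
INDUSTRIAL = {"modbus", "dnp3", "iec104", "opc-ua", "s7comm"}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    service: str  # permitted service name


# Constructed rule set: enterprise -> dmz (historian web front-end, jump host)
# -> supervisory (EWS/HMI) -> control (PLCs). The enterprise -> supervisory
# WinRM rule stands in for the kind of vendor "work-around" the deck warns about.
RULES = [
    Rule("enterprise", "dmz", "https"),
    Rule("dmz", "supervisory", "rdp"),
    Rule("dmz", "supervisory", "smb"),
    Rule("supervisory", "control", "modbus"),
    Rule("supervisory", "control", "s7comm"),
    Rule("enterprise", "supervisory", "winrm"),
    Rule("supervisory", "dmz", "smb"),
]


def adjacency(rules):
    """zone -> {next zone -> set of permitted services}"""
    adj = {}
    for r in rules:
        adj.setdefault(r.src, {}).setdefault(r.dst, set()).add(r.service)
    return adj


def find_paths(rules, start, goal, max_hops=5):
    """Breadth-first enumeration of simple zone paths from start to goal.

    Returns (zones, hops) pairs, where hops[i] lists the services permitted
    between zones[i] and zones[i+1].
    """
    adj = adjacency(rules)
    paths = []
    queue = deque([(start, [start], [])])
    while queue:
        zone, path, hops = queue.popleft()
        if zone == goal and hops:
            paths.append((path, hops))
            continue
        if len(hops) >= max_hops:
            continue
        for nxt, services in adj.get(zone, {}).items():
            if nxt not in path:  # simple paths only, no revisiting a zone
                queue.append((nxt, path + [nxt], hops + [sorted(services)]))
    return paths


def assess(rules, start="enterprise", goal="control"):
    """Score each route: can an intruder move laterally with admin protocols
    at every hop before the control zone, does the route skip the DMZ, and
    which industrial protocols does the final hop expose?"""
    findings = []
    for path, hops in find_paths(rules, start, goal):
        findings.append({
            "path": " -> ".join(path),
            "hops": hops,
            "lateral_movement_end_to_end": all(
                any(s in LATERAL_MOVEMENT for s in hop) for hop in hops[:-1]),
            "bypasses_dmz": "dmz" not in path,
            "industrial_protocols_at_control": [s for s in hops[-1] if s in INDUSTRIAL],
        })
    return findings


if __name__ == "__main__":
    for f in assess(RULES):
        print(f["path"], f["lateral_movement_end_to_end"], f["bypasses_dmz"],
              f["industrial_protocols_at_control"])
```

Run against the constructed rules, the route through the DMZ is stopped at the first hop (HTTPS only, no admin protocol), while the vendor WinRM rule yields a route that bypasses the DMZ and lands on a zone that speaks Modbus and S7comm to the controllers. That is the finding an assessor walks through at the table top, without ever sending a packet to the control network.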

Page 38

Page 39

Launcher Start

•Select Payload

•Initiate ICS Impact

Payload Execution

•Connect to Control Systems

•Manipulate State

Wiper

•Wait for Timer

•Delete Files, Remap Services, Reboot System

Post-Attack

•Leave behind “Backup” Backdoor

•SIPROTEC DDoS (Fail)

Page 40

Test C2 capability from ICS

Interactive lateral movement within ICS environment

Determine accessibility of critical systems (DCS, RTU, Historian, etc.)

Table top or walk-through of possible impacts enabled by access

Page 41

Page 42

Gain access to and harvest credentials from IT network (Mimikatz, ‘SecHack’)

Leverage multiple open- or commercial-source tools for post-exploitation (WMImplant, administrative tools)

Utilize remote access to OT network via stolen credentials

Continue pivoting through network via credential capture

Gain sufficient access to SIS to deploy TRISIS
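The intrusion path above is credential reuse end to end: harvest on IT, log in to OT over remote access with the stolen credentials, keep pivoting. The deck's defensive counterpart ("test visibility, response, and monitoring") can be exercised without touching a controller by replaying logon telemetry through detection logic. The Python below is an added example, not Dragos's or the author's code: the Windows 4624-style logon records, host names and address ranges are constructed, and the IT/OT subnets, the ten-minute window and the three-host threshold are assumptions for the illustration.

```python
"""Detecting a credential-driven IT-to-OT pivot in Windows logon records
(added example; the event records are constructed, not from a real incident).

Two signals an assessor can test visibility for:
  1. an account that authenticates remotely to an OT-segment host from an
     IT-segment source (the IT-to-OT pivot);
  2. an account that touches many distinct OT hosts inside a short window
     (continued pivoting with captured credentials).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

IT_SEGMENT = ip_network("10.10.0.0/16")   # assumed enterprise range
OT_SEGMENT = ip_network("10.50.0.0/16")   # assumed OT / DCS range
# Windows logon types: 2 = interactive console, 3 = network, 10 = RemoteInteractive (RDP)
REMOTE_LOGON_TYPES = {3, 10}

# Constructed 4624-style records:
# (timestamp, account, target host, target ip, source ip, logon type)
EVENTS = [
    ("2019-05-01T02:01:00", "svc_eng", "ENG-WS01", "10.10.4.21", "10.10.4.8", 10),
    ("2019-05-01T02:04:30", "svc_eng", "OT-JUMP01", "10.50.1.5", "10.10.4.21", 10),
    ("2019-05-01T02:06:10", "svc_eng", "OT-EWS02", "10.50.2.14", "10.50.1.5", 3),
    ("2019-05-01T02:07:45", "svc_eng", "OT-HIST01", "10.50.2.20", "10.50.1.5", 3),
    ("2019-05-01T02:09:05", "svc_eng", "OT-SIS-EWS", "10.50.3.2", "10.50.1.5", 3),
    ("2019-05-01T08:15:00", "operator1", "OT-HMI03", "10.50.2.31", "10.50.2.31", 2),
]


def parse(records):
    """Turn the raw tuples into typed events."""
    return [
        {"ts": datetime.fromisoformat(ts), "account": acct, "host": host,
         "target_ip": ip_address(tip), "source_ip": ip_address(sip), "logon_type": lt}
        for ts, acct, host, tip, sip, lt in records
    ]


def it_to_ot_pivots(events):
    """Remote logons whose target sits in OT and whose source sits in IT."""
    return [e for e in events
            if e["logon_type"] in REMOTE_LOGON_TYPES
            and e["target_ip"] in OT_SEGMENT
            and e["source_ip"] in IT_SEGMENT]


def fan_out(events, window=timedelta(minutes=10), threshold=3):
    """Accounts reaching `threshold` or more distinct OT hosts within `window`.
    Returns {account: largest number of distinct hosts seen in one window}."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["target_ip"] in OT_SEGMENT and e["logon_type"] in REMOTE_LOGON_TYPES:
            by_account[e["account"]].append(e)
    hits = {}
    for acct, evs in by_account.items():
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= threshold:
                hits[acct] = max(len(hosts), hits.get(acct, 0))
    return hits


def analyze(records=EVENTS):
    events = parse(records)
    return {
        "pivots": [(e["account"], e["host"], str(e["source_ip"]))
                   for e in it_to_ot_pivots(events)],
        "fan_out": fan_out(events),
    }


if __name__ == "__main__":
    print(analyze())
```

On the constructed records the first rule fires once, on the RDP session from the engineering workstation into the OT jump host, and the second rule flags `svc_eng` for reaching four OT hosts in under five minutes. The local console logon by `operator1` trips neither. Whether the asset owner's SIEM actually receives 4624 events from the OT jump host and engineering workstations is the visibility question the slide asks the assessor to answer.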

Page 43

Map out critical systems for ICS operational safety and integrity

Determine access and communication possibilities to these systems

Evaluate monitoring and auditing mechanisms

Walk through integrity attack scenarios based on access findings

Page 44

IT Skills have a Role in ICS Testing

• Audit and test links and communication

• “IT-ification” means production networks feature similarities to IT

Scope Needs and Purpose

• What is actually being tested?

• How will the actions better the organization?

Identify Core Interests and Values

• Safety, Reliability, and Integrity are critical

• Ensure methodologies respect and aim to secure these values!

Page 45

• Evolution of ICS Attacks and Prospects for Future Disruptive Events – Dragos (https://dragos.com/wp-content/uploads/Evolution-of-ICS-Attacks-and-the-Prospects-for-Future-Disruptive-Events-Joseph-Slowik-1.pdf)

• Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Dragos (https://dragos.com/whitepapers/CrashOverride2018.html)

• TRISIS – Dragos (https://dragos.com/blog/trisis/TRISIS-01.pdf)

• Industroyer – ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)

• TRITON – FireEye (https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html)

• Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS (https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)

Page 46