The subject of an article written for your sister publication, Control Design, has given me cause for concern as it ignores fundamental security issues that can be introduced when connecting control system environments to other environments such as business networks. While the world is becoming more and more interconnected and “connecting machines to IT systems provides a number of benefits,” such connectivity, if not installed properly, can introduce many security challenges. These inter-connections can enable security vulnerabilities and potential pathways for compromise of the control environment by malicious threat actors.
The mission of the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center (NCCIC), and specifically the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is to assist critical infrastructure asset owners to reduce cyber risks to control systems and processes that operate the nation’s critical infrastructure. ICS-CERT responds to cybersecurity incidents on a daily basis, almost all involving compromises of control system environments via connections to the corporate network. Once on the network, intruders often move laterally looking for other connected zones or networks. Without proper network segmentation and monitoring of communications, the control system environment can potentially be compromised, in some cases providing the ability for the intruder to take control of the process.
When it comes to protecting control system networks from these types of incidents, ICS-CERT recommends three basic principles.
- Do not allow direct connectivity from the Internet into your ICS network.
- Never allow any machine on the control network to talk directly to a machine on the business network or Internet. This means controlling communications flows through intermediary networks such as de-militarized zones (DMZs), virtual private networks (VPNs), thorough access controls and in some cases utilizing one-way traffic devices.
- Configure firewalls to allow only required and specific devices/ports to communicate with one another through the firewall. Block everything else by default.
In 2014, ICS-CERT responded to two malware campaigns launched by sophisticated threat actors specifically targeting control systems: Havex and BlackEnergy. Following the principles above would have prevented these intrusions along with other potential compromises of industrial control systems. ICS-CERT is concerned with the recent rise in targeted and successful malware campaigns against industrial control systems (ICSs).
These campaigns were associated with sophisticated threat actors with demonstrated capabilities to compromise control system networks. The depth of intrusion into the control system network provided the threat actors with the ability to potentially manipulate control system settings, control the process and even potentially destroy data and/or equipment.
Havex is an ICS-focused malware campaign that uses multiple vectors for infection. These include phishing emails containing redirects to compromised websites and, most recently, compromised software installers on at least four software vendor websites, which were delivering malware to unsuspecting customers when they downloaded software updates to their systems. These are known as watering hole-style attacks where the attacker “poisons the well” and all visitors to the website could potentially be infected with a virus or trojan.
The malware is a remote access trojan (RAT) with demonstrated capabilities to access control system environments. Once infected, the threat actor has ready access to the victim’s network and can intrude at will to steal data and, if access is obtained to the control system environment, manipulate the process.
The BlackEnergy malware targets the human-machine interface (HMI) directly. All of the known victims of the BlackEnergy malware campaign were infected via Internet-facing HMIs. With access to the HMI, an intruder can turn on/off equipment, see the status of the process and, in some cases, change the set points of the system such as the allowable level of a tank or the maximum temperature of a batch. This depth of intrusion into a control system poses a serious threat to the stability of the process and the potential for physical consequences.
Analysis of the threat actor’s techniques used in the BlackEnergy campaign reveals a focused effort to find and exploit previously unknown vulnerabilities in control system devices and software. This effort required specific research into control system devices/software, along with testing to gain the capability to launch a successful intrusion.
Scanning modules within the BlackEnergy malware
Once a network is infected, the malware sets up communications back to a command and control server to download additional capabilities, referred to as modules. ICS-CERT is aware of two separate modules designed to scan the victim’s network looking for control system devices. These two modules are of concern because they are the first ICS-specific modules (capabilities) that ICS-CERT is aware of post-Stuxnet. In 2010, the Stuxnet virus was discovered and became known as the first sophisticated malware directly targeting Siemens Step 7 programmable logic controllers used to operate variable speed drives in industrial processes. The following provides a brief description of these modules.
- OPC module: Open platform communications (OPC) is a communications protocol (communications language) that allows different ICS devices from multiple vendors to share information. There are two versions: OPC Classic and a newer version called OPC Unified Architecture (UA). The BlackEnergy malware targeted the older and less secure version. This module used the OPC protocol to scan the compromised network, looking for types of control-system devices running OPC on the network.
- Network scanning module: This module scans specific ports on the victim’s network. The ports that the modules scan are specifically used for control-system software and protocols: RSLinx is a Rockwell ICS server; Modbus is a heavily used ICS protocol; Siemens and Inter-Control Center Communications Protocol (ICCP) are used heavily in the electrical subsector; Measuresoft is a SCADA server; and 7-Technologies is a server now owned by Schneider Electric.
All this points to the fact that the threat actors have knowledge of control systems, of how they operate and of how they communicate. And they’ve developed tactics to find them on the compromised network.
Sophisticated threat actor groups will continue targeting ICS using unique methods and unknown vulnerabilities. The targeting of ICS by both campaigns was undetected by the asset-owner community and the security industry for one to three years. It’s difficult to anticipate the methods and vulnerabilities that will be used in the next campaign; however, the best defense is to use proven security best practices for a sound defensive posture.
ICS-CERT has many resources and services available to assist critical infrastructure asset owners. Most of the cyber incidents ICS-CERT responds to could have been prevented by the use of basic cybersecurity principles and practices. Most sectors have information sharing and analysis centers (ISACs), which provide up-to-date information about emerging threats and vulnerabilities impacting that sector. Every sector has an assigned sector specific agency (SSA) that coordinates risk reduction efforts for that sector. We continue to encourage asset owners to assess their risks and begin the process of continuously improving their cybersecurity posture.