Red Teaming

5 min read

What you must know about ICS cyber attacks

Cyber attacks targeting ICS and SCADA are frequently in the news. Learn what you need to know from an ICS security expert.

8balla avatar

8balla,
Jul 14
2021

Industrial Control Systems have been a hot topic lately. 

So what exactly is ICS/SCADA, and what are the risks of an ICS attack? 

SCADA or Supervisory Control And Data Acquisition is the GUI that monitors and controls Industrial Control Systems (ICS). They operate devices via a PLC or Programmable Logic Controller. 

A device can be anything from a solenoid valve to a motor, normally attached to a small relay that opens and closes on commands from the PLC.

The process that provides you with clean drinking water is controlled by SCADA the level of chemicals per litre used in filtration for example, is regulated via a SCADA system. 

It’s in our everyday lives.

SCADA is at work on the street in the form of traffic light systems. We encounter it daily. It’s critical to our day to day lives.

 

ICS and PLCs

To talk about ICS security, we have to talk about PLCs (Programmable Logic Controllers), the main target in most ICS attacks. PLCs have been around for over fifty years now, with very little change to the way they operate or the code used to run them. Many are still connected directly to the internet, with very little protection (it was only recently that password protection was used in the firmware to protect from outside influence.) Crazy, eh? Our lives literally depend on PLCs!

The reliance upon a strong network or iron shield around the main control systems, or soft core is the protection route most companies use. They use the Purdue model to implement levels of protection, using network segmentation with IDS (intrusion detection systems) to limit access to vital levels of the model..

Industrial cyber threats

Topical ICS cyber attacks

There’s a lot of noise at the moment concerning ICS attacks. The Colonial pipeline attack has increased awareness of the security issues facing ICS.

Attacks have increased significantly since the 2016 Ukraine attack that shut down the power grid.

Way back in the 90s, there were small attacks on ICS. But these were more opportunist attacks than specifically targeted intrusions. Fast forward to now, and we have the likes of Triton that target specific ICS assets. Hacking ICS is now big business, with over $100 million made in 2020 alone by ransomware attacks. Cyber crime groups are forming, and constructing ever more sophisticated attacks targeting the critical infrastructure we rely on for our day to day lives. 

Below is a copy of the DarkSide demand from the Colonial pipeline attack.

DarkSide group ransom note.
 

President Biden only last month gave Putin a list of sixteen critical infrastructure installations that are off limits to attack. I mean, do they really need to be told to not target them? Even the DarkSide group has insisted they will not target hospitals or anywhere that puts lives at serious risk, they just want to get paid! So the APT (advanced persistent threat) may not be from cyber crime groups, but from state actors.

This year alone, there has been the high-profile Tampa, Florida water supply poisoning attempt, and the Colonial pipeline attack. They're just the ones we hear about.

So how is an ICS attack implemented? Is it specific to ICS devices, PLCs and the like? Well, the short answer is no!

Unless a PLC is connected directly to the internet, then the attack is pretty basic in nature. The reuse of credentials by APTs is very common. As in the Tampa water supply attack, harvested credentials were used to access TeamViewer.  TeamViewer, a remote connection application, was used to remotely connect into the DMZ (Demilitarized Zone.) It then gave access using the same credentials to the lower levels of the Purdue model. Luckily, an eagle eyed employee spotted an issue via the SCADA GUI, and stopped the attack.

In the case of the Colonial pipeline, basic cyber exploitation techniques were used to gain a foothold in the network. The APT then used phishing techniques to access the main DMZ, Mimikatz to enumerate credentials to access the corporate network, Netscan to find the Active Directory server, then ADFind to harvest the credentials. They used lateral movement with PSExec into the command and control network, and then defense evasion tools like Power Tool GMER and PCHunter, and then finally 7zip, Putty, and RClone to encrypt the data in the ICS workstations. 

Protecting an ICS and SCADA network isn’t hard. Take a nuclear power station for example. They have an extra level of protection in their network models that includes an air gapped segregated network, only accessible via physical manipulation. You may wonder then how did the Stuxnet worm attack the Iranian nuclear facility, bringing it to a halt? The answer is simple. Human error, flash drives were used to transfer data from the control layer to the safety zone. They were not scanned for threats, thus resulting in a shutdown and the spread of the Stuxnet worm!


How do you prevent ICS attacks?


The best way is to completely separate your OT (Operational Technology) from your IT, this of course is not always practical in an industrial environment, i would suggest the use of Unidirectional Security Gateways (USG) that would allow for safe IT/OT integration. The gateways would replace one layer of firewall in an industrial network, providing industrial control systems with complete protection from attacks, secure Industrial network monitoring and safe remote access.

We could also implement an IDS that can detect malicious modbus commands, and prevent the manipulation of the connected ICS devices. Of course, keeping your network’s software and servers up to date with the latest security patches should be part of your security policy, and be implemented periodically and methodically throughout your network.

Never use removable devices on workstations that haven't been completely scanned for malicious content. New passwords are to be generated regularly, and not reused to access different levels of a network. Most importantly, vigilance is key. If it looks wrong, report it. Suspicious people or vehicles in the vicinity of your workplace should be reported and investigated, as many places use insecure WiFi hotspots for contractors to connect to. Beware of the man with the Pringles can on top of his car!

The state of ICS cybersecurity is not great, but it is improving. With every new attack, an increase in awareness and of the manner in which these attacks are implemented gives us as defenders a greater chance at preventing the next big attack. 

Remain vigilant, stay up to date with current attacks and patch, patch, patch, those servers! Hopefully one day, we will all rest a little easier knowing our country's critical infrastructure is being protected, and our safety assured.

Hack The Blog

The latest news and updates, direct from Hack The Box