Past and future of integrity based attacks in ics environments
1 like609 views
The document discusses several past and potential future ICS attacks: - Stuxnet successfully disrupted Iranian nuclear centrifuges but had limited direct impact. - CRASHOVERRIDE largely failed to impact the Ukrainian power grid as intended. - TRISIS that targeted a safety instrumented system failed to cause damage. Future attacks may seek to directly manipulate industrial processes, undermine electric utilities, or compromise safety systems to cause physical disruption or damage. Defenders need ICS-focused security strategies including process monitoring to detect and respond to these evolving threats.
Past and future of integrity based attacks in ics environments
- 1. Joe Slowik / @jfslowik Dragos, Inc. | October 2019
- 4. ➢ ➢ ➢ ➢
- 11. Output Validation • Manufacturing tolerances • Product quality • Product consistency Long-Term Operations • Process control and understanding • Maintenance, upkeep, and modification Safety • Integrity is vital to reliability which enables safety • Unsafe processes are non-functional processes
- 12. ICS Attack Turn off the power Blow up the plant Destroy centrifuges
- 13. ICS Attack Degrade process in hard- to-diagnose fashion Introduce defects or lack of reliability Undermine process safety
- 14. Preparatory Actions Deny Degrade Destroy
- 15. Breach victim IT network Identify points of contact with ICS Enumerate and categorize control system environment Deliver effects on objective
- 19. More Aggressive Attacks Greater Adversary Risk Tolerance Pursuit of Physical ICS Attacks Heightened Danger to Asset Owners
- 22. • Use lots of zero days! • Destroy centrifuges! • Eliminate Iranian nuclear enrichment activity Popular Conception • Increase operational variation in centrifuges, increasing failure rate • Modify process telemetry to hide defect • Create hard-to-diagnose uncertainty in enrichment process Reality
- 23. Direct Impact •Some process disruption •Equipment failure Indirect Impact •Operators could no longer trust the process •Leadership no longer trusted scientists, supply chain Result •Uranium still enriched •Rate of production slowed •Trust in the process reduced
- 24. Increase cost of enrichment program Combined with physical measures* emphasized risk of current activity Likely facilitated JCPOA negotiations
- 26. Penetrate ICS, place malware on computers communicating to field devices Schedule malware execution to open breakers at target transmission site Perform a limited wipe and system disabling event on infected machines Target protective relays with DoS exploit post- attack*
- 27. Attack Operations • 2015: Manual interaction with control systems • 2016: Interactions encoded in malware* Attack Impact • 2015: Disrupt electricity distribution, inhibit recovery • 2016: Disrupt electricity transmission, inhibit recovery, attempt to impact protection systems Attack Success • 2015: • 3 distribution companies • 225k customers • Several hours • 2016: • Single transmission/distribution site • <225k customers • Approx. 1-2 hours
- 28. • Serial-to-ethernet firmware modification • Killdisk wiper deployment on workstations, HMIs 2015 • File and service wiper on impacted workstations • Attempted protective relay DoS 2016
- 29. Attackers used “wiper” to delay recovery in 2015 – but UA operators quickly moved to manual restoration Assume attackers took note: wiper functionality in 2016 would not delay (near-term) service recovery 2016 “wiper” intended for other purposes: eliminate logical view and control of SCADA environment
- 31. Create hazardous situation for personnel and equipment Induce islanding among affected substations Create pre-conditions for a possible physical impact on reconnect
- 33. Create large-scale transmission outage • Timing coincides with 2015 event • Pressures utility to restore ASAP Wiper event products loss of view, loss of control • Wiper delays restoration • More importantly degrades visibility into SCADA DoS SIPROTEC Protective Relays • Remove transmission protection on de- energized line • Loss of view makes this difficult to ascertain Anticipate rush to physical restoration • Create conditions for overcurrent event • SIPROTEC DoS results in physical damage
- 34. Anticipate rush to recovery Create unsafe state at time of restoration Produce physically- destructive impact
- 36. Gain access to and harvest credentials from IT network (Mimikatz, ‘SecHack’) Leverage multiple open- or commercial-source tools for post-exploitation (WMImplant, administrative tools) Utilize remote access to OT network via stolen credentials Continue pivoting through network via credential capture Gain sufficient access to SIS to deploy TRISIS
- 37. Media and Conference Circuit • Emphasis on plant operations disruption • ‘Malware that can kill’ Actual Implications • SIS interaction introduced an in-memory rootkit allowing adversary access • Access could enable arbitrary modification of SIS • Integrity of SIS compromised to unknown effect
- 39. Compromise SIS and plant DCS Modify SIS safety settings to support desired impact Modify or manipulate DCS to create unsafe plant state SIS modification allows unsafe state to persist or accelerate
- 40. Record safe conditions as unsafe (plant DoS) Directly trip SIS for multiple possible reasons Record unsafe conditions as safe (possible destructive event)
- 41. Modify SIS to reduce safety effectiveness Leverage DCS compromise to produce dangerous plant status Maximize potential damage due to SIS failure in impacting plant
- 42. Stuxnet: Mostly* worked CRASHOVERRIDE: Largely failed TRISIS: Failed
- 43. Integrity attacks undermine confidence in process while potentially producing impact Delayed direct impact can produce effects at time of adversary choosing Immediate direct impacts are least flexible and likely to scale
- 44. Process Manipulation Manufacturing Operations Electric Generation and Distribution Oil & Gas Production
- 45. Introduce defects into manufacturing process Add difficult-to-diagnose errors to process Increase likely product failure rate Manipulate testing tolerances for equipment quality control
- 47. • Target equipment and process safety • TRISIS-like attacksSafety • Undermine ability to protect personnel and equipment • CRASHOVERRIDE-like DoSProtection • Impact frequency consistency to introduce process variability • Generate oscillating conditions to produce AURORA-like eventReliability
- 49. Electric Utility Operation Attacks Generation Frequency Instability Protective Relay Disabling Translate loss of Frequency Stability into Physical Damage
- 50. ICS Security Traditional IT- Centric Defense Process Monitoring and Analysis Resilience and Recovery Investment
- 51. Identify indications of ICS breach Correlate IT intrusion information to anomalous process data Deploy knowledge to investigate process disruptions Facilitate post-incident recovery and analysis
- 52. Continued Adversary Interest in ICS Increased Acceptance of Physical Damage Need for Defenders to Embrace Logical and Process Monitoring, ICS- Focused Defense
- 53. • Evolution of ICS Attacks and Prospects for Future Disruptive Events – Dragos (https://dragos.com/wp- content/uploads/Evolution-of-ICS-Attacks-and-the-Prospects-for-Future-Disruptive-Events-Joseph-Slowik-1.pdf) • Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Dragos (https://dragos.com/whitepapers/CrashOverride2018.html) • CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack – Dragos (https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf) • Industroyer – ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf) • Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS (https://ics.sans.org/media/E- ISAC_SANS_Ukraine_DUC_5.pdf) • Staged Cyber Attack Reveals Vulnerability in Power Grid – CNN (http://www.cnn.com/2007/US/09/26/power.at.risk/) • Common Questions and Answers Addressing the Aurora Vulnerability – Mark Zeller (https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6467_CommonQuestions_MZ_20101209_Web.p df?v=20150812-151908) • Myth or Reality – Does the Aurora Vulnerability Pose a Risk to My Generator? – Mark Zeller (https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6452_MythReality_MZ_20110217_Web2.pdf?v=2 0181015-210359)