Symantec’s 2015 Website Security Threat Report included details of methods used in targeted attacks on Industrial Control Systems (ICS). ICSes control not just industrial facilities, but critical infrastructure components such as energy, transportation and communications networks. Repercussions of hacks on ICSes can include the potential sabotage of energy systems or the massive damage done in a German steel mill when an incursion led to the unscheduled shutdown of a blast furnace.
The function of ICSes makes them high priority targets for hackers. Long-term attacks using every possible attack vector and vulnerability are the norm, and understanding the best practices needed to protect ICSes can provide significant insight into protecting systems that are not as heavily targeted.
NIST’s Guide to Industrial Control Systems (ICS) Security notes that ICSes were originally not reachable over the internet, and were therefore exposed only to threats from local access. ICSes’ primary design concerns were availability, safety, and performance, and patching security vulnerabilities cannot sacrifice these properties. With that in mind, NIST provides the following recommendations for securing ICSes:
- Restricting logical access to the ICS network and network activity
- Restricting physical access to the ICS network and devices
- Applying security patches “in as expeditious manner as possible, after testing them under field conditions”
- Disabling all unused ports and services
- Restricting user privileges to only required privileges
- Deploying antivirus software
- Deploying file integrity checking software
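The last recommendation in that list is the one most often left to commercial products, but the core of it is small. The following program is an added example (it is not from the NIST guide or the Symantec report): it records a SHA-256 baseline of every regular file under a directory, rescans later, and reports what was added, modified or removed. The directory contents and file names in `main` are constructed for the demonstration; on a real HMI or engineering workstation the baseline would be taken from a known-good image and stored read-only, ideally off the host.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline walks root and records the SHA-256 of every regular file,
// keyed by its slash-separated path relative to root.
func Baseline(root string) (map[string]string, error) {
	sums := make(map[string]string)
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() { // skip directories, symlinks, devices
			return nil
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		sum, err := hashFile(p)
		if err != nil {
			return err
		}
		sums[filepath.ToSlash(rel)] = sum
		return nil
	})
	return sums, err
}

// hashFile streams one file through SHA-256 so large binaries need not fit in memory.
func hashFile(p string) (string, error) {
	f, err := os.Open(p)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Report lists the differences between a stored baseline and a fresh scan.
type Report struct {
	Added, Modified, Removed []string
}

// Diff compares a stored baseline against a fresh scan; results are sorted for stable output.
func Diff(baseline, current map[string]string) Report {
	var r Report
	for p, sum := range current {
		old, ok := baseline[p]
		switch {
		case !ok:
			r.Added = append(r.Added, p)
		case old != sum:
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range baseline {
		if _, ok := current[p]; !ok {
			r.Removed = append(r.Removed, p)
		}
	}
	for _, s := range []*[]string{&r.Added, &r.Modified, &r.Removed} {
		sort.Strings(*s)
	}
	return r
}

// Clean reports whether the scan matched the baseline exactly.
func (r Report) Clean() bool { return len(r.Added)+len(r.Modified)+len(r.Removed) == 0 }

func main() {
	// Constructed demo: a throwaway directory stands in for an HMI's program folder.
	dir, err := os.MkdirTemp("", "ics-fim")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "hmi.exe"), []byte("original binary"), 0o644)
	os.WriteFile(filepath.Join(dir, "config.ini"), []byte("plc=10.0.0.5"), 0o644)
	base, _ := Baseline(dir)
	// Simulate a modified binary and an unexpected new file, then rescan.
	os.WriteFile(filepath.Join(dir, "hmi.exe"), []byte("modified binary"), 0o644)
	os.WriteFile(filepath.Join(dir, "extra.dll"), []byte("unexpected"), 0o644)
	now, _ := Baseline(dir)
	r := Diff(base, now)
	fmt.Printf("clean=%v added=%v modified=%v removed=%v\n", r.Clean(), r.Added, r.Modified, r.Removed)
}
```

Scheduling `Baseline` from a read-only location and alerting on any non-clean `Report` is the whole of the recommendation; the hard part in an ICS environment is keeping the baseline current across legitimate vendor updates, which is why the patch-testing step below matters.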
Symantec’s report found that in practice ICSes were not locked down as stringently as NIST recommended.
The Dragonfly group exploited multiple weaknesses in ICS security with attacks on the US energy sector that date back to 2011. They started with a spear phishing attack, and then moved on to compromising websites that users at their targets were likely to visit in a watering hole attack. The compromised websites redirected visitors to other sites that hosted exploit kits, which then delivered malware to computers on the target’s network. At this stage the malware was primarily used for reconnaissance of the corporate network, capturing everything from file names to passwords. With hackers entrenched in the corporate network, the only way to protect the ICS is to completely segregate its network.
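Segregation only holds if it is both enforced and watched. The program below is an added example (not from the Symantec report) of the zone-and-conduit model that underlies ICS segmentation: it assigns addresses to a corporate, DMZ or ICS zone, allows only explicitly listed cross-zone conduits, and audits constructed flow-log lines for anything crossing into the ICS zone outside those conduits. The address ranges, the conduit list and the log lines are all constructed for the demonstration and carry no relation to any real network.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Zone names used by the constructed policy below.
const (
	Corporate = "corporate"
	DMZ       = "dmz" // historian / jump host tier between IT and ICS
	ICS       = "ics"
	Unknown   = "unknown"
)

// Constructed address plan; a real deployment substitutes its own ranges.
var zones = map[string]*net.IPNet{
	Corporate: mustCIDR("10.1.0.0/16"),
	DMZ:       mustCIDR("10.2.0.0/24"),
	ICS:       mustCIDR("192.168.100.0/24"),
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// ZoneOf maps an address to its zone; anything outside the plan is Unknown.
func ZoneOf(ip net.IP) string {
	for name, n := range zones {
		if n.Contains(ip) {
			return name
		}
	}
	return Unknown
}

// Rule describes one permitted conduit between zones. Anything not listed is denied.
type Rule struct {
	From, To, Proto string
	Port            int
}

// Constructed conduit list: corporate users may reach the DMZ historian over HTTPS,
// and only the DMZ tier may speak Modbus/TCP into the ICS zone. No corporate->ICS path exists.
var conduits = []Rule{
	{From: Corporate, To: DMZ, Proto: "tcp", Port: 443},
	{From: DMZ, To: ICS, Proto: "tcp", Port: 502},
}

// Flow is one observed connection attempt.
type Flow struct {
	Src, Dst net.IP
	Proto    string
	Port     int
}

// Allowed implements default-deny: traffic within one zone is permitted (it is
// governed elsewhere); traffic crossing zones needs an explicit conduit rule.
func Allowed(f Flow) bool {
	from, to := ZoneOf(f.Src), ZoneOf(f.Dst)
	if from == Unknown || to == Unknown {
		return false
	}
	if from == to {
		return true
	}
	for _, r := range conduits {
		if r.From == from && r.To == to && r.Proto == f.Proto && r.Port == f.Port {
			return true
		}
	}
	return false
}

// ParseFlow reads one constructed flow-log line of the form "src dst proto port".
func ParseFlow(line string) (Flow, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return Flow{}, fmt.Errorf("bad flow line %q", line)
	}
	port, err := strconv.Atoi(fields[3])
	if err != nil {
		return Flow{}, fmt.Errorf("bad port in %q: %w", line, err)
	}
	src, dst := net.ParseIP(fields[0]), net.ParseIP(fields[1])
	if src == nil || dst == nil {
		return Flow{}, fmt.Errorf("bad address in %q", line)
	}
	return Flow{Src: src, Dst: dst, Proto: strings.ToLower(fields[2]), Port: port}, nil
}

// Audit returns the flow lines that violate the conduit policy; a segmentation
// monitor should alert on every one of them.
func Audit(lines []string) ([]string, error) {
	var violations []string
	for _, l := range lines {
		f, err := ParseFlow(l)
		if err != nil {
			return nil, err
		}
		if !Allowed(f) {
			violations = append(violations, l)
		}
	}
	return violations, nil
}

func main() {
	// Constructed flow records, not real data.
	sample := []string{
		"10.1.5.20 10.2.0.10 tcp 443",       // corporate -> DMZ historian: allowed
		"10.2.0.10 192.168.100.7 tcp 502",   // DMZ -> PLC over Modbus/TCP: allowed
		"10.1.5.20 192.168.100.7 tcp 502",   // corporate -> PLC directly: violation
		"10.1.5.20 192.168.100.9 tcp 3389",  // corporate -> ICS host RDP: violation
		"192.168.100.7 203.0.113.5 tcp 443", // PLC -> internet: violation
	}
	v, err := Audit(sample)
	if err != nil {
		panic(err)
	}
	for _, l := range v {
		fmt.Println("VIOLATION:", l)
	}
}
```

The same conduit table can drive the firewall rules that enforce the segmentation and the monitor that audits it, which keeps the two from drifting apart; the outbound PLC-to-internet line in the sample is the kind of flow that a default-deny rule set blocks and that the audit would surface if it were ever seen.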
The last stage of the Dragonfly attack was innovative and reached directly into the ICS network. The group used a variant of the watering hole attack in which software distributed by ICS equipment manufacturers was infected. When ICSes checked for updates, they downloaded the malware along with the update. Thoroughly testing patches before installation might have detected the infected software.
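Testing in the field catches misbehaviour; checking the package before it is ever staged catches substitution. The program below is an added example (not the report's or any vendor's code) of the gate an update process can run first: the vendor publishes a manifest naming the product, version and package digest, signed with an Ed25519 key, and the ICS side verifies that signature against a key pinned at install time before comparing the digest of what it actually downloaded. A package swapped on the download site fails the digest check, and a manifest signed by any other key fails the signature check. The key pair, product name and package bytes are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor publishes alongside an update package.
type Manifest struct {
	Product string `json:"product"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the package bytes
}

// SignManifest is the vendor-side step: serialise the manifest and sign it.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestJSON, sig []byte, err error) {
	manifestJSON, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigest       = errors.New("package digest does not match the signed manifest")
	ErrProduct      = errors.New("manifest is for a different product")
)

// VerifyUpdate is the ICS-side gate that runs before anything is staged for
// field testing. pinnedPub was installed with the product, not fetched from the
// same server as the update, so a compromised download site cannot replace it.
func VerifyUpdate(pinnedPub ed25519.PublicKey, product string, manifestJSON, sig, pkg []byte) (Manifest, error) {
	if !ed25519.Verify(pinnedPub, manifestJSON, sig) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	if m.Product != product {
		return Manifest{}, ErrProduct
	}
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(pkg)
	if err != nil || !bytes.Equal(want, sum[:]) {
		return Manifest{}, ErrDigest
	}
	return m, nil
}

func main() {
	// Constructed demo: a vendor key pair and a stand-in update package.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("firmware-v2.1 (constructed payload)")
	sum := sha256.Sum256(pkg)
	manifestJSON, sig, _ := SignManifest(priv, Manifest{Product: "ExamplePLC", Version: "2.1", SHA256: hex.EncodeToString(sum[:])})

	m, err := VerifyUpdate(pub, "ExamplePLC", manifestJSON, sig, pkg)
	fmt.Printf("genuine package: version=%s err=%v\n", m.Version, err)

	// The same manifest, but the package served to the device was altered.
	altered := append(append([]byte{}, pkg...), " (altered)"...)
	_, err = VerifyUpdate(pub, "ExamplePLC", manifestJSON, sig, altered)
	fmt.Println("altered package:", err)

	// A manifest for the altered package signed with some other key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	alteredSum := sha256.Sum256(altered)
	otherJSON, otherSig, _ := SignManifest(otherPriv, Manifest{Product: "ExamplePLC", Version: "2.2", SHA256: hex.EncodeToString(alteredSum[:])})
	_, err = VerifyUpdate(pub, "ExamplePLC", otherJSON, otherSig, altered)
	fmt.Println("foreign signature:", err)
}
```

The order of checks matters: the signature is verified before the manifest is parsed, so unauthenticated input never reaches the JSON decoder, and the product check stops a validly signed manifest for one product from being replayed against another. This gate does not replace the field test the report implies; it makes sure the field test is exercising the package the vendor actually released.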
Another direct attack on ICSes was access to internet-accessible human-machine interfaces (HMIs). Symantec outlines the vulnerabilities in HMIs and other ICS web interfaces:
Many of the proprietary Web applications available have security vulnerabilities that allow buffer overflows, SQL injection, or cross-site scripting attacks. Poor authentication and authorization techniques can lead the attacker to gain access to critical ICS functionalities. Weak authentication in ICS protocols allows for man-in-the-middle attacks like packet replay and spoofing.
Best practices for vulnerable, internet-accessible applications are patching where available, restricting access to secure channels (e.g. VPN), and implementing multifactor authentication.
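Multifactor authentication on an HMI is usually a time-based one-time code on top of the password. The program below is an added example (it is not from the report, and it is not any HMI product's code) implementing RFC 6238 TOTP over RFC 4226 HOTP with only the Go standard library, plus the two details that decide whether the second factor is worth anything: a one-step tolerance for clock drift between the token and the server, and replay rejection so that a code observed once (say, through the weak ICS protocols the quote mentions) cannot open a second session. The shared secret and timestamps in `main` are the published RFC 6238 reference values, used here so the output can be checked against the standard.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6
	skewSteps  = 1 // also accept the previous and next step to absorb clock drift
)

// hotp computes the RFC 4226 code for one counter value (HMAC-SHA1 with dynamic truncation).
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, code%mod)
}

// TOTP returns the RFC 6238 code for a shared secret at the given time.
func TOTP(secret []byte, at time.Time) string {
	return hotp(secret, uint64(at.Unix())/totpStep)
}

var (
	ErrBadCode = errors.New("second factor rejected")
	ErrReplay  = errors.New("code already used")
)

// Verifier checks second-factor codes for HMI logins and remembers, per user,
// the highest time step whose code has already been accepted.
type Verifier struct {
	mu       sync.Mutex
	lastStep map[string]uint64
}

func NewVerifier() *Verifier { return &Verifier{lastStep: make(map[string]uint64)} }

// Check validates code for user at time now. The caller supplies the user's
// secret from wherever it is stored; this type only decides accept or reject.
func (v *Verifier) Check(user string, secret []byte, code string, now time.Time) error {
	step := uint64(now.Unix()) / totpStep
	v.mu.Lock()
	defer v.mu.Unlock()
	for d := -skewSteps; d <= skewSteps; d++ {
		c := uint64(int64(step) + int64(d))
		// hmac.Equal gives a constant-time comparison of the two code strings.
		if hmac.Equal([]byte(hotp(secret, c)), []byte(code)) {
			if prev, seen := v.lastStep[user]; seen && c <= prev {
				return ErrReplay // same or older step already consumed
			}
			v.lastStep[user] = c
			return nil
		}
	}
	return ErrBadCode
}

func main() {
	// RFC 6238 reference secret and timestamp; the expected code at t=59 is 287082.
	secret := []byte("12345678901234567890")
	at := time.Unix(59, 0)
	code := TOTP(secret, at)
	fmt.Println("code at t=59:", code)

	v := NewVerifier()
	fmt.Println("first use:   ", v.Check("operator", secret, code, at))
	fmt.Println("replayed:    ", v.Check("operator", secret, code, at.Add(10*time.Second)))
	fmt.Println("wrong code:  ", v.Check("operator", secret, "000000", at))
}
```

The replay record only has to cover the skew window, so a production verifier can expire entries after a couple of steps; what it must not do is skip the record, because a six-digit code that stays valid for a minute is trivial to reuse if the protocol carrying it can be observed. The VPN requirement from the same sentence belongs in front of this check, not instead of it.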
The stakes are higher for ICSes, but the best practices are the same. Keep your high-value targets segregated. Keep up to date on patches and antivirus definitions. Educate your users on security. And finally, monitor your networks for any and all suspicious activity.