Cyber Threat Intelligence and ICS/OT Security

  • Writer: Danny Vukobratovich
  • Jun 20
  • 6 min read
Cyber Industrial Control Systems

Introduction

Industrial Control Systems and Operational Technology (ICS/OT) are information systems that control physical machines in order to operate complex processes. As the Internet has evolved, these systems have been adapted to accommodate the need for Internet connectivity. This evolution has raised unforeseen security concerns, affecting many of the critical infrastructure sectors identified by the Cybersecurity and Infrastructure Security Agency (CISA). Having a framework to defend these systems is crucial to the operation of these industries.


ICS/OT Security Background

Industrial Control Systems (ICS) and Operational Technology (OT) are the systems that run and manage critical infrastructure, including water and sewage treatment plants, electrical grids, traffic control systems, and many other essential facilities. The security of these systems is paramount to society's daily operations (Verve, 2024). As technology evolves, the complexity of these systems and the adversaries that aim to either take control or disrupt these systems grow at a comparable rate. ICS/OT Security defends these systems. Some key components of ICS/OT Security are asset inventory, vulnerability management, network segmentation, patch management, and endpoint protection. The potential for a security incident grows yearly, and the consequences may be dire.


Energy Sector Incidents

Understanding what types of incidents can occur will help build a cyber threat intelligence program that defends against the adversaries who target these systems. Incidents may range from a simple denial of service to a disruption of service to putting public safety at risk. Protecting ICS/OT systems is different from protecting traditional Information Technology (IT) systems. IT systems can be patched at regular intervals and receive standard support from vendors and software developers. ICS/OT systems may have been in place for ten, fifteen, or even twenty years. They may consist of basic sensors that report on pumps, programmable logic controllers (PLCs), and monitoring and control stations. These systems may also lack vendor support due to age, cost, or other reasons. Let’s explore the types of incidents that have occurred with these systems.


Incident 1: Ukrainian Power Grid Attack

At the end of 2015, an attack left roughly 230,000 residents of Ukraine without power for 1 to 6 hours. The attack, as described by one of the operators, showed significant sophistication. The operator described watching the mouse cursor move across his screen, clicking through menus and shutting down breakers (Zetter, 2016). When he attempted to regain control, the system was unresponsive. He even tried to enter his credentials but found that his password had been changed. After the investigation, no adversary could be positively identified. Earlier in the spring, a spear phishing campaign had been launched against the power station staff, which appeared to compromise key credentials necessary for the more advanced attack later in the year. Attached to the emails was a macro-enabled document that allowed for the compilation of BlackEnergy3 on key systems. The attackers then mapped and reconfigured backup power systems to ensure that the main attack would be successful. Another portion of the attack involved creating firmware for the serial-to-Ethernet converters that disabled the components of targeted devices. As the main attack commenced with the shutdown of substations, the attackers also uploaded this firmware to critical devices, bringing them offline. This required manual intervention by the operators to get the breakers back online. This first-of-its-kind attack on power substations showed the world that these systems are vulnerable to cyberattacks.


Behavior and Motivation

The analysis of this attack showed that there were varying degrees of behavior. This was pieced together from the various logs of the Ukrainian firewall systems (Zetter, 2016). The corporate network was hit first. From there the attackers performed significant reconnaissance to find a way around the segmented networks and gain access to the operational technology. As the attackers already had access to the corporate network, which contained the domain controllers, they used these systems to obtain user credentials for the VPNs that protected, but also allowed remote access to, the ICS/OT networks. Once they had access to the remote connections, the reconfigurations described above could be carried out. On the day of the attack, a telephone DDoS attack was launched to disrupt customer communications, preventing customers from reporting the outages. Once they had stopped communication, they initiated the primary attack to shut down the breakers. After this step, they began using a malware called KillDisk to wipe operator stations (Zetter, 2016). The motivation for this attack appeared to coincide with Russia’s attack on Crimea, during which a similar attack was launched. While the intelligence community has inferred that the attack came from Russia, there is no direct evidence to correlate this with a nation-state attack.


Incident 2: Attack Against Oldsmar, Florida Water Supply

At the beginning of 2021, an attacker remotely accessed a SCADA system controlling water treatment levels for Oldsmar, Florida. The operator reported that he saw a remote user attempting to raise the level of a caustic chemical, used to adjust the pH of the water, to an unsafe value (Greenberg, 2021). The normal level for this chemical is 100 parts per million, but it was raised to 11,100 parts per million, which may have put the population at risk. The operator was able to move the level back to normal. The attack was confirmed through system logs.


Behavior and Motivation

The adversary appeared to gain access to the system through a remote viewing and control application called TeamViewer. This application is widely used in various industries for remote support, as it enables remote control, file transfers, and even VPN connections (Greenberg, 2021). As of the investigation, it is still unknown how the attacker used the application to gain remote control. The system logs indicate that the attacker was located on the Internet rather than inside the plant. It is also unknown where the attack originated. The motivation for the attack seemed clear, as the attacker wanted either to make a statement or to demonstrate the ability to control this system.
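The Oldsmar incident was caught by an operator who happened to be watching the screen. The following is an added example (not code from the original post) of how the same event could be caught automatically: it scans an HMI setpoint-change audit trail and raises alerts for values outside engineering limits, for unusually large single-step changes, and for any change made from a remote session. The log line format, the tag name `NaOH_ppm_setpoint`, and the limits are assumptions; only the 100 ppm and 11,100 ppm figures come from the article.

```python
import re

# Assumed audit-log line format (constructed for this example):
# <timestamp> session=<local|remote> user=<name> tag=<tag> old=<v> new=<v>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>local|remote) user=(?P<user>\S+) "
    r"tag=(?P<tag>\S+) old=(?P<old>[\d.]+) new=(?P<new>[\d.]+)$"
)

# Engineering limits per process tag: (low, high, max single-step change).
# Assumed values; in practice they come from the plant's process engineers.
LIMITS = {
    "NaOH_ppm_setpoint": (0.0, 500.0, 50.0),
}

def check_change(rec):
    """Return (ts, tag, reason, detail) alerts for one setpoint change."""
    tag, old, new = rec["tag"], float(rec["old"]), float(rec["new"])
    if tag not in LIMITS:
        return [(rec["ts"], tag, "unknown_tag", "no engineering limits defined")]
    low, high, max_step = LIMITS[tag]
    alerts = []
    if not (low <= new <= high):
        alerts.append((rec["ts"], tag, "out_of_range", f"{new} outside [{low}, {high}]"))
    if abs(new - old) > max_step:  # also fires on the operator's restore; that is intended
        alerts.append((rec["ts"], tag, "large_step", f"delta {abs(new - old)} > {max_step}"))
    if rec["session"] == "remote":
        alerts.append((rec["ts"], tag, "remote_session", f"changed by {rec['user']} remotely"))
    return alerts

def scan_log(lines):
    """Parse audit-trail lines and collect every alert they raise."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a setpoint-change record; ignore
        alerts.extend(check_change(m.groupdict()))
    return alerts

# Constructed sample audit trail (not real plant data): a routine local
# adjustment, the remote jump to 11,100 ppm, and the operator's restore.
SAMPLE_LOG = [
    "2021-02-05T08:00:00 session=local user=op1 tag=NaOH_ppm_setpoint old=100 new=105",
    "2021-02-05T13:30:00 session=remote user=op1 tag=NaOH_ppm_setpoint old=100 new=11100",
    "2021-02-05T13:31:00 session=local user=op1 tag=NaOH_ppm_setpoint old=11100 new=100",
]

if __name__ == "__main__":
    for ts, tag, reason, detail in scan_log(SAMPLE_LOG):
        print(f"{ts} {tag} {reason}: {detail}")
```

The remote 11,100 ppm change trips all three rules at once, while the routine 105 ppm adjustment trips none; a real deployment would feed these alerts to the OT network monitoring mentioned later in the article.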


Framework and Standards

Security frameworks and standards help an organization understand what is necessary to implement a successful security plan. Several frameworks exist, including an Industrial Control System (ICS) Security Framework from Verve (Verve, 2024). The National Institute of Standards and Technology (NIST) has introduced guidelines for operational technology (OT) security. This publication, dated 2023, provides information on developing an OT security program, OT cybersecurity architecture, and applying the Cybersecurity Framework to OT (Stouffer et al., 2023). Ultimately, understanding who the adversaries are will help develop the appropriate controls to mitigate the risks to ICS/OT networks.


Threat Intelligence Examples and Threat Hunting

There are numerous sources of threat intelligence in the IT world. The ICS/OT world is significantly more specialized and requires a more specialized approach. MITRE ATT&CK has developed a framework and intelligence source specifically for ICS/OT systems (Dragos, 2024). Dragos is an industrial security company that maps its knowledge framework to the MITRE ATT&CK framework for Industrial Control Systems (ICS). Another framework is the ICS Cyber Kill Chain. This framework enables an organization to manage an incident thoroughly from start to finish. There are two stages to this framework. In the first stage, reconnaissance is conducted against an organization, an initial foothold is gained, and the network is mapped. In the second stage, the information gained from the first stage enables the attacker to develop a methodology for the attack to be successful. Additional sources of threat intelligence include coordination with traditional IT resources, OT-specific network monitoring, and collaboration with other OT partners.


Conclusion

Industrial Control Systems and Operational Technology (ICS/OT) provide vital services to communities around the globe. These systems are vulnerable because of the evolution of Internet-connected systems. Even where systems are segmented through firewalls and air-gapping, adversaries have demonstrated in recent years techniques to gain access to these systems and disrupt services. Through the development of a robust ICS/OT security framework and the use of ICS threat intelligence, an organization can effectively mitigate the risks inherent in daily operations.



References

Dragos, Inc. (2024, June 20). What Is OT Cyber Threat Intelligence? Dragos. https://www.dragos.com/blog/what-is-ot-cyber-threat-intelligence/

Greenberg, A. (2021, February 8). A Hacker Tried to Poison a Florida City's Water Supply, Officials Say. Wired. https://www.wired.com/story/oldsmar-florida-water-utility-hack/

Stouffer, K., Pease, M., Tang, C. Y., Zimmerman, T., Pillitteri, V., Lightman, S., Hahn, A., Saravia, S., Sherule, A., & Thompson, M. (2023, September). Guide to Operational Technology (OT) Security. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-82r3

Verve. (2024, July 18). What is ICS? A Comprehensive Guide to Industrial Control System Protection. Verve Industrial. https://verveindustrial.com/resources/blog/what-is-ics-security/

Zetter, K. (2016, March 3). Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid. Wired. https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

