This document discusses tactics for targeted cyber attacks against industrial control systems. It describes how adversaries are gaining greater understanding of critical infrastructure dependencies and focusing attacks on key nodes to cause physical damage and disruption. The document advocates for improved process monitoring, network visibility in ICS networks, and resilience strategies to help detect and recover from such attacks.
5. • Breach victim IT network
• Identify points of contact with ICS
• Enumerate and categorize control system environment
• Deliver effects on objective
8. • Focused targeting on a specific stage or aspect of an industrial process
• May be technical (specific equipment, software) or operational (specific stage of process)
• NOT indiscriminate wiping, ransomware, worms, etc.
11. • Penetrate ICS, place malware on computers communicating to field devices
• Schedule malware execution to open breakers at target transmission site
• Perform a limited wipe and system-disabling event on infected machines
• Target protective relays with DoS exploit post-attack*
12. • Attackers used “wiper” to delay recovery in 2015 – but UA operators quickly moved to manual restoration
• Assume attackers took note: wiper functionality in 2016 would not delay (near-term) service recovery
• 2016 “wiper” intended for other purposes: eliminate logical view and control of SCADA environment
16. • Induce widespread outage, loss-of-view condition
• Remove line protection from transmission operations
• Anticipate operator rush to recovery
• Stage physically destructive consequences with restoration of unprotected lines
18. • Gain access to and harvest credentials from IT network (Mimikatz, ‘SecHack’)
• Leverage multiple open- or commercial-source tools for post-exploitation (WMImplant, administrative tools)
• Utilize remote access to OT network via stolen credentials
• Continue pivoting through network via credential capture
• Gain sufficient access to SIS to deploy TRISIS
20. • Compromise SIS and plant DCS
• Modify SIS safety settings to support desired impact
• Modify or manipulate DCS to create unsafe plant state
• SIS modification allows unsafe state to persist or accelerate
21. • Modify SIS to eliminate safety layer
• Leverage DCS compromise to produce dangerous plant status
• Maximize potential damage, plant impact due to SIS failure
24. • World’s largest oil processing and crude stabilization facility
• Primary processing hub for removing hydrogen sulfide (“sweetening”)
• Abqaiq is vital to preparing Saudi oil for sale/distribution on world markets
29. • Adversaries are learning about ICS operations
• Increased knowledge yields understanding of functional dependencies
• Adversaries can engage in focused targeting of critical systems
36. • Process data already captured for operations purposes
• Improve host and network visibility in control system networks
• Combine datasets to formulate full-scope, ICS-aware detection methodology
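The "combine datasets" point above, as an added example that is not part of the deck or of any vendor's product: breaker state changes from the process historian are correlated with ICS network monitoring and the HMI audit log, and a change that lacks an authorised command path (a listed HMI host plus a logged operator action) is flagged. Record layouts, host addresses, tag names and the 30-second window are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample records (not from the original deck); ISO-8601 timestamps.
HISTORIAN = [  # process historian: (time, tag, value)
    ("2024-01-01T10:00:05", "BRK_T1_STATE", "OPEN"),
    ("2024-01-01T10:30:10", "BRK_T2_STATE", "OPEN"),
]
NETWORK = [  # ICS network monitor: (time, src_ip, breaker, command)
    ("2024-01-01T10:00:04", "10.1.1.10", "BRK_T1", "OPEN"),
    ("2024-01-01T10:30:09", "10.1.1.77", "BRK_T2", "OPEN"),
]
HMI_LOG = [  # HMI audit log: (time, operator, breaker, action)
    ("2024-01-01T10:00:03", "op_smith", "BRK_T1", "OPEN"),
]
AUTHORISED_HMI = {"10.1.1.10"}  # hosts permitted to issue control commands (assumed)


def _ts(s):
    return datetime.fromisoformat(s)


def _within(t, events, window_s):
    """Events (time first in each tuple) that occurred within window_s seconds before t."""
    return [e for e in events if 0 <= (t - _ts(e[0])).total_seconds() <= window_s]


def correlate(historian=HISTORIAN, network=NETWORK, hmi_log=HMI_LOG,
              authorised=AUTHORISED_HMI, window_s=30):
    """Return alerts for breaker state changes in process data that have no
    matching command from a listed HMI host and/or no matching operator action."""
    alerts = []
    for time_s, tag, value in historian:
        if not tag.endswith("_STATE"):
            continue  # only breaker state tags are correlated here
        breaker, t = tag[: -len("_STATE")], _ts(time_s)
        reasons = []
        cmds = [n for n in _within(t, network, window_s) if n[2] == breaker and n[3] == value]
        if not cmds:
            reasons.append("state change with no observed network command")
        for _, src, _, _ in cmds:
            if src not in authorised:
                reasons.append(f"command from unlisted host {src}")
        ops = [h for h in _within(t, hmi_log, window_s) if h[2] == breaker and h[3] == value]
        if not ops:
            reasons.append("no matching operator action in HMI log")
        if reasons:
            alerts.append({"breaker": breaker, "time": time_s, "reasons": reasons})
    return alerts
```

Each dataset alone is ambiguous (a breaker opening is routine; a control command is routine); only the joined view distinguishes an operator action from an unattributed change.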
37. • Adapt or modify existing contingencies to incorporate cyber
• Identify critical path process nodes to focus defense, recovery, resilience
• Allocate resources to facilitate rapid critical resource restoration in an incident
39. • Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Dragos (https://dragos.com/resource/anatomy-of-an-attack-detecting-and-defeating-crashoverride/)
• Stuxnet to CRASHOVERRIDE to TRISIS: Evaluating the History and Future of Integrity-Based Attacks on Industrial Environments – Joe Slowik, Dragos (https://dragos.com/wp-content/uploads/Past-and-Future-of-Integrity-Based-ICS-Attacks.pdf)
• CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack – Joe Slowik, Dragos (https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf)
• WIN32/Industroyer: A New Threat for Industrial Control Systems – ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)
• Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure – FireEye (https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html)