
Past and Future of Integrity-Based Attacks in ICS Environments


Investigation into integrity-focused attacks on ICS environments, and implications for future cyber security and industrial operations.


  1. Joe Slowik / @jfslowik, Dragos, Inc. | October 2019
  2. id jslowik: uid=1000(jslowik) gid=1000(jslowik), 05(philosophy), 09(US_Military), 14(US_DOE), 17(Dragos_Inc)
  3. ICS-Specific Security: Threat Intelligence; Dragos Platform; IR and Assessment Services
  7. Confidentiality, Integrity, Availability
  8. ICS Operations: Process Safety, Process Reliability, Process Integrity
  10. Output Validation
      • Manufacturing tolerances
      • Product quality
      • Product consistency
      Long-Term Operations
      • Process control and understanding
      • Maintenance, upkeep, and modification
      Safety
      • Integrity is vital to reliability, which enables safety
      • Unsafe processes are non-functional processes
  11. ICS Attack
      • Turn off the power
      • Blow up the plant
      • Destroy centrifuges
  12. ICS Attack
      • Degrade process in hard-to-diagnose fashion
      • Introduce defects or lack of reliability
      • Undermine process safety
  13. Preparatory Actions → Deny / Degrade / Destroy
  14. Breach victim IT network → Identify points of contact with ICS → Enumerate and categorize control system environment → Deliver effects on objective
  15. Recon & Initial Access: Many Attempts. Deny, Degrade, Destroy: Few Examples
  16. More Aggressive Attacks → Greater Adversary Risk Tolerance → Pursuit of Physical ICS Attacks → Heightened Danger to Asset Owners
  18. Popular Conception
      • Use lots of zero days!
      • Destroy centrifuges!
      • Eliminate Iranian nuclear enrichment activity
      Reality
      • Increase operational variation in centrifuges, increasing failure rate
      • Modify process telemetry to hide defect
      • Create hard-to-diagnose uncertainty in enrichment process
  19. Direct Impact
      • Some process disruption
      • Equipment failure
      Indirect Impact
      • Operators could no longer trust the process
      • Leadership no longer trusted scientists, supply chain
      Result
      • Uranium still enriched
      • Rate of production slowed
      • Trust in the process reduced
  20. Increase cost of enrichment program → Combined with physical measures*, emphasized risk of current activity → Likely facilitated JCPOA negotiations
  21. Penetrate ICS, place malware on computers communicating to field devices → Schedule malware execution to open breakers at target transmission site → Perform a limited wipe and system-disabling event on infected machines → Target protective relays with DoS exploit post-attack*
  22. Attack Operations
      • 2015: Manual interaction with control systems
      • 2016: Interactions encoded in malware*
      Attack Impact
      • 2015: Disrupt electricity distribution, inhibit recovery
      • 2016: Disrupt electricity transmission, inhibit recovery, attempt to impact protection systems
      Attack Success
      • 2015: 3 distribution companies; 225k customers; several hours
      • 2016: Single transmission/distribution site; <225k customers; approx. 1-2 hours
  23. 2015
      • Serial-to-Ethernet firmware modification
      • KillDisk wiper deployment on workstations, HMIs
      2016
      • File and service wiper on impacted workstations
      • Attempted protective relay DoS
  24. Attackers used "wiper" to delay recovery in 2015, but UA operators quickly moved to manual restoration. Assume attackers took note: wiper functionality in 2016 would not delay (near-term) service recovery. 2016 "wiper" intended for other purposes: eliminate logical view and control of SCADA environment
  26. Create hazardous situation for personnel and equipment → Induce islanding among affected substations → Create pre-conditions for a possible physical impact on reconnect
  27. Create large-scale transmission outage
      • Timing coincides with 2015 event
      • Pressures utility to restore ASAP
      Wiper event produces loss of view, loss of control
      • Wiper delays restoration
      • More importantly, degrades visibility into SCADA
      DoS SIPROTEC Protective Relays
      • Remove transmission protection on de-energized line
      • Loss of view makes this difficult to ascertain
      Anticipate rush to physical restoration
      • Create conditions for overcurrent event
      • SIPROTEC DoS results in physical damage
  28. Anticipate rush to recovery → Create unsafe state at time of restoration → Produce physically-destructive impact
  29. Gain access to and harvest credentials from IT network (Mimikatz, 'SecHack') → Leverage multiple open- or commercial-source tools for post-exploitation (WMImplant, administrative tools) → Utilize remote access to OT network via stolen credentials → Continue pivoting through network via credential capture → Gain sufficient access to SIS to deploy TRISIS
  30. Media and Conference Circuit
      • Emphasis on plant operations disruption
      • 'Malware that can kill'
      Actual Implications
      • SIS interaction introduced an in-memory rootkit allowing adversary access
      • Access could enable arbitrary modification of SIS
      • Integrity of SIS compromised to unknown effect
  32. Compromise SIS and plant DCS → Modify SIS safety settings to support desired impact → Modify or manipulate DCS to create unsafe plant state → SIS modification allows unsafe state to persist or accelerate
  33. Record safe conditions as unsafe (plant DoS); Directly trip SIS for multiple possible reasons; Record unsafe conditions as safe (possible destructive event)
  34. Modify SIS to reduce safety effectiveness → Leverage DCS compromise to produce dangerous plant status → Maximize potential damage due to SIS failure in impacting plant
  35. Stuxnet: Mostly* worked. CRASHOVERRIDE: Largely failed. TRISIS: Failed
  36. Integrity attacks undermine confidence in process while potentially producing impact. Delayed direct impact can produce effects at time of adversary's choosing. Immediate direct impacts are least flexible and likely to scale
  37. Process Manipulation: Manufacturing Operations; Electric Generation and Distribution; Oil & Gas Production
  38. Introduce defects into manufacturing process; Add difficult-to-diagnose errors to process; Increase likely product failure rate; Manipulate testing tolerances for equipment quality control
  39. Safety
      • Target equipment and process safety
      • TRISIS-like attacks
      Protection
      • Undermine ability to protect personnel and equipment
      • CRASHOVERRIDE-like DoS
      Reliability
      • Impact frequency consistency to introduce process variability
      • Generate oscillating conditions to produce AURORA-like event
  40. Electric Utility Operation Attacks: Generation Frequency Instability → Protective Relay Disabling → Translate loss of Frequency Stability into Physical Damage
  41. ICS Security: Traditional IT-Centric Defense; Process Monitoring and Analysis; Resilience and Recovery Investment
  42. Identify indications of ICS breach → Correlate IT intrusion information to anomalous process data → Deploy knowledge to investigate process disruptions → Facilitate post-incident recovery and analysis
  43. Continued Adversary Interest in ICS; Increased Acceptance of Physical Damage; Need for Defenders to Embrace Logical and Process Monitoring, ICS-Focused Defense
  44. • Evolution of ICS Attacks and Prospects for Future Disruptive Events – Dragos (content/uploads/Evolution-of-ICS-Attacks-and-the-Prospects-for-Future-Disruptive-Events-Joseph-Slowik-1.pdf)
      • Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Dragos
      • CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack – Dragos
      • Industroyer – ESET
      • Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS (ISAC_SANS_Ukraine_DUC_5.pdf)
      • Staged Cyber Attack Reveals Vulnerability in Power Grid – CNN
      • Common Questions and Answers Addressing the Aurora Vulnerability – Mark Zeller
      • Myth or Reality – Does the Aurora Vulnerability Pose a Risk to My Generator? – Mark Zeller
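The two defensive steps from slide 42 (detect an integrity problem in process data, then correlate it with IT intrusion indicators) as an added example that is not part of the deck. It runs on constructed data: a reported channel that is frozen to hide a real oscillation, the "modify telemetry to hide the defect" pattern from slide 18. The second sensor, the IT events and all values are assumptions for illustration.

```python
from statistics import pstdev

# Constructed sample rows (not from the deck): (t_seconds, value reported via
# the HMI/SCADA path, value from an independent measurement such as a second
# sensor or a field-side historian tap). Up to t=600 both channels agree and
# show normal jitter; from t=600 the reported channel is held at 1000 rpm
# while the real speed oscillates by +/-120 rpm.
def _row(t):
    jitter = 3.0 if t % 120 == 0 else -3.0
    actual = 1000.0 + jitter if t < 600 else 1000.0 + 120.0 * (-1) ** (t // 60)
    reported = actual if t < 600 else 1000.0
    return (t, reported, actual)

TELEMETRY = [_row(t) for t in range(0, 1200, 60)]

# Constructed IT-side intrusion indicators: (t_seconds, description).
IT_EVENTS = [
    (120, "new admin logon on engineering workstation"),
    (540, "unsigned binary written to PLC programming host"),
]

def telemetry_anomalies(rows, tol=0.02):
    """Timestamps where reported and independent values differ by more than
    `tol` (relative). The divergence itself, not either value, is the
    integrity signal: an availability alarm never fires here."""
    return [t for t, rep, act in rows if abs(rep - act) > tol * abs(act)]

def first_frozen_window(rows, n=5):
    """First timestamp at which the last `n` reported samples are identical
    while the independent channel still varies: a held or replayed value."""
    for i in range(n - 1, len(rows)):
        win = rows[i - n + 1:i + 1]
        if pstdev([r[1] for r in win]) == 0 and pstdev([r[2] for r in win]) > 0:
            return win[-1][0]
    return None

def correlate_it_events(anomalies, events, window=900):
    """Pair each process anomaly with IT events seen up to `window` seconds
    earlier, so an IT intrusion timeline can be read against process data."""
    return [(a, et, desc) for a in anomalies for et, desc in events
            if 0 <= a - et <= window]

if __name__ == "__main__":
    anomalies = telemetry_anomalies(TELEMETRY)
    print("reported/independent divergence at:", anomalies)
    print("reported channel frozen from t =", first_frozen_window(TELEMETRY))
    for a, et, desc in correlate_it_events(anomalies, IT_EVENTS):
        print(f"t={a}: process anomaly preceded by IT event at t={et}: {desc}")
```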