This document discusses tactics for targeted cyber attacks against industrial control systems. It describes how adversaries are gaining greater understanding of critical infrastructure dependencies and focusing attacks on key nodes to cause physical damage and disruption. The document advocates for improved process monitoring, network visibility in ICS networks, and resilience strategies to help detect and recover from such attacks.

1. Principal Adversary Hunter

2. ❑
❑
❑
❑
❑
❑

3. ❑
❑
❑
❑

4. Preparatory Actions
Deny Degrade Destroy

5. Breach victim IT
network
Identify points of
contact with ICS
Enumerate and
categorize control
system
environment
Deliver effects on
objective

8. Focused targeting on a specific stage or aspect of
an industrial process
May be technical (specific equipment, software)
or operational (specific stage of process)
NOT indiscriminate wiping, ransomware, worms,
etc.

9. 2016 Ukraine
2017 Saudi Arabia
2019 Saudi Arabia

11. Penetrate ICS,
place malware
on computers
communicating
to field devices
Schedule
malware
execution to
open breakers
at target
transmission
site
Perform a
limited wipe
and system
disabling event
on infected
machines
Target
protective
relays with DoS
exploit post-
attack*

12. Attackers used “wiper” to delay recovery in 2015 – but
UA operators quickly moved to manual restoration
Assume attackers took note: wiper functionality in
2016 would not delay (near-term) service recovery
2016 “wiper” intended for other purposes: eliminate
logical view and control of SCADA environment

13. https://new.siemens.com/global/en/products/energy
/energy-automation-and-smart-grid/protection-
relays-and-control.html
https://www.littelfuse.com/products/protection-
relays-and-controls/protection-relays/protection-
relay-pages/what-is-a-protection-relay.aspx

16. Induce
widespread
outage, loss of
view condition
Remove line
protection
from
transmission
operations
Anticipate
operator rush
to recovery
Stage
physically
destructive
consequences
with
restoration of
unprotected
lines

18. Gain access to and harvest credentials from IT network (Mimikatz,
‘SecHack’)
Leverage multiple open- or commercial-source tools for post-
exploitation (WMImplant, administrative tools)
Utilize remote access to OT network via stolen credentials
Continue pivoting through network via credential capture
Gain sufficient access to SIS to deploy TRISIS

19. https://realpars.com/wp-
content/uploads/2018/08/What-Is-a-Safety-
Instrumented-System.png
https://www.livingreliability.com/en/wp-
content/uploads/2014/07/EmersonSisCourse1_Depic
tionOfLayersOfProtection.jpg

20. Compromise
SIS and plant
DCS
Modify SIS
safety
settings to
support
desired
impact
Modify or
manipulate
DCS to
create
unsafe plant
state
SIS
modification
allows
unsafe state
to persist or
accelerate

21. Modify SIS to
eliminate safety layer
Leverage DCS
compromise to
produce dangerous
plant status
Maximize potential
damage, plant impact
due to SIS failure

24. World’s largest oil processing and crude
stabilization facility
Primary processing hub for removing
hydrogen sulfide (“sweetening”)
Abqaiq is vital to preparing Saudi oil
for sale/distribution on world markets

25. https://www.phxequip.com/Multimedia/images/plan
t/original/hydrodesulfurization-hds-unit-165-tph-
1675.jpg
https://en.wikipedia.org/wiki/File:HDS_Flow.png

27. Target
hydrodesulfurization
facilities, operations
Significantly limit
Saudi ability to
export oil to market
Maximize disruption
through disabling
critical path node

28. https://static.tvtropes.org/pmwiki/pub/images/Split_Arrow_6053.png

29. Adversaries are
learning about ICS
operations
Increased
knowledge yields
understanding of
functional
dependencies
Adversaries can
engage in focused
targeting of critical
systems

30. Process Protection
Process Safety
Process Dependency

31. Targeted
Attacks
Physical
Damage
Loss of
Life
Increased
Downtime
Process
Disruption

33. https://i1.wp.com/militaryhistorynow.com/wp-content/uploads/2017/05/Maginot-line.jpg

35. ICS
Security
Traditional IT-
Centric
Defense
Process
Monitoring
and Analysis
Resilience
and Recovery
Investment

36. Process data already captured for
operations purposes
Improve host and network visibility in
control system networks
Combine datasets to formulate full-scope,
ICS-aware detection methodology

37. Adapt or modify existing contingencies to incorporate cyber
Identify critical path process nodes to focus defense, recovery,
resilience
Allocate resources to facilitate rapid critical resource restoration in
an incident

38. https://www.mod.go.jp/atla/img/en/center/img_center02.png

39. • Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Dragos (https://dragos.com/resource/anatomy-of-an-attack-detecting-
and-defeating-crashoverride/)
• Stuxnet to CRASHOVERRIDE to TRISIS: Evaluating the History and Future of Integrity-Based Attacks on Industrial Environments – Joe
Slowik, Dragos (https://dragos.com/wp-content/uploads/Past-and-Future-of-Integrity-Based-ICS-Attacks.pdf)
• CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack – Joe Slowik, Dragos
(https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf)
• WIN32/Industroyer: A New Threat for Industrial Control Systems – ESET (https://www.welivesecurity.com/wp-
content/uploads/2017/06/Win32_Industroyer.pdf)
• Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure – FireEye
(https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html)