Industrial Control System Threats
Sergio Caltagirone
Vice President, Threat Intelligence & Analytics
@cnoanalysis
sergio@dragos.com
Dragos Ecosystem
• Dragos Platform: monitoring system that utilizes behavioral analytics to identify threats as they occur, and workflow automation for Incident Response
• Dragos WorldView: expertise and knowledge in ICS threat identification and understanding
• Dragos ThreatView: experienced ICS Threat Hunting, Incident Response and Training
The Problem
• LACK OF THREAT INSIGHTS: no collection and analysis in industrial networks; no threat intel
• LACK OF TECHNOLOGY: unique industrial challenges demand industrial tech, not repurposed IT
• LACK OF PEOPLE: few people worldwide know how to protect the ICS that run our world
ICS Threat “Hockey Stick”

1998 - 2009: Lack of Collection
• Campaigns: APT1
• ICS Malware: None

2010 - 2012: New Interest in ICS
• Campaigns: Sandworm
• ICS Malware: Stuxnet

2013 - 2015: Campaigns Target ICS
• Campaigns: Dragonfly
• ICS Malware: BlackEnergy 2 and Havex
• First attack to cause physical destruction on civilian infrastructure (German Steel)

2015 - 2017: Adversaries Disrupt ICS
• Campaigns: 10 Unique
• ICS Malware: CRASHOVERRIDE and TRISIS
• First and second ever electric grid attacks that disrupt power
• First malware to target human life
ICS Cyber Threat Kill-Chain
• Dec 18, 2014: German Government’s BSI released annual report highlighting incidents
• Identified “massive damage” in a steel facility due to a cyber attack
• 2nd publicly known case of physical damage to control systems from cyber attacks
Ukraine 2015
• 1st ever cyber attack on a power grid to lead to outages
• 3 power companies across Ukraine
• SCADA hijack scenario by a well-funded team
Ukraine 2016 - CRASHOVERRIDE
Middle East 2017 - TRISIS
• TRISIS was delivered into a petrochemical facility in the Middle East by a well-funded attack team
• Targeted the Safety Instrumented System (SIS) and failed, causing a stop in operations
• 1st malware to specifically target human life
HOW DID WE GET HERE? TARGETED ICS MATURITY
01 INTEREST: Acquisition • Funding • Training
02 RESEARCH: IT-focused • Access Ops
03 ACCESS: ICS access • OT Ops
04 EFFECTS: Loss of Control • Loss of View • Process
05 COUNTER-SAFETY: Death • Destruction • Environment
ICS Cyber Threat Score Matrix
[Matrix figure; threat score bands: MODERATE, HIGH, EXTREME]
ICS Cyber Threat Score Matrix
[Matrix figure plotting activity groups labelled Xt, Ra, Al, Cv, El, Mg, Ch, Dy; legend: Electric Sector, O&G Sector, Both Sectors]
Midpoint Access and Attack
Attack via Third Parties/Vendors
Commodity Malware
You Cannot Just Patch Away the Problem
DRAGOS’ 2017 IN REVIEW REPORTS REVEALED THAT FOR ICS VULNERABILITIES:
• 64% of all vulns didn’t eliminate the risk
• 72% provided no alternate mitigation to the patch
• Only 15% could be leveraged to gain initial access
You Cannot Just Patch Away the Problem
• 204 total ICS vulnerability advisories
• 25% increase from 2017
• 30%+ of vulnerability advisories are INCORRECT
What Can You Do Today?
1. Enable two-factor (not phone factor) authentication across internal assets and services
2. Control IT-OT boundary
3. Audit and monitor high-value systems: HMI, VPN, safety systems, routers
4. Add OT monitoring, look for behaviors, not indicators
5. Get ICS threat intelligence
6. Manage 3rd Party Risk
ICS Cyber Threat Kill-Chain
[Kill-chain figure: STAGE 1, STAGE 2]
Questions?
Sergio Caltagirone
Twitter: @cnoanalysis
Email: sergio@dragos.com
Web: www.dragos.com
The Current ICS Threat Landscape