Joe Slowik / @jfslowik Dragos, Inc. | May 2019
Speaker background: Student → Officer → Network Defender → ICS Defender
https://ics.sans.org/media/An-Abbreviated-History-of-Automation-and-ICS-Cybersecurity.pdf
http://www.a2n.net/site/wp-content/uploads/2017/03/IoT_04.png
Three trends shaping ICS security:
• Increasing Adoption of IT Technology in ICS Environments
• Perimeter Extension and Greater Connectivity
• Increased Vendor Interest in ICS Security
Increasing Adoption of IT Technology in ICS Environments
• Increased efficiency and cost savings by incorporating COTS hardware/software into ICS equipment
• Elimination of (some) custom environments, air gaps, and traditional separation from enterprise IT
• Result: the IT threat surface is imported into the ICS environment – WITHOUT the same security capabilities
Perimeter Extension and Greater Connectivity
The traditional ICS perimeter is extended by:
• Vendor and Contractor Access
• Increased Remote Work and Administration
• Cloud and Off-Prem Products
Increased Vendor Interest in ICS Security
• Increased vendor interest in the ICS space
• Attempts to leverage “IT-ification” as justification to extend existing IT products to industrial environments
• Fails to recognize operational and technical differences in how IT technologies are deployed for industrial use
ICS attack progression:
Enumerate and categorize ICS environment → Identify points of contact with control system network → Breach victim IT network → Deliver effects on objective
Preparatory Actions (Recon & Initial Access): Many Attempts
Deny, Degrade, Destroy: Few Examples
ICS-Focused Malware
• STUXNET
• HAVEX
• BLACKENERGY2
• CRASHOVERRIDE
• TRISIS
ICS Disruptive Events
• 2005-2010 (?): STUXNET
• 2014: German Steel Mill Attack
• 2015: Ukraine, BLACKENERGY3
• 2016: Ukraine, CRASHOVERRIDE
• 2017: Saudi Arabia, TRISIS
Disruptive/Destructive Malware
• STUXNET
• CRASHOVERRIDE
• TRISIS
Greater Adversary Risk Tolerance → Heightened Danger to Asset Owners → More Aggressive Attacks → Pursuit of Physical ICS Attacks
Legacy (pre-2016)
• Custom Malware and Specific Tools
• Exploit Use for Movement and Access
• Manual Operations for ICS Impact
Current
• “Commodity” Techniques until ICS Attack
• Credential Theft and System Tool Use to Spread
• ICS Effects and Manipulation Codified in Software
Initial Intrusion & Lateral Movement
• Leverage “Commodity” Tools
• Deploy “Living off the Land” Techniques
• Avoid Custom Tools and Tradecraft
ICS-Specific Disruption
• Attacks are Unique to Target, Environment
• Requires Building Custom Attack Software
• Little Scope for Direct Replay
ICS Environments are “Brittle”
• Little scope for direct testing
• Asset owners are conservative
ICS Attacks have Pre-Requisites
• Focus on enabling factors for testing
• Imperfect for complete security, but valuable for defense in depth
Multiple Paths to Security Testing
• Notional/logical testing has value
• Direct penetration testing may be the least valuable option
Asset Owner Trust
• Clear communication and requirements necessary
• Be prepared for extensive discussion on ROE
• What experience, certifications, and training do you need to enter the environment?
Technical Capability
• Determine scope and direction of test
• ICS tools vs. IT tools – depends on type and extent of assessment
• Are custom tools/capabilities required?
Identifying End-State
• Delineate goals in advance relative to ICS operations:
  • Improve security
  • Enhance recovery
  • Minimize downtime
Initial Intrusion
• Enterprise IT access
• Enumerate and scope environment
• Identify and gather information of interest to ICS operations
IT-ICS Pivot
• Identify mechanisms to migrate to ICS
• Requires continuous connectivity to adversary infrastructure
ICS Impact
• Two mechanisms:
  • Manual manipulation (legacy)
  • Automated interaction (current)
• Goal is to manipulate physical processes via logical means
IT Intrusion
• Essentially a standard penetration test
• For industrial organizations, may need to assign “special attention” to operationally-significant groups
IT-ICS Boundary
• Identify and assess IT-ICS links
• Still represents an IT-centric test, but determines ICS environment external risk
ICS Penetration
• Options include Windows-centric lateral movement testing, or process-specific assessment
• Identify tools and techniques needed in advance in light of ROE
ICS Impact
• Notional/logical only
• Demonstrate mechanisms through which impact could occur – rather than creating such an impact
IT security priorities: Confidentiality, Integrity, Availability
ICS Operations priorities: Process Safety, Process Integrity, Process Reliability
• Physical-process nature of ICS limits ability to directly assess impacts
• Focus instead on pathways to ICS impact
• When desired, leverage notional testing through table tops and walk-throughs for direct impact assessment
Initial Intrusion
• Essentially the same as a “normal” penetration test
• Identify ingress points to the organization
Lateral Movement
• Identify and map routes to reach control systems
• What pathways exist enabling ICS access
ICS Breach
• Once ICS is accessed, what options are available to an adversary
• Test visibility, response, and monitoring
• Recognize limitations in ICS environments for direct testing
• Leverage a whole-of-kill-chain approach for comprehensive assessment
• Build off of known ICS attacks to develop methodologies
Table Top Exercise
• Walk through plans and responses
• Least invasive, also likely to have least value*
Attack Surface Assessment
• Logical and interactive probing of ICS-facing assets
• Determine and evaluate risk with minimally-invasive techniques
Interactive Pen Test
• Risky in the sense of possible “unforeseen consequences”
• Most valuable in accurately gauging defense
Three scenarios for test design:
• Opportunistic IT Infections spreading to ICS
• Direct Disruptive ICS Events
• ICS Integrity Attacks
Identify IT-ICS Links
• Assess monitoring and access controls
• Identify work-arounds
Lateral Movement
• How can additional systems in ICS be reached
• What is the scope of spread from IT in ICS
ICS Recovery
• Table top or discussion only
• Plans and procedures for restoring operation
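The "identify IT-ICS links" and "scope of spread" steps above can be done from flow or firewall records without touching a controller, which fits the deck's preference for minimally-invasive assessment. The following is an added example, not code from the Dragos deck: the zone ranges, port classification and flow lines are all constructed assumptions. It flags IT hosts talking straight into the control or safety networks (work-arounds past the DMZ), crossings into ICS on credential-bearing management protocols, and the set of control hosts reachable from IT by chaining observed flows.

```python
"""
Added example (not from the Dragos deck): enumerate IT-to-ICS pathways from
constructed flow records rather than by probing control-system hosts.
Zones, addresses and log lines below are invented for illustration.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Hypothetical zones (assumption: a three-tier enterprise / DMZ / control layout).
ZONES = {
    "enterprise_it": ip_network("10.10.0.0/16"),
    "ics_dmz":       ip_network("10.20.0.0/24"),
    "control":       ip_network("192.168.100.0/24"),
    "safety":        ip_network("192.168.200.0/24"),
}

# Protocols an intruder holding stolen credentials can ride into the control network.
# Ports are the standard defaults; treating them as "interactive" is this example's choice.
INTERACTIVE_PORTS = {22: "ssh", 135: "msrpc", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}

# Constructed flow records: "<timestamp> <src> -> <dst>:<dport> <proto>"
SAMPLE_FLOWS = """\
2019-05-01T08:00:01Z 10.10.5.23 -> 10.20.0.5:1433 TCP
2019-05-01T08:00:07Z 10.20.0.5 -> 192.168.100.10:1433 TCP
2019-05-01T08:01:12Z 10.10.7.40 -> 192.168.100.10:3389 TCP
2019-05-01T08:02:30Z 10.10.7.40 -> 10.20.0.9:445 TCP
2019-05-01T08:03:45Z 10.20.0.9 -> 192.168.100.25:445 TCP
2019-05-01T08:04:02Z 192.168.100.25 -> 192.168.200.5:502 TCP
2019-05-01T08:05:00Z 192.168.100.10 -> 192.168.100.11:502 TCP
2019-05-01T08:06:10Z 10.10.9.2 -> 10.10.9.3:445 TCP
"""


def zone_of(addr):
    """Map an address to the first zone whose range contains it."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst_port, proto = line.split()
        dst, port = dst_port.rsplit(":", 1)
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(port), "proto": proto})
    return flows


def boundary_crossings(flows):
    """Flows whose source and destination sit in different zones."""
    out = []
    for f in flows:
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if sz != dz:
            out.append({**f, "src_zone": sz, "dst_zone": dz})
    return out


def direct_it_to_control(crossings):
    """Work-arounds: IT hosts talking straight into control/safety, skipping the DMZ."""
    return [c for c in crossings
            if c["src_zone"] == "enterprise_it" and c["dst_zone"] in ("control", "safety")]


def interactive_into_ics(crossings):
    """Crossings into control/safety on credential-bearing management protocols."""
    return [c for c in crossings
            if c["dst_zone"] in ("control", "safety") and c["dport"] in INTERACTIVE_PORTS]


def reachable_from_it(flows):
    """Scope of spread: control/safety hosts reachable from any IT host by chaining flows."""
    graph = defaultdict(set)
    for f in flows:
        graph[f["src"]].add(f["dst"])
    queue = deque(h for h in graph if zone_of(h) == "enterprise_it")
    seen = set(queue)
    while queue:
        host = queue.popleft()
        for nxt in graph[host]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(h for h in seen if zone_of(h) in ("control", "safety"))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    crossings = boundary_crossings(flows)
    print("direct IT->control work-arounds:",
          [(c["src"], c["dst"], c["dport"]) for c in direct_it_to_control(crossings)])
    print("interactive protocols into ICS:",
          [(c["src"], c["dst"], INTERACTIVE_PORTS[c["dport"]]) for c in interactive_into_ics(crossings)])
    print("control/safety hosts reachable from IT:", reachable_from_it(flows))
```

On the constructed data the historian replication (1433 via the DMZ) is a legitimate crossing and is not flagged on its own, while the RDP flow from an engineering workstation directly to a control host and the SMB hop through a DMZ jump box are the two paths a credential-theft intrusion would use; the reachability set shows that both ultimately expose the safety network through the control host that speaks to it.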
CRASHOVERRIDE attack flow:
Launcher Start
• Select Payload
• Initiate ICS Impact
Payload Execution
• Connect to Control Systems
• Manipulate State
• Wait for Timer
Wiper
• Delete Files, Remap Services, Reboot System
Post-Attack
• Leave behind “Backup” Backdoor
• SIPROTEC DDoS (Fail)
Test scenario derived from CRASHOVERRIDE:
• Determine accessibility of critical systems from ICS environment (DCS, RTU, Historian, etc.)
• Test C2 capability
• Interactive lateral movement within ICS enabled by access
• Table top or walk-through of possible ICS impacts
TRISIS intrusion path:
1. Gain access to and harvest credentials from IT network (Mimikatz, ‘SecHack’)
2. Leverage multiple open- or commercial-source tools for post-exploitation (WMImplant, administrative tools)
3. Utilize remote access to OT network via stolen credentials
4. Continue pivoting through network via credential capture
5. Gain sufficient access to SIS to deploy TRISIS
Test scenario derived from TRISIS:
• Map out critical systems for operational safety and integrity
• Determine access and communication possibilities to these systems
• Walk through integrity attack scenarios based on access findings
• Evaluate monitoring and auditing mechanisms
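The TRISIS path above runs entirely on harvested credentials and remote access, so "evaluate monitoring and auditing mechanisms" comes down to whether authentication telemetry exposes a credential moving from IT into OT and onward toward the SIS. The following is an added example, not code from the Dragos deck or from any TRISIS analysis: host inventory, accounts, addresses and the flattened key=value event lines are constructed (the event shape mimics Windows 4624 fields but is not a real EVTX export). It reports accounts that authenticate on both sides of the boundary, remote logons onto OT hosts sourced from IT addresses, and the hop sequence for a single account.

```python
"""
Added example (not part of the Dragos deck): check whether an IT-to-OT credential
pivot like the one described above would be visible in logon telemetry.
Hosts, accounts, addresses and event lines are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical zones (assumption).
IT_NET = ip_network("10.10.0.0/16")
OT_NETS = [ip_network("192.168.100.0/24"), ip_network("192.168.200.0/24")]

# Hypothetical host inventory: which side of the boundary each log source sits on.
HOST_ZONE = {
    "FS01": "it", "WKS-ENG07": "it", "DC01": "it",
    "HIST01": "dmz", "EWS01": "ot", "ENG-SIS01": "ot",
}

# Windows 4624 logon types that indicate a remote pivot (documented Microsoft values).
REMOTE_LOGON_TYPES = {3: "network", 10: "remote_interactive"}

# Constructed events: one 4624 per line, fields as key=value ("-" = no source address).
SAMPLE_EVENTS = """\
EventID=4624 Computer=FS01 TargetUserName=svc_backup LogonType=3 IpAddress=10.10.7.40
EventID=4624 Computer=WKS-ENG07 TargetUserName=j.engineer LogonType=2 IpAddress=-
EventID=4624 Computer=HIST01 TargetUserName=svc_backup LogonType=3 IpAddress=10.10.7.40
EventID=4624 Computer=EWS01 TargetUserName=svc_backup LogonType=10 IpAddress=10.10.7.40
EventID=4624 Computer=EWS01 TargetUserName=operator1 LogonType=2 IpAddress=-
EventID=4624 Computer=ENG-SIS01 TargetUserName=j.engineer LogonType=3 IpAddress=192.168.100.10
EventID=4624 Computer=ENG-SIS01 TargetUserName=svc_backup LogonType=10 IpAddress=192.168.100.10
EventID=4624 Computer=DC01 TargetUserName=j.engineer LogonType=3 IpAddress=10.10.5.23
"""


def zone_of_ip(addr):
    """Classify a source address; console logons carry no address."""
    if addr in ("-", ""):
        return "local"
    ip = ip_address(addr)
    if ip in IT_NET:
        return "it"
    if any(ip in net for net in OT_NETS):
        return "ot"
    return "unknown"


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("EventID") != "4624":
            continue
        events.append({
            "computer": fields["Computer"],
            "user": fields["TargetUserName"].lower(),
            "logon_type": int(fields["LogonType"]),
            "src_ip": fields["IpAddress"],
            "host_zone": HOST_ZONE.get(fields["Computer"], "unknown"),
        })
    return events


def accounts_used_across_boundary(events):
    """Accounts that authenticate on both IT and OT hosts: the shared-credential
    condition that lets a credential harvested in IT open OT systems."""
    zones_by_user = defaultdict(set)
    for e in events:
        zones_by_user[e["user"]].add(e["host_zone"])
    return sorted(u for u, zones in zones_by_user.items() if {"it", "ot"} <= zones)


def it_to_ot_remote_logons(events):
    """Remote (network / RDP) logons onto OT hosts whose source address is in IT."""
    return [e for e in events
            if e["host_zone"] == "ot"
            and e["logon_type"] in REMOTE_LOGON_TYPES
            and zone_of_ip(e["src_ip"]) == "it"]


def pivot_chain(events, user):
    """Hosts one account touched, in log order, to expose the IT -> DMZ -> OT -> SIS hops."""
    return [e["computer"] for e in events if e["user"] == user]


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("accounts valid on both sides of the boundary:", accounts_used_across_boundary(events))
    for hit in it_to_ot_remote_logons(events):
        print("IT-sourced remote logon into OT:", hit["user"], hit["src_ip"], "->", hit["computer"],
              REMOTE_LOGON_TYPES[hit["logon_type"]])
    print("svc_backup hop sequence:", pivot_chain(events, "svc_backup"))
```

Note what the per-event rule misses: the final hop onto the SIS engineering host is sourced from an OT address, so only the first boundary crossing (the RDP logon to EWS01) trips it. The account-level check and the hop sequence are what reveal the rest of the path, which is why the scenario asks for both access mapping and an evaluation of auditing rather than a single alert.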
IT Skills have a Role in ICS Testing
• Audit and test links and communication
• “IT-ification” means production networks feature similarities to IT
Scope Needs and Purpose
• What is actually being tested?
• How will the actions better the organization?
Identify Core Interests and Values
• Safety, Reliability, and Integrity are critical
• Ensure methodologies respect and aim to secure these values!
Additional resources:
• Evolution of ICS Attacks and Prospects for Future Disruptive Events – Dragos (https://dragos.com/wp-content/uploads/Evolution-of-ICS-Attacks-and-the-Prospects-for-Future-Disruptive-Events-Joseph-Slowik-1.pdf)
• Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Dragos (https://dragos.com/whitepapers/CrashOverride2018.html)
• TRISIS – Dragos (https://dragos.com/blog/trisis/TRISIS-01.pdf)
• Industroyer – ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)
• TRITON – FireEye (https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html)
• Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS (https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)