ICS Information Security Assurance Framework 5

January 19, 2020 | Mina Hao

Typical ICS Security Incidents

As ICSs become increasingly informatized and open, more and more attacks are hitting them and causing increasing harm. ICS-targeted attacks use the IT network as a springboard to affect the operation of OT systems. Currently, attacks against ICSs are carried out for three purposes: disrupting the normal operation of ICSs, obtaining ICS data, and making financial gains.

The Stuxnet virus incident and the Ukrainian power grid incident are typical cases of attacks that disrupt the normal operation of ICSs.

The Stuxnet virus is seen as the earliest attack against ICSs. In this attack, the hacker used the Stuxnet virus to target uranium enrichment devices in Iran, including the master devices and physical systems (i.e., centrifuges), so as to shorten the service life of the devices, slow down the uranium enrichment process, and ultimately wreck Iran’s nuclear plan. The hacker's final target was the SIMATIC WinCC system, which is provided by Siemens and deployed in the dedicated internal LAN (local area network) for ICS data collection and monitoring. In the early phase, to penetrate the internal network, the hacker first infected an external host through social engineering, then infected a USB flash drive, and finally exploited a shortcut file parsing vulnerability to spread the virus to the internal network. Within the intranet, the virus exploited three different vulnerabilities to spread between networked hosts until it reached the host on which the SIMATIC WinCC software was installed. Then the attack kicked off. It took advantage of three 0-day vulnerabilities and used many attack techniques and methods that are almost impossible to implement in common attacks.

Ukraine’s power grid was hit many times in a year or so, causing power outages. These attacks used two types of malware, namely the BlackEnergy trojan and KillDisk, to compromise files, rendering the system unable to run plug-ins. Interacting directly with the system, the attacker sent power cutoff commands and used KillDisk to make power restoration more difficult. Likewise, the Industroyer malware uses industrial communication protocols that are used worldwide to control the energy switches and circuit breakers of substations all over the country, with the aim of compromising the normal operation of ICSs. Arguably, attacks against ICSs no longer focus merely on general-purpose parts like PLC and OPC, but have turned to special-purpose parts (such as substation systems) as their targets.

Attacks aimed at obtaining ICS data are mainly initiated to steal the production process, so as to spy on enterprises’ or countries’ industrial behavioral patterns. VPNFilter, a type of multi-stage modular malware that has infected at least 500,000 networked devices around the world, is a typical example of such attacks. Among the malicious components added as extensions in the third stage of this malware, some are used specifically to sniff industrial control protocols, collecting intelligence based on the Modbus SCADA protocol as well as sniffing HTTP-based login credentials and authorization information.

The malware HAVEX infects the SCADA system and OPC among ICSs to steal information and data within the system, including the operating system, computer name, user information, files, and directory list of the infected host. It then uploads this information to the remote command and control (C&C) server for the purpose of spying on enterprises’ or countries’ industrial behavioral patterns.

Attacks motivated by financial gain are a new type of attack that has emerged in recent years. These attacks usually resort to ransomware such as WannaCry and ClearEnergy. On November 28, 2016, San Francisco MUNI’s rapid transit system was hit by ransomware. As a result, all ticketing machines displayed the following message: “You Hacked, ALL Data Encrypted.” The attacker asked for 100 bitcoins, which was equivalent to 70,000 dollars at the exchange rate at the time.

On May 13, 2017, Renault announced that it would suspend production at factories in Sandouville in France and Romania to prevent the propagation of this ransomware in the system. Besides, NISSAN’s manufacturing plant in Sunderland in the UK was also affected. In March 2018, Atlanta suffered a ransomware attack which left its urban services paralyzed for several days. In response to this attack, Atlanta spent nearly 5 million dollars on emergency IT services, which covered incident response services, crisis public relations, additional support personnel, and expert consulting services on certain topics.

On August 3, 2018, TSMC’s 12-inch wafer factory and operational headquarters in Hsinchu Science Park were hit by an attack launched by a variant of the ransomware WannaCry, which suspended the assembly line and incurred an economic loss of 170 million dollars. This incident in the separated network of the assembly line was the result of misoperation. Because machines were scanned for viruses only after going live, new machines that were unpatched were infected with this virus, and eventually all machines were infected.

As the targeted machines were not networked, they did not pop up a ransomware window after being infected, but stopped running. This incident, though it occurred within ICSs, was in essence caused by an ordinary virus, which demonstrates that even an ordinary virus can lead to a production incident. From all of the above, we can see that ransomware is setting its sights on ICSs. Some incidents, though not causing production incidents or personal accidents, may result in a data restoration cost that is far higher than the ransom asked by the attacker, incurring a great loss and impact to enterprises and society.

Ransomware viruses and traditional ICS-targeting viruses (like Stuxnet) can both leave ICSs unable to operate properly. However, there are big differences between the two types of viruses. Firstly, ransomware viruses are intended to target ordinary IT systems, while ICS-targeting viruses aim to hit industrial control devices, with explicit attack targets and expected results. Secondly, ransomware viruses are currently designed to infect general-purpose operating systems like Windows, and therefore they usually run on a human-machine interface of an ICS. Traditional ICS-targeting viruses, however, used to strike specific ICS devices such as PLC and DCS. Lastly, the former are crafted to gain economic benefits, while the latter are mainly used to compromise the integrity of ICSs, making them unable to run properly. With the development of ICSs, some research indicates that ransomware viruses targeting industrial control devices like PLC can make a profit while rendering ICSs unable to operate properly.

Besides ransomware, attacks in other forms have been carried out to reap illegal profits. For example, a user’s illegal unlocking of heavy machinery of SANY Heavy Industry Cooperation Limited led to a sales loss for this company.

All in all, with IT and OT converging at a rapid pace, ICSs will be exposed to more and more threats.

To be continued.