Protecting Industrial Control Systems Against Cyberattacks – Part 3 (Virsec Blog)

In the third installment of our series, Protecting Industrial Control Systems Against Cyberattacks, we explore additional risk factors and vulnerabilities facing ICS SCADA systems. If you haven’t already, please go back and read part 1 and part 2 of the series.

Vulnerable Points in the SCADA Structure

Operators use the SCADA system to control large-scale processes that manage up to thousands of field connections and sensors. These processes can involve many sites across large distances. Data feeds from sensors inform supervisors in making key decisions. Managers rely on the SCADA system to alert them of errors. Operators use human machine interfaces (HMIs) to automate machine processes and access data for troubleshooting and investigations.

The SCADA system controls devices and modules that are connected to sensors and actuators out in the field. It carries out logic commands and calculations in real time. SCADA systems also control:

  • Programmable logic controllers (PLCs) to manage peripheral devices
  • Programmable automation controllers (PACs)
  • Proportional integral derivative (PID) controllers
  • Remote terminal units (RTUs) (microcomputers that communicate with HMIs)

Vulnerabilities are present in all parts of SCADA systems – HMIs, PLCs and RTUs. All have proven to be targets for attackers, especially the HMI. The most common vulnerabilities include:

  • Lack of authentication/authorization and insecure defaults
  • Memory corruption
  • Credential management
  • Code injection

The Never-Ending Patching Problem

All organizations contend with the unwanted and troublesome task of patching. Some deal with it better than others, but given its older software, the ICS industry struggles more than most. For many ICS organizations, patching is largely impossible.

Since many of the legacy systems are no longer supported, patches aren’t available. Even where they are, taking systems offline on a patching schedule is often not an option, and certainly not with the frequency required to keep up with the onslaught of vulnerabilities. In 2020, there were approximately 20,000 vulnerabilities logged by NIST.

It’s common in all industries to be behind in patching schedules for weeks, months or even years. According to Ponemon, even for “regular” organizations, the average time to implement a patch is 102 days. Meanwhile, attackers are aware of these patching gaps and are poised to take advantage.

In 2016, 15,000 vulnerabilities were reported, up slightly from 2015. In 2020, the number rose to nearly 20,000, and 2021 is on track to approach 30,000 vulnerabilities.

Undetected and Extended Dwell Time Is Common


Going after critical infrastructure as a cyber attack target is not new. Cyber criminals invade these systems and dwell inside them. They quietly monitor and observe what’s going on for months or even years. At a time of their choosing, the invaders may do more than just spy.

The United States has numerous cases of discovering Russian hackers inside electrical grids. Nation states are known to do this in critical infrastructure and in many more places where they have gone undetected. The US does it too. Reconnaissance is bad enough, but the bigger question is, when does reconnaissance become a debilitating attack?

IT/OT Convergence a Key Risk Factor

ICS environments have become increasingly networked and connected through the convergence of IT and OT systems. When IT and OT systems converge successfully, the management teams can seamlessly share information with each other and gain a more optimized view of both environments. However, as IT and OT teams try to balance the need for increased remote access and automation, any Internet exposure creates numerous risks for systems that are no longer air-gapped.

Attackers know the risks posed by Internet exposure, as well as by older, unpatched software. Unpatched software always has a plethora of software vulnerabilities just waiting to be exploited.

Ransomware Gangs Pursue ICS Facilities

Nation state attacks are not the only possible threats ICS facilities face. Bad actors behind ransomware attacks consider all industries and critical infrastructures to be a desirable target.

Last year, ransomware attackers struck a natural gas plant, forcing it to shut down. State-backed ransomware groups pursue big targets, including industrial systems, chemical plants, government, DoD and more, in the US and worldwide. Healthcare facilities have always been a primary target, but attackers have aggressively gone after healthcare sites and labs during the COVID-19 pandemic.

The ransomware gangs include Maze, responsible for 57 incidents against ICS. Maze is known for encrypting, exfiltrating and threatening to publish the data of its victims. Other ransomware operators include REvil (Sodinokibi), Ryuk, Snatch, Netwalker, DoppelPaymer and others. And of course, the list is incomplete without including WannaCry.

Reports tracking ICS attacks have shown over 700 attacks on critical infrastructure over seven (7) years, with over half (440) of those happening since 2019. Around five (5) attacks on ICS occur every week.

Supply Chain Attacks

Supply chain attacks happen when applications or software from a third party have been compromised with malicious code and are then distributed to production servers. Customers on the receiving end accept the software believing it to contain benign updates. But when activated, the malware creates backdoors and downloads dangerous exploits onto the customers’ systems.

These sophisticated attacks occur in memory at runtime and include memory-based threats such as buffer errors, DLL injection and DLL hijacking. These techniques handily sneak by traditional security tools and often remain undetected for months. Meanwhile, the perpetrators carry out their plans in secret, whether that’s spying, stealing data, or laying the groundwork for a larger attack.

We saw this exact scenario play out last December in the extensive SolarWinds attack. Risks in the supply chain mean the attackable surface of ICS systems is much larger than an organization’s own network. It expands to include vendors, partners, service providers and third-party cloud environments. For a more detailed analysis on the SolarWinds supply chain attack, please see our blog post The Real Culprit Behind SolarWinds: Remote Code Execution.

ICS infrastructures are also challenged to confirm the security of the supply chain for the OT system devices and sensors they rely on. There is no requirement to comply with the ISO 27001:2013 standard, which means ICS operators must often verify the security of their suppliers themselves. For multiple reasons, supply chains cannot be assumed to be a trusted method of software delivery.

Virsec Protects ICS Environments from the Inside

The Virsec Security Platform provides memory control flow integrity (CFI) to secure all aspects of SCADA applications and the underlying workload components running in disparate environments.

Relying on in-depth workload and application awareness, Virsec stops devastating attacks before damage is done. With intrinsic knowledge of acceptable process behavior, visibility into process flow, and ongoing monitoring of file systems and memory, Virsec ensures that only approved and expected code is allowed to execute.

Virsec’s Application-Aware Workload Protection

  • Mitigates both known & unknown vulnerabilities with app-aware technology (AppMap), preventing any unknown or unwarranted code changes at runtime without learning.
  • Provides zero dwell time defense through the full stack.
  • Ensures only legitimate libraries load whenever an application process is spawned.
  • Distinguishes between authorized and unauthorized processes to detect library injections or code not part of either an executable or core app component.
  • Curtails malicious efforts to hijack, compromise, or leverage critical system files.
  • Provides runtime visibility of process memory to prevent memory-based threats, fileless malware, and unknown zero-day attacks.
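To make the “only legitimate libraries load” and “detect library injections” checks above concrete, here is an added illustration (not Virsec’s code, and not part of the original post) that scans Linux /proc/<pid>/maps-style lines for executable regions that are either file-backed by a path outside an allowlist or not backed by any file at all. The sample mappings, the HMI binary path and the allowlist are constructed for the example.

```python
"""Flag unexpected executable mappings in a process address space.

Reads /proc/<pid>/maps-style lines (Linux) and reports executable
regions that are (a) backed by a file not on the allowlist or
(b) anonymous executable memory, a common sign of injected or fileless
code. Constructed illustration only; not Virsec's implementation.
"""
import re
from typing import Iterable

# One maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f:]+\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def find_unexpected_exec_mappings(maps_lines: Iterable[str], allowed_paths: set) -> list:
    """Return a list of findings for executable regions that violate the allowlist."""
    findings = []
    for line in maps_lines:
        m = _MAPS_RE.match(line.strip())
        if not m or "x" not in m["perms"]:
            continue  # malformed line or region without execute permission
        path = m["path"].strip()
        if path.startswith("["):
            continue  # kernel pseudo-mappings such as [vdso] are expected
        entry = {"range": f"{m['start']}-{m['end']}", "perms": m["perms"]}
        if m["inode"] == "0" or not path:
            entry.update(path="<anonymous>", reason="anonymous executable memory")
            findings.append(entry)
        elif path not in allowed_paths:
            entry.update(path=path, reason="executable file not in allowlist")
            findings.append(entry)
    return findings


# Constructed sample: an HMI server with libc, one anonymous RWX region and
# one shared object loaded from a path the allowlist does not cover.
SAMPLE_MAPS = """\
55d0c1e00000-55d0c1e20000 r-xp 00000000 08:01 1310720 /opt/hmi/bin/hmi_server
7f1a2c000000-7f1a2c1c0000 r-xp 00000000 08:01 393218 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2c200000-7f1a2c210000 rw-p 00000000 00:00 0
7f1a2c300000-7f1a2c301000 rwxp 00000000 00:00 0
7f1a2c400000-7f1a2c410000 r-xp 00000000 08:01 524290 /tmp/libextra.so
7ffd1d000000-7ffd1d001000 r-xp 00000000 00:00 0 [vdso]
""".splitlines()

ALLOWED = {"/opt/hmi/bin/hmi_server", "/usr/lib/x86_64-linux-gnu/libc.so.6"}

if __name__ == "__main__":
    for finding in find_unexpected_exec_mappings(SAMPLE_MAPS, ALLOWED):
        print(finding)
```

On a live host the same function can be fed `open(f"/proc/{pid}/maps")` for each monitored process; a finding is a detection signal to investigate, not proof of compromise, since legitimate JIT engines also create anonymous executable memory.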