FortiGuard Labs Perspectives
In 2010, researchers were made aware of an unusual computer worm, dubbed Stuxnet. It quickly made international headlines as it targeted important supervisory control and data acquisition (SCADA) systems.
Stuxnet code, notably large and sophisticated at over 500 kilobytes, managed to work its way into Windows machines and networks, replicating itself several times over before seeking out additional software. It targets programmable logic controllers (PLCs), which enable the automation of electromechanical processes such as machinery or industrial processes.
Since the Stuxnet discovery, there have been many instances of equally sophisticated cyberattacks on operational technology (OT) systems worldwide. This may be due in part to the fact that OT networks are now increasingly connected to the Internet, making them more vulnerable to attacks by cybercriminals, nation-states, and hackers. In fact, in the “2020 State of Operational Technology and Cybersecurity Report” by Fortinet, 74% of OT organizations had experienced a malware intrusion in the past 12 months, causing damage to productivity, revenue, brand trust, intellectual property, and physical safety.
By evaluating the most significant attacks on operational technology over the past decade, we can witness just how far threat actors have come in their technical capabilities. Perhaps more unsettling, however, is their willingness to cause harm not only to digital infrastructures but physical infrastructures – even impacting workers and communities. Stuxnet is perhaps one of the first in a series of malicious attacks on industrial control systems (ICS) that have enlightened organizations around the globe regarding the extent and impact cyberattacks can have on the physical world.
This rise in new threat and attack mechanisms has radically altered the way ICS and SCADA systems function. Here, we recap some of the most significant cyberattacks on ICS that have taken place over the past decade, as well as their influence on modern security strategies across critical infrastructure.
In 2011, Hungarian cybersecurity researchers discovered malware, identified as Duqu, which closely resembled Stuxnet in terms of its structure and design. Duqu was designed to steal information by disguising data transmissions as normal HTTP traffic and transferring fake JPG files. The key takeaway from the Duqu discovery was understanding the importance of reconnaissance work in a threat actor’s cyber campaign, where information-stealing code is often the first cyberthreat enacted in a planned series of additional attacks.
Havex is a notable Remote Access Trojan (RAT) that was initially discovered in 2013. Tied to the threat actor group known as GRIZZLY STEPPE, Havex targets industrial control systems and communicates with a C2 server that can deploy modular payloads.
Its ICS-specific payload gathered open platform communications (OPC) server information, including CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth – and was also capable of enumerating OPC tags. By communicating with a C2 infrastructure, Havex malware was significant in its ability to send instructions that provide enhanced and unknown capabilities to the malware.
In 2015, it was discovered that BlackEnergy malware had been used to exploit macros in Microsoft Excel documents; the malware entered networks via spear-phishing emails sent to employees. While the tactics employed by these attackers were relatively unsophisticated, the event proved that cybercriminals could indeed manipulate critical infrastructure on a large scale.
TRITON malware, discovered in 2017, targeted industrial safety systems. Specifically, it went after a safety instrumented system (SIS), modifying in-memory firmware to add malicious functionality. This allowed the attacker to read or modify memory contents and implement custom code – along with additional programming to disable, inhibit, or modify the ability of an industrial process to fail safely. TRITON is the first known malware specifically designed to attack the industrial safety systems that protect human lives.
ICS comprises a large segment of the OT layered architecture, encompassing many different types of devices, systems, controls, and networks that manage industrial processes. The most common of these are SCADA systems and distributed control systems (DCS).
While most organizations have been implementing IT security measures for years, OT cybersecurity is somewhat new territory. With the rise of the Industrial Internet of Things (IIoT) and subsequent IT/OT convergence, industries have lost the “air gap” that protected their OT systems from hackers, malware and data breaches. As a result, adversaries have increasingly begun targeting OT systems to steal proprietary information, disrupt operations, or commit acts of cyber terrorism against critical infrastructure. This is because existing malware works effectively against legacy systems deployed in OT networks that have likely not been patched or updated given the absence of additional development or programming.
Several challenges have played a role in the evolution of cyberattacks that have impacted OT systems over the years, including:
Lack of OT device inventory: It’s impossible for organizations to defend assets – whether by deploying patches or running security audits – if they do not have complete visibility and control of the environment.
Lack of remote network accessibility: Most technology underpinning ICS relies on restricted physical access and obscure components and communications protocols.
Outdated hardware and software: Many ICS and SCADA systems rely on aging hardware or obsolete operating systems that are incompatible with or too delicate to support modern defense technologies. Much of that hardware is deployed in environments where systems cannot be taken offline for patching or updating.
Poor network segmentation: OT environments tend to operate under the assumption of inherent trust – a model that does not translate well to new converged IT/OT environments. The standard security practice of partitioning networks into functional segments that limit the data and applications that can migrate from one segment to another is largely underutilized within ICS as a whole.
Limited access control and permission management: As previously isolated or closed systems become interconnected, the controls and processes that prescribed access often become convoluted.
Thankfully, the risks that lead to security threats targeting ICS/SCADA are becoming more widely recognized – and, as a result, more heavily prioritized – by many leading organizations. Government bodies, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the US and the Centre for Protection of National Infrastructure (CPNI) in the UK, now publish advice and guidance on security best practices for ICS.
Standards have also been developed by the International Society of Automation (ISA), with a “zones and conduits” framework that addresses the most pressing deficiencies of ICS network security and provides guidelines for improved management. Likewise, the non-profit ICS-ISAC organization is focused on sharing knowledge about risks, threats, and best practices to help facilities develop situational awareness in support of local, national and international security.
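The segmentation practice and the “zones and conduits” framework described above can be checked against observed traffic. The following is an added example, not code from the original article or from Fortinet or ISA; the zone names, subnets, conduit allowlist and flow records are all constructed assumptions.

```python
import ipaddress

# Hypothetical zone map: each zone is one subnet (constructed values).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "control":    ipaddress.ip_network("10.30.0.0/24"),
    "safety":     ipaddress.ip_network("10.40.0.0/24"),
}

# Conduits: the only permitted inter-zone paths, as (src_zone, dst_zone, dst_port).
CONDUITS = {
    ("enterprise", "dmz", 443),   # business users reach a DMZ service over HTTPS
    ("dmz", "control", 4840),     # DMZ broker reaches an OPC UA server
    ("control", "dmz", 443),      # control zone pushes data up to the DMZ
}

def zone_of(ip):
    """Map an IP address to its zone name, or 'unknown' if no zone contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit_flows(flows):
    """Return flows that cross a zone boundary without a matching conduit."""
    violations = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "unknown":
            continue  # intra-zone traffic is not governed by conduits
        if (sz, dz, port) not in CONDUITS:
            violations.append({"src": src, "dst": dst, "port": port,
                               "src_zone": sz, "dst_zone": dz})
    return violations

# Constructed sample flow records: (src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("10.10.4.7", "10.20.0.5", 443),      # enterprise to dmz, conduit exists
    ("10.20.0.5", "10.30.0.12", 4840),    # dmz to control, conduit exists
    ("10.10.4.7", "10.30.0.12", 502),     # enterprise straight to control (Modbus/TCP)
    ("10.30.0.12", "10.40.0.3", 1502),    # control to safety, no conduit defined
    ("10.30.0.12", "10.30.0.13", 502),    # intra-zone, ignored
    ("203.0.113.9", "10.30.0.12", 3389),  # address outside every zone
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print(f"{v['src_zone']} -> {v['dst_zone']} port {v['port']}: {v['src']} -> {v['dst']}")
```

Because the allowlist is directional and default-deny, a flow from an address in no known zone is reported rather than silently passed, which also surfaces gaps in the device inventory.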