November 4, 2014 • Matt Kodama
Last week, we presented a webinar with the ICS/SCADA experts from Cimation. Industrial control systems (ICS) are the “nervous systems” that manage facilities and operations, everything from robotic assembly lines to HVAC systems to power plants. SCADA is the data-intensive technology at the heart of a modern factory or refinery. This webinar was an “encore” of the Cimation presentation at RFUN 2014, our annual user conference.
Cimation’s Cyber Threat Intelligence Analysts, Eddie Ferguson and Brian Wilson, set the stage by explaining their approach to threat intelligence, and how Recorded Future supports their work. With that context, they dug into several security trends that should be top of mind for ICS/SCADA system defenders.
Traditionally, there was complete separation between the operational technology (OT) network (devices and control processes) and the information technology (IT) network (business and desktop applications). Today, companies are bridging the air gap to get benefits like remote monitoring and administration – and, as an unfortunate consequence, taking on increased cyber security risks.
Eddie and Brian emphasized how critical secure network design and following standards such as NIST SP 800-82 are to avoid severe incidents. The recent Target breach, where an estimated 40 million debit and credit card numbers were stolen, is a case in point. The attackers exploited the system access of an HVAC supplier en route to compromising endpoints on the Target point-of-sale network.
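The segmentation point above is easy to state and hard to keep honest once remote monitoring links are added. As an added example (not from the webinar or from Cimation), the script below audits flow records against a simple three-zone policy in the spirit of NIST SP 800-82: corporate IT may only reach a DMZ jump host or historian replica, and only the DMZ may talk to OT devices. The zone ranges, allowed port list, and sample flow lines are all constructed for illustration; a real deployment would take its flows from a firewall or NetFlow export and its policy from the site's architecture documents.

```python
"""Zone-policy audit for IT/OT network flows.

Added example, not from the webinar or Cimation: flags connections that
cross from the corporate IT zone into the OT zone without passing through
the DMZ, which is the segmentation model NIST SP 800-82 recommends. Zone
ranges, host addresses and sample flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan: three zones, DMZ sits between IT and OT.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Allowed cross-zone flows as (src_zone, dst_zone, dst_port). Any
# cross-zone flow not listed here is a violation; intra-zone traffic is
# out of scope for this policy.
ALLOWED = {
    ("IT", "DMZ", 3389),   # RDP to the jump host
    ("IT", "DMZ", 443),    # read-only historian replica
    ("DMZ", "OT", 502),    # Modbus/TCP from the jump host to PLCs
    ("OT", "DMZ", 443),    # OT pushes data to the historian replica
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr):
    """Map an address to its zone name, or UNKNOWN if outside the plan."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def violations(flows):
    """Return (flow, 'SRC->DST') pairs for cross-zone flows not in ALLOWED."""
    out = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s == d:
            continue  # same zone: not judged by the cross-zone policy
        if (s, d, f.dport) not in ALLOWED:
            out.append((f, f"{s}->{d}"))
    return out


def parse_flow_line(line):
    """Parse the constructed 'src dst dport proto' record format."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


# Constructed sample: two legitimate hops via the DMZ, one intra-OT flow,
# and three direct reaches into OT that bypass the DMZ.
SAMPLE_FLOWS = """\
10.10.5.12 10.20.0.10 3389 tcp
10.20.0.10 10.30.1.7 502 tcp
10.10.5.12 10.30.1.7 502 tcp
10.10.7.3 10.30.2.20 445 tcp
10.30.1.7 10.30.1.8 502 tcp
192.168.1.5 10.30.1.9 23 tcp
"""


def audit(text=SAMPLE_FLOWS):
    """Audit newline-separated flow records and return the violations."""
    return violations(parse_flow_line(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for flow, path in audit():
        print(f"VIOLATION {path}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Running the block reports three violations: two IT hosts reaching OT devices directly (Modbus on 502 and SMB on 445) and one address outside the plan reaching an OT device on telnet. The UNKNOWN zone is treated as a violation on purpose, since an unexpected source range touching OT is exactly the case a defender wants surfaced rather than silently skipped.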
OT networks are full of legacy systems with unpatched vulnerabilities. This is driven by the economics of production downtime and the risks of patching brittle computer systems.
Eddie and Brian identified an emerging trend that also follows the economics, but from the opposite perspective: that of threat actor tools and techniques. Threat actors invest in malware and attack methods for targets in finance or the defense industrial base. Long after those targets have hardened their defenses, the same vulnerabilities linger in OT networks, meaning that existing malware is a cost-effective base for new attacks. Two recent examples are the retooling of the HAVEX remote access trojan, used by Energetic Bear, and the refresh of the BlackEnergy rootkit, to deploy against industrial targets.
Looking beyond the malware, increased use of watering hole attacks is also part of this trend. The “security through obscurity” of ICS/SCADA technologies allows attackers to flip the script, by poisoning websites that focus precisely on this niche interest and are therefore frequented by ICS system operators.
We’ve heard lots of discussion about high severity risks, like cyber attacks that sabotage critical infrastructure such as power generation. Fortunately, attacks of that type remain hypothetical. Their actual likelihood and business impact are hard to assess.
However, Eddie and Brian pointed out there’s a less sensational but very compelling motive for attacks on ICS/SCADA systems, which is simple economic gain through industrial espionage. There is a huge gap between leaders and laggards in manufacturing and production industries, so insights into closing that gap have great economic value. The attacker’s objective in penetrating the OT network could be a lateral movement into the IT network for conventional intellectual property theft of engineering documents, or more directly to reverse engineer the industrial process by eavesdropping on supervisory data.
If you found this brief recap interesting, we invite you to watch the full recording of this webinar. And don’t forget to visit the Cimation website and sign up for their VuRTIS threat intelligence reports!