Despite being decades old, SCADA control systems remain well-designed to this day. They bring multiple moving parts together - computers, networks, data communications and user interfaces - to manage machinery and engineered components of industrial systems.
These systems weren’t originally unsafe. The system developers weren’t overly preoccupied with security because they had no conception of something called the Internet. With no Internet in existence at the time, the systems were “air gapped” – meaning not connected to other systems or the outside world, for years.
Now decades later, these complex systems are running on legacy software and operating systems. Air gapping is not a reliable protection due to widespread Internet connectivity. Networks can also be easily breached by social engineering, password theft, or tainted USBs, as in the Stuxnet attack.
The Dangers of ICS Memory-Based Attacks
The class of cyberattacks aimed at Industry Control Systems (ICS) networks is particularly dangerous because the attack takes place in the system’s runtime memory. No files are implanted into the OS file system. Instead, hackers inject code directly into process memory using stolen privileges and the system’s own administration and security tools.
This renders the attacks undetectable and able to bypass conventional security solutions such as EDR, antivirus and other traditional security lines of defense. This alarming methodology has been deemed “indefensible” by many security experts. It shows how ICS systems are in dire need of immediate protections against these types of threats.
Who’s Behind ICS Threats?
Internet-sourced threats are the primary means of attacks on ICS systems. Connection points and interfaces such as mobile phones and Wi-Fi routers also present points of vulnerability.
ICS attacks are carried out by sophisticated attackers, including well-funded nation-state bad actors. Below are examples of severe cyberattacks and tactics that have taken advantage of the vulnerabilities in ICS networks.
BlackEnergy is a Trojan capable of distributed denial of service (DDoS), cyber espionage and information destruction attacks. A few years ago, a group of attackers used the Trojan to deploy SCADA-related plugins against victims in energy and ICS/SCADA networks in Ukraine and around the world. Their tactics went beyond the typical DDoS attack.
In later rounds, the Trojan spread through spear-phishing emails with malicious Excel or Word files. When opened, they triggered macros that infected the victim’s system.
Industroyer, also called CrashOverride, is believed to be the malware that shut down the power grid in Kiev, Ukraine’s capital, in December 2016. It was the first malware capable of attacking power grids automatically, versus BlackEnergy, which was used in manual attacks against the Ukrainian power grid and others.
Industroyer infects the computers that run ICS/SCADA management software, giving hackers the ability to control equipment that generates and distributes power. They were able to cause overheating, disruption, risk of permanent equipment damage and other problems. After an Industroyer attack is complete, it’s programmed to erase its footprint. It overwrites critical files and changes registry settings on the infected machine so it cannot be rebooted again.
Industroyer can still be tweaked to inflict further harm to electric power systems in the EMEA region and other areas of the world, even the USA. A new vulnerability, CVE-2019-19279, has emerged that also allows for a DDoS attack. Other types of critical infrastructure like water plants, gas utilities or transportation control systems could also be targeted.
The Sandworm malware strain gets into a victim’s system through a Windows vulnerability known as CVE-2014-4114. A patch was released in 2014 but systems without the patch are still vulnerable. The malware comes in through a PowerPoint file that references a remote .INF file. It’s so named due to the sci-fi movie Dune, referring to a long worm-like creature beyond destruction except from nuclear weapons.
In 2016, a malware gang called the TeleBots released a malicious toolset against financial and transportation targets in Ukraine. Cyber sabotage was their apparent goal. The TeleBots share many similarities with the group behind the BlackEnergy attacks and are thought likely to be an evolution of the same group. Spearphishing email campaigns were enclosed in Excel attachments, which contained infected macros.
The Telebots tools initially took advantage of the Telegram messenger service and later used a Meterpreter backdoor.
The Triton attackers gained control and then made moves to disrupt and take down the industrial process. Fortunately, the attack accidentally triggered a plant shutdown, which led to the discovery of the attack and subsequent further investigation. Because the attack was intercepted, the full plot the attackers had planned remains unknown. But signs indicate they intended harm not only to property but also to people.
Stuxnet has the distinction of being the first cyber weapon as well as the most well-known malware to target critical infrastructure. A 500KB computer worm, Stuxnet was unleashed on a nuclear refinery in Iran. Estimated to have been around since 2005, Kaspersky Lab discovered Stuxnet in 2010.
The attack forced changes in speed on the rotors, speeding them up then slowing them down. This caused excessive vibrations, distortions, and increased pressure so the centrifuges literally tore themselves apart. The attack wreaked the intended havoc on Iran’s nuclear program it was supposed to have.
Like other ICS malware, Stuxnet targeted PLCs, which as noted above, automate processes, control peripherals, and manage machinery operating in different environments. In this case, it was controlling rotor speeds.
Stuxnet executes in three phases: 1) the worm that executes the attack, 2) a link file that automatically propagates copies of the worm, and 3) a rootkit that hides the malware and processes, thereby preventing detection of its presence. This made it extremely difficult to detect.
Even though mistakes were made in the software, without which much more damage would have been done, Stuxnet was believed to be the most complex malware ever written up to that point.
How to Protect ICS Systems Against Evasive Attacks at Runtime
Sophisticated attacks continue to show us that the conventional security tools at ICS sites (and all organizations) are not enough to provide adequate protection. Attackers have numerous means of getting to critical control points. Threat actors use calculated techniques that target programmable logic controllers (PLCs), human machine interfaces (HMIs), industrial process devices, communicationsinfrastructure, and the environment.
With Virsec, critical infrastructure operators gain confidence that they have proven security in place tosafeguard vulnerable plants, refineries, and city grids against malicious exploits. Virsec protects the frontlines of these most critical industries, detecting and stopping the most sophisticated attacks without any prior knowledge.
The Virsec Security Platform provides memory control flow integrity (CFI) to secure all aspects of SCADA application and underlying workload components running in disparate environments. Relying on in-depth workload and application awareness, Virsec stops devastating attacks before damage is done. With intrinsic knowledge of acceptable process behavior, visibility into process flow, and ongoing monitoring file systems and memory, Virsec ensures that only approved and expected code is allowed to execute.
ICS security teams also gain intelligent forensics that ensure full context visibility into the entire attack lifecycle. Virsec enables infrastructure operators and owners to protect vulnerable legacy systems and critical infrastructure operations in the face of known and unknown exploits, zero-day threats and severe cyberattacks.
Virsec Protects ICS Environments from the Inside
Monitoring file systems for unplanned file changes and malware installations
Ensuring only legitimate libraries load whenever an application process is spawned
Distinguishing authorized processes and detecting library injections or code not part of either an executable or core app component
Curtailing malicious efforts to hijack, compromise, or leverage critical system files.
Providing runtime visibility of process memory to prevent memory-based threats, fileless malware, and unknown zero-day attacks
Stay tuned to our blog for our next installment in this series.