Just after the 10th anniversary of Stuxnet, OT environments remain under siege. Here are the latest attacks and how to defend against them.
By Rick Peters, CISO, operational technology, Fortinet
The prevalence of threats targeting supervisory control and data acquisition (SCADA) systems and other types of industrial control systems (ICS) is much lower than for IT, but that doesn’t diminish their importance. According to recent Fortinet research, 74% of operational technology (OT) organizations experienced a malware intrusion in the past 12 months.
This year marks the tenth anniversary of Stuxnet’s discovery. The malicious computer worm made headlines by targeting SCADA systems. The Stuxnet code, notably large and sophisticated at over 500 kilobytes, worked its way into Windows machines and networks, replicating itself several times before seeking out its specific and ultimate SCADA target. The malware targeted programmable logic controllers (PLCs), the devices that automate electromechanical processes such as machinery or industrial processes. Stuxnet’s precision was instrumental in the evolution of threats to, and security of, OT.
A decade later, OT networks remain a target for cyber adversaries. A recent example is the EKANS ransomware, which emerged in December 2019 and reflected how adversaries continue to broaden the focus of ransomware attacks to include OT environments. Written in the Go programming language, EKANS requires longer manual analysis, making it harder to detect. Along with typical ransomware behaviors like encrypting files and leaving a ransom note, the EKANS variant seen in June turns off the host firewall. It’s an example of how threat campaigns that target OT networks are evolving for the worse.
Since Stuxnet’s discovery, there have been many instances of equally sophisticated cyberattacks on OT systems worldwide. This may be, in part, because OT networks are now increasingly connected to the internet, making them more vulnerable to attacks.
The convergence of IT and OT networks has significantly diminished the dependence on the air gap to isolate cyber physical assets. ICS and SCADA systems are now exposed to an expanding threat landscape and are targets for hackers involved in terrorism, cyber warfare, and espionage. Beyond the traditional factory plant floor, attacks on critical infrastructures such as power plants, factories, water treatment systems, oil rigs, and traffic control systems can threaten national security, financial loss, brand reputation, and even human safety.
Two significant OT threat developments grabbed attention in the first half of 2020. In January, there was a surge of activity across IPS sensors in the U.S., Brazil and Germany involving Modbus TCP servers and programmable logic controllers (PLCs) that could result in information leakage. This heightened awareness resulted in Modbus-related detections being characterized as the most voluminous within the OT systems featured in FortiGuard Labs research. Not every trigger of this signature is malicious, but it’s worth monitoring, since an attacker who has infiltrated the SCADA network could cause substantial system disruption by accessing the Modbus controller.
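As an added example in the spirit of that monitoring (it is not code from the article or from Fortinet), the Python below decodes Modbus/TCP request headers and flags write function codes arriving from hosts outside a hypothetical allow list of engineering workstations; the sample frames and the allow list are constructed for illustration.

```python
import struct

# Function codes that change controller state (from the public Modbus spec).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical allow list of engineering hosts permitted to write to PLCs.
ALLOWED_WRITERS = {"10.0.1.5"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and the PDU function code of one frame."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:                       # protocol id is always 0 for Modbus
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:       # length field counts unit id + PDU
        raise ValueError("length field %d does not match frame" % length)
    fc = frame[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": frame[8:]}

def classify(src_ip: str, frame: bytes) -> str:
    """Label one request frame as 'alert', 'watch' or 'ok'."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as err:
        return "alert: malformed frame from %s (%s)" % (src_ip, err)
    name = WRITE_FUNCTIONS.get(req["fc"])
    if name is None:
        return "ok: fc %d from %s" % (req["fc"], src_ip)
    if src_ip not in ALLOWED_WRITERS:
        return "alert: %s to unit %d from unlisted host %s" % (name, req["unit"], src_ip)
    return "watch: %s to unit %d from %s" % (name, req["unit"], src_ip)

# Constructed sample traffic: (source ip, raw Modbus/TCP request bytes).
SAMPLE_TRAFFIC = [
    ("10.0.1.20", bytes.fromhex("00010000000601030000000a")),            # fc 3, read
    ("10.0.1.5", bytes.fromhex("0002000000060106001000ff")),             # fc 6, allowed writer
    ("192.168.7.9", bytes.fromhex("00030000000b0110000000020400010002")),  # fc 16, unlisted host
    ("192.168.7.9", bytes.fromhex("00040000001001030000000a")),          # bad length field
]

def scan(traffic=SAMPLE_TRAFFIC):
    """Classify every frame; returns the list of labels in input order."""
    return [classify(ip, frame) for ip, frame in traffic]

if __name__ == "__main__":
    for line in scan():
        print(line)
```

Writes from listed hosts are still labelled "watch" so that a baseline of legitimate engineering changes is recorded alongside the alerts.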
In May 2020, threat researchers discovered Ramsay, an espionage framework designed for the collection and exfiltration of sensitive files within air-gapped or highly restricted networks. A small percentage of OT environments fit those characteristics. It’s unclear how long the Ramsay cyber-espionage malware has been active, but it’s been tied to an older APT entity called Darkhotel. As the name suggests, Darkhotel is better known for exploiting hotel Wi-Fi networks than industrial facilities, but there’s clearly greater interest in Ramsay’s high-value targeting potential than in that of its progenitors.
Ten years have elapsed since the Stuxnet event. Unsurprisingly, cybercriminals still show a penchant for being innovative and persistent in seeking different ways to attack OT environments. The evidence of this commitment is underscored by the cyber attacks in the first half of 2020. Data leading into 2020 depicted an upward trend in targeting OT systems, and that has intensified during the global pandemic. A more proactive defensive strategy is needed. Leveraging current threat intelligence to analyze present techniques is valuable. The MITRE ATT&CK knowledge base is a means to start testing your current security controls against these techniques to ensure you can detect or protect against them. Document the instances where gaps are identified, then use this record to develop a prioritized plan for improvement.
It’s important to ensure your OT security solutions integrate with threat protection for corporate IT environments, extending from the data center to the cloud to the network perimeter. It’s about applying cybersecurity best practices to gain visibility, control and automated, at-speed analytics and detection within the OT environment, while providing built-in support for industry standards. Adopting an ecosystem approach to OT security minimizes complexity while reducing operating expenses, compared to broad integration of discrete point security solutions in siloed IT and OT environments. The good news is there’s an intelligent path forward that serves to counter the adversary. It amounts to achieving visibility, control, and automated awareness while avoiding latency, delivering scalability, and accomplishing rapid analysis to sustain OT system safety and productivity.
About the Author
Rick Peters is the CISO for operational technology, North America for Fortinet, delivering cybersecurity defense solutions and insights for OT/ICS/SCADA critical infrastructure environments. He is charged with overseeing growth of Fortinet’s penetration into the largest global OT marketspace. That charge entails identifying and partnering to gain traction on existing OT business campaigns as well as targeting emerging customer opportunities.