Search This Blog

Showing posts with label Operational Security. Show all posts

Analysis of Industrial Control System Security

We are presently experiencing IT/OT convergence, which will reveal new hurdles for both IT and OT divisions to overcome. Site engineers have traditionally overseen operational technology with an emphasis on reliability and stability. However, as OT systems become more integrated, these two worlds must start functioning as a single entity. The panorama of industrial cyber risks changed in 2010. Since Stuxnet targeted crucial supervisory control and data acquisition (SCADA) systems, which immediately gained attention on a global scale. 

Humans can operate and manage an industrial facility utilizing computer systems employing OT, which consists of programmable logic controllers (PLCs), intelligent electronic devices (IEDs), human-machine interfaces (HMIs), and remote terminal units (RTUs). These systems are linked to sensors and devices on the site, which could be a factory or a power plant. 

Industrial control systems are a common name for this set of process control equipment (ICSs). These technologies allow hackers to act based on what they see on the screen, in addition to providing information to them. Operational technologies have always been created with safety and availability in mind, but with relatively minimal care for cyber security. This is a significant contrast between OT and IT. 

Stuxnet: What is it? 

As per reports, Stuxnet influenced countless rotators at Iran's Natanz uranium advancement office to wear out. Afterward, different gatherings modified the infection to explicitly target foundations like gas lines, power stations, and water treatment offices. It is assessed that the US and Israel cooperated to make the malware. 

Industrial facilities have possibly "air-gapped," demonstrating that there is no connection between the organization inside the office and the organizations outside. This postures one of the obstructions in arriving at these regulators. A portion of the world's richer countries has figured out how to get around this countermeasure, regardless. 

 Iran benefited from the assault 

"The attack by Stuxnet opened the world's eyes to the idea that you can now design cyber weapons that can harm real-life target" said Mohammad Al Kayed, director of cyber defense at Black Mountain Cybersecurity. You could gain access to a nation's whole infrastructure and, for instance, turn off the electricity. In just this manner, Russia has twice attacked Ukraine.

Iran gained from the hack that the appropriate tool stash can likely be utilized to target ICS. It likewise noticed the power of those assaults. Somewhere in the range of 2012 and 2018, specialists saw an ascent in cyberattacks against Saudi Arabian modern offices as well as those of different nations nearby. 

"A virus program called Shamoon was one example. Three distinct waves of the virus have struck Saudi Arabian industrial facilities. The original version affected a few other businesses and Saudi Aramco. In a few years, two new variants were released. All of them exploited Saudi Arabian petrochemical firms and the oil and gas sector" stated Al Kayed. Saudi Arabia was a target since it has numerous manufacturing plants and sizable oil production operations. It is Iran's rival in the area and a political superpower. 

Connecting OT and IT invites vulnerability

When ICS is connected to an IT network, hacks on those systems are even simpler. By exploiting the IT network first, malicious actors can remotely attack OT assets. All they need to do is send an expert or employee who isn't paying attention to a phishing email. When industrial control systems are connected to an IT network, attacks on those systems are even easier. 

Al Kayed proceeds, "Anybody can bounce into designing workstations and other PC frameworks inside a modern site. Now that they understand how one can remotely put the malware on such modern control frameworks. Although they don't at first need to think twice about designing workstations at the office, there is a method for doing so because it is connected to the corporate organization, which is in this manner connected to the web. You can move between gadgets until you show up at the ideal design workstation in the petrochemical complicated or the power plant. "

Saudi government takes measures 

The targeted nation can acquire the necessary skills, possibly repair the weapon used against it, and then go after another target. Saudi Arabia, which has numerous manufacturing plants, is the nation in the area with the main threat on its front. Therefore it makes sense that the Iranians exploited what they had learned to strike its strongest rival in the region. 

However, the Saudi government is acting to stop similar attacks from occurring again. The National Cyber Security Authority (NCA) created a collection of legislation known as the Essential Cybersecurity Controls (ECC), which are required cyber security controls, to stop the attack type mentioned above. One of the only nations in the area having a security program that goes beyond IT systems is Saudi Arabia right now. It has also taken into account the dangers to OT infrastructure. 

Guidelines for ICS security 

The protection of industrial control systems is currently a global priority. A thorough set of recommendations for defending industrial technology against cyber security risks was released in 2015 by the US National Institute for Standards and Technology (NIST). Four important lessons can be learned from the attack on Iran and the ensuing attacks on Saudi Arabia:

  • The first step is to separate OT from IT networks. 
  • Utilize an industrial intrusion detection and prevention system and anti-malware software. 
  • The main targets of attacks on OT networks are HMIs and PLCs. Use specialized technologies, such as data diodes, which accomplish what a network firewall accomplishes logically but in a physical way.
  • Monitoring is a crucial step: "Security monitoring" is a frequent IT practice. But not many OT facilities do that currently.

Researchers Learn from ITG18 Group's OpSec Mistakes

 

A team of IBM X-Force security experts analyzed attackers' operational security mistakes to disclose the core details of how the group functions and launches attacks in their analysis of a group known as ITG18, also identified as Charming Kitten and Phosphorous. 

ITG18 has a history of targeting high-profile victims, journalists, nuclear experts, and persons working on the COVID-19 vaccine research. It is linked to Iranian government operations. It was related to an assault in late 2019. 

Richard Emerson, senior threat hunt analyst with IBM X-Force stated, "How we define this group is they're primarily focused on phishing and targeting personal accounts, although there's evidence that they may also go after corporate accounts as well." Based on the amount of infrastructure it has registered, researchers believe it to be a "rather sizable organization" - Emerson adds that they have over 2,000 indicators connected to this group alone during the last couple of years. 

According to Allison Wikoff, a senior strategic cyber-threat analyst at IBM X-Force, the team achieved "a major breakthrough" in studying ITG18 behavior while examining an attack on executives at a COVID-19 research center. 

Researchers collected indicators that are linked with attackers' activities on a regular basis; when investigating ITG18's activity, the team discovered flaws in the attackers' infrastructure, resulting in a plethora of fresh information. 

"When we saw this open server, we collected videos and exfiltrated information. Over the course of the last 18 months, we've continually seen the same errors from this group," she added. 

Researchers discovered training videos used by the group among the data they gathered. These details include how the organization maintains access to hacked email accounts, how attackers exfiltrate data, and how they build on compromises with stolen data. The videos gave investigators a better understanding of the procedures, yet the mistakes persisted. 

ITG18 has a habit of misconfiguring its servers to leave listable folders, according to Emerson. Anyone with access to the IP address or domain can read the files without requiring authentication. The group keeps their stolen data on numerous of these servers, where anybody might find massive, archived files ranging from 1GB to 100–150GB — all of which could be related to a single targeted individual. Researchers have also discovered ITG18 storing tools on these misconfigured servers, some of which are genuine and others which are custom. 

According to Emerson and Wikoff, the group's new Android remote access Trojan is used to infect the targets they track on a regular basis. The code was dubbed "LittleLooter."  

ITG18's blunders have benefited Emerson and Wikoff in painting a more comprehensive view of how the organization functions and speculating on what its future activities would entail. Wikoff points out that the assaults aren't particularly complex, and that the study shows they aren't likely to evolve. 

"The interesting thing about this particular group is that the tactics haven't really changed all that much in the four to five years [we] have been laser-focused on it," she added. 

Others have previously reported on ITG18's misconfigured servers, so the attackers are likely aware of the problem but haven't rectified it. It appears that the group either does not want to fix the error, does not want to modify their operating tempo, or that another factor is at play. 

While many defensive suggestions aren't specific to ITG18, multifactor authentication is a significant deterrent for these attackers, Wikoff points out that this group is complicated because they primarily target personal resources. 

Even though companies control their workers' personal information, these attacks may compromise corporate security. Emerson advised that businesses should examine how they would respond if an employee is harmed in one of these assaults and how they can teach staff to be aware of the dangers they face.