The recent report by Enisa, the European agency which deals with the security of networks and information, also mentions the trends and threats to the security of automation, control and remote control systems dedicated to machinery and plants
by Enzo Maria Tieghi
At the end of January Enisa, the European agency for Network and Information Security, released the “Enisa Threat Landscape Report 2018 – 15 Top Cyberthreats and Trends”. This is a document on the state of cyber security in the European Union and on a global scale. Generally speaking, the Enisa report highlights that: mail messages and phishing have become the main vehicle for malware infections; exploit kits lost importance on the cyberthreat scene; cryptominers have become an important money-making vector for cyber-criminals; State-sponsored agents increasingly turn to banks using the type of attack vectors widespread in cybercrime; increasing skills and capabilities is the main objective of those who need to defend themselves, and public organizations fight to increase the loyalty of personnel because of the strong competition with industries in attracting cyber security talents; the technical orientation of the best part of intelligence concerned with cyberthreats is considered an obstacle to raising management’s awareness; intelligence must respond to increasingly automated attacks with new approaches and the use of tools and skills which are in turn automated; the emergence of IoT environments remains an issue on account of the lack of protection mechanisms in lower bracket IoT devices and services, so the need of generic IoT protection architectures and best practices is increasingly felt; the absence of intelligence cyberthreat solutions for SMEs and end users must be tackled both by suppliers and governments.
Preferring visibility to obscurity
Having dealt with the OT/ICS cyber security theme for years, we tried to find out what the Enisa report has to say with specific reference to risks, threats and occurrences regarding security issues for automation, control and remote control systems and networks designed to protect machines and plants in the industrial and utility sectors.
Here are three tips which all operators in the industrial and utility sector should keep in mind.
The first is, preferring visibility to obscurity: today, one of the most fitting mottos to describe at best factory networks and systems is by al means “Security-by-Visibility”, as opposed to “Security-by-Obscurity” which for a long time was a guiding principle of industrial cyber security, that is, trying to “hide” the system requiring protection, making it less visible, and covering up its properties to lessen attack opportunities. Over time it has become evident that this type of “Security-by-obscurity” approach does not make the system more secure. Now it is therefore considered preferable to adopt countermeasures to match the criticality and importance of the ICS system, while providing the maximum visibility as to what happens on the net and system so as to notice as soon as possible any behavioural anomalies which could provide clues regarding any current impairments or possible accidents.
In February, 2018, the first cryptomining malware episode was reported (a server was used to unravel cryptocurrency chains) found in the SCADA systems of a water utility connected to the Internet. This accident was not isolated. It follows that a system connected to the Internet, with scare perimeter protection, may easily be impaired. Secondly, it is necessary to provide visibility as to what goes on on the ICS systems to realize instantly whether any unforeseen and potentially malevolent activity is occurring.
Not just perimeter protection but segmentation and segregation too
We always suggested to segment the network and segregate adequately the most critical components of the control system. In this respect the IEC 62443 standard, based on the so-called PERA (Purdue Enterprise Reference Architecture) model, developed further even in ISA-95 and ISA99, defines that the subdivision in areas must be carried out, and explains how to limit as much as possible those conduits which allow the communication of information from one area to another, which will then have to be adequately protected.
In the report it is stated that “64% of the main accidents which concern industrial control systems or networks were about ransomware” (in 2018). In the best part of cases, ransomware reaches the network of the OT/ICS system which manages the plant or the machine in the factory, as “collateral damage” of an e-mail attachment or of navigation on an infected website opened by a PC in the company’s offices. Almost always, once it reaches the factory network, ransomware finds it easy to circulate, infect other PCs, block functioning by encrypting discs and making the system impossible to use, blocking automation and control systems as a consequence.
Three main issues
Now the way we see it, there are here three types of issues. Security awareness/training policies in the companies concerned are not so effective and someone still pens infected mail attachments or surfs on disreputable websites.
Technological security countermeasures adopted are not adequate to block these ransomware campaigns. The fact that ransomware which strikes the office network circulates in the factory network highlights the fact that there is neither perimeter protection, nor a correct network segmentation nor an adequate segregation of the most critical computers in the production departments.
And it is very likely that even the practice of correctly saving backups of all the systems used in the factory (PC, PLC, SCADA and so on) is faulty; such a practice could limit damages, even in case of faults, to a few hours of down time, without causing several days of interrupted production or denial of service.
Limiting remote access to industrial systems
In Enisa’s ETL2018 report it is shown that the indiscriminate distribution of RATs (Remote Access Tools) on ICS systems is a widespread practice and that it causes considerable nuisances. They are installed on 40% of computers in ICS systems.
But if we examine in further detail the Kaspersky research mentioned in the ETL2018 report, we discover that these tools are legitimately installed on less than one third of ICS systems.
A problem of scarce “visibility” on the ICS system therefore surfaces again.
Figure 2 is derived from a recent report which reveals the twenty main countries where RATs were involved at least once in espionage accidents during the first term of 2018.
Autore: Enzo Maria Tieghi, Ceo, ServiTecno, and member of Clusit’s scientific committee.