The article by Dan Herbert in your July 2015 issue of Control Design (“Tear Down This Wall,” Control Design, July 2015, p20) has given me cause for concern, as it ignores fundamental security issues that can be introduced when connecting control system environments to other environments such as business networks. While the world is becoming more and more interconnected and “connecting machines to IT systems provides a number of benefits,” such connectivity, if not installed properly, can introduce many security challenges. These interconnections can create security vulnerabilities and potential pathways for compromise of the control environment by malicious threat actors.
The mission of the Department of Homeland Security’s (DHS’s) National Cybersecurity and Communications Integration Center (NCCIC), and specifically the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is to assist critical infrastructure asset owners to reduce cyber risks to control systems and processes that operate the nation’s critical infrastructure. ICS-CERT responds to cybersecurity incidents on a daily basis, almost all involving compromises of control system environments via connections to the corporate network. Once on the network, intruders often move laterally looking for other connected zones or networks. Without proper network segmentation and monitoring of communications, the control system environment can potentially be compromised, in some cases providing the ability for the intruder to take control of the process.
When it comes to protecting control system networks from these types of incidents, ICS-CERT recommends three basic principles.
1. Do not allow direct connectivity from the Internet into your ICS network.
2. Never allow any machine on the control network to talk directly to a machine on the business network or the Internet. This means routing communication flows through intermediary networks such as de-militarized zones (DMZs) or virtual private networks (VPNs), enforcing thorough access controls and, in some cases, using one-way traffic devices.
3. Configure firewalls to allow only required and specific devices/ports to communicate with one another through the firewall. Block everything else by default.
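The three principles can be checked mechanically. The following is an added example, not code from ICS-CERT or Control Design: a small default-deny policy evaluator with a lint pass that reports any allow rule joining the control zone directly to the business zone or the Internet. The zone ranges, device addresses and rules are constructed for illustration; the only real values are the protocol port numbers.

```python
# Added example (not the article's own code): default-deny policy checker for the three principles.
# All zone ranges, device addresses and rules are constructed for illustration.
import ipaddress
from dataclasses import dataclass

# Constructed zone layout: business and control never appear in the same rule; the DMZ sits between them.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":      ipaddress.ip_network("10.20.0.0/24"),
    "control":  ipaddress.ip_network("10.30.0.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),  # catch-all; least specific, so it wins only when nothing else matches
}

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int

def net(s):
    return ipaddress.ip_network(s)

# Explicit allow list (principle 3): only named devices on named ports, nothing broader.
ALLOW = [
    Rule(net("10.20.0.10/32"), net("10.30.0.5/32"), "tcp", 502),   # DMZ historian polls one control-zone gateway (Modbus/TCP)
    Rule(net("10.10.0.0/16"),  net("10.20.0.10/32"), "tcp", 443),  # business users read the historian's web UI in the DMZ
]

def zone_of(addr):
    """Name of the most specific zone containing addr; 'internet' is the fallback."""
    addr = ipaddress.ip_address(addr)
    name, _ = max(((n, z) for n, z in ZONES.items() if addr in z), key=lambda item: item[1].prefixlen)
    return name

def evaluate(src, dst, proto, dport):
    """First matching allow rule wins; with no match the flow is denied (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ALLOW:
        if s in r.src and d in r.dst and proto == r.proto and dport == r.dport:
            return "allow"
    return "deny"

def lint(rules):
    """Report allow rules that join the control zone directly to business or the Internet (principles 1 and 2)."""
    findings = []
    for r in rules:
        pair = {zone_of(str(r.src.network_address)), zone_of(str(r.dst.network_address))}
        if "control" in pair and pair & {"business", "internet"}:
            findings.append(f"{r.src} -> {r.dst} {r.proto}/{r.dport} bypasses the DMZ: {sorted(pair)}")
    return findings

if __name__ == "__main__":
    for flow in [("10.20.0.10", "10.30.0.5", "tcp", 502),   # historian -> gateway: allowed
                 ("10.10.0.7", "10.30.0.5", "tcp", 502),    # business host -> PLC gateway: denied
                 ("203.0.113.9", "10.30.0.20", "tcp", 80)]: # Internet -> HMI: denied
        print(flow, "->", evaluate(*flow))
    # A rule letting the whole business LAN reach the control gateway is flagged by the lint pass.
    print(lint(ALLOW + [Rule(net("10.10.0.0/16"), net("10.30.0.5/32"), "tcp", 502)]))
```

The point of the lint pass is that a rule can be perfectly well-formed and still violate principle 2; reviewing the allow list for zone pairs, not just for ports, is what catches a direct business-to-control or Internet-to-HMI path before it is deployed.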
In 2014, ICS-CERT responded to two malware campaigns launched by sophisticated threat actors specifically targeting control systems: Havex and BlackEnergy. Following the principles above would have prevented these intrusions along with other potential compromises of industrial control systems. ICS-CERT is concerned with the recent rise in targeted and successful malware campaigns against industrial control systems (ICSs).
These campaigns were associated with sophisticated threat actors with demonstrated capabilities to compromise control system networks. The depth of intrusion into the control system network provided the threat actors with the ability to potentially manipulate control system settings, control the process and even potentially destroy data and/or equipment.
Havex is an ICS-focused malware campaign that uses multiple vectors for infection. These include phishing emails containing redirects to compromised websites and, most recently, compromised software installers on at least four software vendor websites, which were delivering malware to unsuspecting customers when they downloaded software updates to their systems. These are known as watering hole-style attacks where the attacker “poisons the well” and all visitors to the website could potentially be infected with a virus or trojan.
The malware is a remote access trojan (RAT) with demonstrated capabilities to access control system environments. Once infected, the threat actor has ready access to the victim’s network and can intrude at will to steal data and, if access is obtained to the control system environment, manipulate the process.
The BlackEnergy malware targets the human-machine interface (HMI) directly. All of the known victims of the BlackEnergy malware campaign were infected via Internet-facing HMIs. With access to the HMI, an intruder can turn on/off equipment, see the status of the process and, in some cases, change the set points of the system such as the allowable level of a tank or the maximum temperature of a batch. This depth of intrusion into a control system poses a serious threat to the stability of the process and the potential for physical consequences.
Analysis of the threat actor’s techniques used in the BlackEnergy campaign reveals a focused effort to find and exploit previously unknown vulnerabilities in control system devices and software. This effort required specific research into control system devices/software, along with testing to gain the capability to launch a successful intrusion.
Scanning modules within the BlackEnergy malware
Once a network is infected, the malware sets up communications back to a command and control server to download additional capabilities, referred to as modules. ICS-CERT is aware of two separate modules designed to scan the victim’s network looking for control system devices. These two modules are of concern because they are the first ICS-specific modules (capabilities) that ICS-CERT is aware of post-Stuxnet. In 2010, the Stuxnet virus was discovered and became known as the first sophisticated malware directly targeting Siemens Step 7 programmable logic controllers used to operate variable speed drives in industrial processes. The following provides a brief description of these modules.
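A module that sweeps the victim's network for control system devices leaves a distinctive trace in connection logs: one source reaching many distinct hosts on ICS protocol ports in a short window. The following added example, not code from ICS-CERT, runs that heuristic over constructed log lines. The port list, the 60-second window and the five-host threshold are assumptions of this example, not a description of how the BlackEnergy modules actually behave.

```python
# Added example (not the article's own code): flag fan-out to many hosts on ICS ports in a short window.
# Port list, window and threshold are assumptions; the log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known ICS protocol ports used as the "looking for control devices" signal (assumed list).
ICS_PORTS = {502: "Modbus/TCP", 102: "ISO-TSAP (S7)", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed log: a business host sweeps the control zone within seconds; a DMZ historian
# polls one gateway once a minute; a business user reads the historian over HTTPS.
LOG = """\
2015-07-01T09:59:00 src=10.20.0.10 dst=10.30.0.5 dport=502 proto=tcp
2015-07-01T10:00:00 src=10.20.0.10 dst=10.30.0.5 dport=502 proto=tcp
2015-07-01T10:00:01 src=10.10.0.7 dst=10.30.0.1 dport=502 proto=tcp
2015-07-01T10:00:02 src=10.10.0.7 dst=10.30.0.2 dport=502 proto=tcp
2015-07-01T10:00:03 src=10.10.0.9 dst=10.20.0.10 dport=443 proto=tcp
2015-07-01T10:00:03 src=10.10.0.7 dst=10.30.0.3 dport=502 proto=tcp
2015-07-01T10:00:04 src=10.10.0.7 dst=10.30.0.4 dport=502 proto=tcp
2015-07-01T10:00:05 src=10.10.0.7 dst=10.30.0.5 dport=502 proto=tcp
2015-07-01T10:00:06 src=10.10.0.7 dst=10.30.0.6 dport=44818 proto=tcp
2015-07-01T10:00:07 src=10.10.0.7 dst=10.30.0.7 dport=502 proto=tcp
2015-07-01T10:00:08 src=10.10.0.7 dst=10.30.0.8 dport=102 proto=tcp
2015-07-01T10:01:00 src=10.20.0.10 dst=10.30.0.5 dport=502 proto=tcp
"""

def parse(log_text):
    """Turn 'timestamp key=value ...' lines into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"])))
    return events

def detect_ics_scan(events, window=timedelta(seconds=60), threshold=5):
    """Flag any source that reaches at least `threshold` distinct hosts on ICS ports inside one window.
    Returns {src: (distinct_hosts, [protocol names seen])}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport in ICS_PORTS:
            by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            hosts = {dst for _, dst, _ in in_window}
            if len(hosts) >= threshold:
                alerts[src] = (len(hosts), sorted({ICS_PORTS[p] for _, _, p in in_window}))
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for src, (count, protocols) in detect_ics_scan(parse(LOG)).items():
        print(f"{src}: {count} control-zone hosts on {', '.join(protocols)} within 60s")
```

The historian is not flagged because it keeps talking to a single gateway; the sweeping host is. Note that in a network segmented as the three principles describe, a business-zone host would never reach the control zone at all, so an alert like this is evidence of a firewall gap as well as of a compromised machine.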