chungking - Fotolia
Last year was a watershed year for industrial control systems (ICS), largely because of the discovery of new capabilities and a significant increase in ICS threat activity groups, according to a threat report by industrial cyber security firm Dragos.
Cyber security risks to the safe and reliable operation of industrial control systems have never been greater, the report said, but although numerous incidental infections regularly occur in industrial networks, ICS-specific or ICS-tailored malware is rarer.
Overall, the scope and extent of malicious activity either directly targeting, or gathering information on, ICS networks increased significantly throughout 2017, according to Dragos researchers.
Wormable ransomware such as WannaCry and NotPetya gave notice to ICS owners and operators that industrial networks are far more connected to the IT environment than many realised, said the report, which comes just a month after research by UK-based security firm Positive Technologies warned that the number of internet-accessible ICS is increasing every year.
Before 2017, only three families of ICS-specific malware were known, Dragos said, which were Stuxnet, BlackEnergy and Havex, but in the past year, two new ICS-specific malware samples were discovered – Trisis and CrashOverride.
CrashOverride was the first malware to specifically target and disrupt electricity grid operations and led to operational outages in Kiev, Ukraine in 2016, although it was not definitively discovered until 2017.
Trisis was the first malware to specifically target and disrupt safety instrumented systems (SIS) that are designed to avoid dangerous situations, and is the first malware ever to specifically target, or accept as a potential consequence, the loss of human life, the report said.
By targeting SIS, an adversary can achieve multiple, potentially dangerous impacts, ranging from extensive physical system downtime to false safety alarms, physical damage and destruction.
Although Trisis is profoundly concerning and represents a significant new risk for defenders to manage, the report noted that Trisis-like attacks require substantial investments in both capability development and network access before adversary success.
Read more about ICS security
- Airbus is helping to drive the cyber security market for industrial control systems used throughout industry, including many providers of critical national infrastructure.
- There is a pressing need to improve cyber security in industrial control system environments, according to security certification body Crest.
- Vulnerabilities in industrial control systems commonly used by suppliers of critical national infrastructure are potentially the biggest threats to UK cyber security.
- Organisations should mitigate six key vulnerabilities in industrial control systems to reduce the risk of cyber attack, warns security firm FireEye.
At the same time, the report warned that Trisis has created a “blueprint” for adversaries to follow concerning SIS attacks and noted that the very extension of ICS network attack to SIS devices sets a worrying precedent because these critical systems now become an item for adversary targeting.
“The impact of these events cannot be overstated,” the report said, adding that the number of adversaries targeting control systems and their investment in ICS-specific capabilities is only growing, with five current, active groups known to be targeting ICS systems.
The report predicted that this activity will only drive a hidden arms race for other state and non-state actors to mature equivalent weapons to affect industrial infrastructure and ensure parity against possible adversaries.
“We regrettably expect ICS operational losses and likely safety events to continue into 2018 and the foreseeable future,” the report’s authors said.
Joe Slowik, adversary hunter at Dragos, said 2017 was a defining year in ICS security, with two major and unique ICS-disruptive attackers revealed, five distinct activity groups targeting ICS networks identified, and several large-scale IT infection events with ICS implications taking place.
“While this represents a significant increase in ‘known’ ICS activity, Dragos assesses that we are only scratching the surface of ICS-focused threats,” he said. “Therefore, 2017 may represent a breakthrough moment, as opposed to a high-water mark – with more activity to be expected in 2018 and beyond.”
Slowik said that while defenders’ visibility and efforts at hunting are increasing, adversaries continue to grow in number and sophistication.
“By identifying and focusing on adversary techniques – especially those that will be required in any intrusion event – ICS defenders can achieve an advantageous position with respect to identifying and monitoring future attacks,” he said.
Slowik said that by adopting a threat-centric defensive approach, defenders can mitigate not just the adversaries that are currently known, but also future malicious actors.