Evolution of Cyber Threats in OT Environments

FortiGuard Labs Perspectives

This year marks the 10^th anniversary of the discovery of Stuxnet. The malicious computer worm made headlines by targeting supervisory control and data acquisition (SCADA) systems. 

Stuxnet code, notably large and sophisticated at over 500 kilobytes, managed to work its way into Windows machines and networks, replicating itself several times over before seeking out additional software. It targets programmable logic controllers (PLCs), which enable the automation of electromechanical processes such as machinery or industrial processes. 

Since the Stuxnet discovery, there have been many instances of equally sophisticated cyberattacks on operational technology (OT) systems worldwide. This may be due in part to the fact that OT networks are now increasingly connected to the Internet, making them more vulnerable to attacks by cybercriminals, nation-states, and hackers. In fact, in the “State of Operational Technology and Cybersecurity Report” by Fortinet, 74% of OT organizations had experienced a malware intrusion in the past 12 months, causing damages to productivity, revenue, brand trust, intellectual property, and physical safety.

Significant Cyberattacks on OT Environments and ICS 

By evaluating the most significant ICS cyberattacks over the past decade, we can witness just how far threat actors have come in their technical capabilities. Perhaps more unsettling, however, is their willingness to cause harm not only to digital infrastructures but physical infrastructures – even impacting workers and communities. Stuxnet is perhaps one of the first in a series of malicious attacks on ICS that have enlightened organizations around the globe regarding the extent and impact cyberattacks can have on the physical world. 

This rise in new threat and attack mechanisms have radically altered the way industrial control systems (ICS) and SCADA systems function. Here, we recap some of the most significant cyberattacks on ICS that have taken place over the past decade, as well as their influence on modern security strategies across critical infrastructure. 

2011: Duqu 

Hungarian cybersecurity researchers discovered malware, identified as Duqu, which closely resembled Stuxnet in terms of its structure and design. Duqu was designed to steal information by disguising data transmissions as normal HTTP traffic and transferring fake JPG files. The key takeaway from the Duqu discovery was understanding the importance of reconnaissance work in a threat actor’s cyber campaign, where information-stealing code is often the first cyber threat enacted in a planned series of additional attacks. 

2013: Havex 

Havex is a notable Remote Access Trojan (RAT) malware that was initially discovered in 2013. Tied to the threat actor group known as GRIZZLY STEPPE, Havex targets ICS systems and communicates with a C2 server that can deploy modular payloads. 

Its ICS-specific payload gathered open platform communications (OPC) server information, including CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth – and was also capable of enumerating OPC tags. By communicating with a C2 infrastructure, Havex malware was significant in its ability to send instructions that provide enhanced and unknown capabilities to the malware. 

2015: BlackEnergy

In 2015, it was discovered that BlackEnergy malware had been used to exploit macros in Microsoft Excel documents; the malware entered networks via spear-phishing emails sent to employees. While the tactics employed by these attackers were relatively unsophisticated, the event proved that cybercriminals could indeed manipulate critical infrastructure on a large scale.  

2017: TRITON 

TRITON malware, discovered in 2017, targeted industrial safety systems. Specifically, it went after a safety instrumentedsystem (SIS), modifying in-memory firmware to add malicious functionality. This allowed the attacker to read or modify memory contents and implement custom code – along with additional programming to disable, inhibit, or modify the ability of an industrial process to fail safely. TRITON is the first known malware specifically designed to attack the industrial safety systems that protect human lives. 

Addressing ICS/SCADA Security Challenges

ICS comprises a large segment of the OT layered architecture, encompassing many different types of devices, systems, controls, and networks that manage industrial processes. The most common of these are SCADA systems and distributed control systems (DCS). 

While most organizations have been implementing IT security measures for years, OT security is somewhat new territory. With the rise of the Industrial Internet of Things (IIoT) and subsequent IT/OT convergence, industries have lost the “air gap” that protected their OT systems from hackers and malware. As a result, adversaries have increasingly begun targeting OT systems to steal proprietary information, disrupt operations, or commit acts of cyber terrorism against critical infrastructure, in part because existing malware works effectively against legacy systems deployed in OT networks that have likely not been patched or updated given the absence  of additional development or programming.

Several challenges have played a role in the evolution of cyberattacks that have impacted OT systems over the years, including: 

• Lack of OT device inventory: It’s impossible for organizations to defend assets – whether by deploying patches or running security audits – if they do not have complete visibility and control of the environment. 
• Lack of remote network accessibility: Most technology underpinning ICS relies on restricted physical access and obscure components and communications protocols.
• Outdated hardware and software: Many ICS and SCADA systems rely on aging hardware or obsolete operating systems that are incompatible with or too delicate to support modern defense technologies. Many of that hardware is deployed in environments where systems cannot be taken offline for patching or updating.
• Poor network segmentation: OT environments tend to operate under the assumption of inherent trust – a model that does not translate well to new converged IT/OT environments. The standard security practice of partitioning networks into functional segments that limit the data and applications that can migrate from one segment to another is largely underutilized within ICS as a whole. 
• Limited access control and permission management: As previously isolated or closed systems become interconnected, the controls and processes that prescribed access often become convoluted.

Thankfully, the risks that lead to security threats targeting ICS/SCADA are becoming more widely recognized – and, as a result, more heavily prioritized – by many leading organizations. Government bodies, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in the US and the Centre for Protection of National Infrastructure (CPNI) in the UK, now publish advice and guidance on security best practices for ICS. 

Standards have also been developed by the International Society of Automation (ISA), with a “zones and conduits” framework that addresses the most pressing deficiencies of ICS network security and provides guidelines for improved management.  Likewise, the non-profit ICS-ISAC organization is focused on sharing knowledge about risks, threats, and best practices to help facilities develop situational awareness in support of local, national and international security.

The Need to Support Critical Infrastructure

Security considerations for ICS/SCADA should be made a top priority due to the potential repercussions of an attack on the physical safety of employees, customers, and communities. This also means that regulatory compliance must not be ignored. Fortunately, by taking a multi-layered approach to ICS/SCADA security, organizations can significantly improve their overall security posture and risk mitigation strategy.  

Learn how Fortinet can help you extend security and maintain compliance in any ICS/SCADA-connected environment.

Read these customer use cases to find out how Echoenergia and this major oil and gas company used Fortinet’s OT Security Solutions to protect their distributed networks and critical infrastructure.