It’s Critical Infrastructure Security and Resilience Month, but I think we can all agree that the topic at hand is, uh, more of a long-term necessity. About 85 percent of the nation’s critical infrastructures are privately owned and operated, as cited in NIST’s SP 800-82 Guide to Industrial Control Systems (ICS) Security.
That means much of what our country runs on is heavily interconnected and interdependent, while the security of each piece may vary greatly from one industry or private organization to the next. Not all of the threats to energy and utilities firms are particularly unique, but, needless to say, they could have quite serious consequences.
As a recent Vectra report stated, the threats to energy and utilities firms typically target their enterprise IT networks, rather than the actual industrial control systems (ICS). And while NIST dictates that the ICS network should be logically separated from the corporate network with minimal access points between them, there is always some potential risk to be weighed.
These attacks can take many months and involve a number of different stages, as Vectra outlined in their report on the hidden threat of cyberattacks in the energy and utilities industry, and as I’ve summarized/editorialized a bit below:
Point of Entry
The first step is to gain a foothold into energy and utility networks by stealing a user’s credentials by means of phishing and malware, then maintaining external remote access with tools like virtual private networks (VPNs), Remote Desktop Protocol (RDP) and Outlook Web Access (OWA).
With common remote access tools like VPNs, attackers’ activity often blends in with normal administrative access and actions, making it more difficult for organizations to detect malicious behavior.
With external remote access, attackers then identify file servers within the network and collect information about hosts, users, operator behaviors and other additional data.
During the recon stage, attackers will also conduct scans via RDP to find both accounts and RDP servers that will accept logins via those accounts. This allows attackers to find accounts to access while evading detection, rather than conducting a port sweep or scan that may call more attention to their malicious intentions.
Lateral Movement & Exfiltration
Armed with privileged administrator credentials, attackers move to access domain controllers via RDP, as well as workstations and servers containing data from industrial control systems and supervisory control and data acquisition (SCADA) files.
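The RDP-based account discovery described under Point of Entry (trying stolen accounts against RDP servers instead of port scanning) leaves a distinctive trace in Windows logon telemetry: one source presenting many different accounts over RDP in a short window. The following is an added example, not code from the Vectra report or from Duo, that runs that detection over constructed sample records; the record format, event IDs and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records (not real telemetry), loosely modelled on Windows
# Security events 4624 (logon success) / 4625 (logon failure). Logon type 10 is
# RemoteInteractive, i.e. RDP.  Fields: time|event_id|source_ip|target_host|account|logon_type
SAMPLE_LOGS = """\
2018-11-05T09:00:01|4625|10.20.0.77|FS-01|jdoe|10
2018-11-05T09:00:04|4625|10.20.0.77|FS-01|asmith|10
2018-11-05T09:00:09|4625|10.20.0.77|FS-02|bwong|10
2018-11-05T09:00:15|4624|10.20.0.77|FS-02|svc_backup|10
2018-11-05T09:00:21|4625|10.20.0.77|DC-01|svc_backup|10
2018-11-05T09:00:27|4624|10.20.0.77|DC-01|it_admin|10
2018-11-05T09:05:00|4624|10.20.0.15|WS-114|jdoe|10
2018-11-05T09:06:00|4624|10.20.0.15|FS-01|jdoe|3
2018-11-05T10:10:00|4624|10.20.0.40|FS-01|it_admin|10
2018-11-05T10:14:00|4624|10.20.0.40|DC-01|it_admin|10
"""

def parse(lines):
    """Keep only RDP (type 10) logons as (time, event_id, src, host, account), oldest first."""
    events = []
    for line in lines.strip().splitlines():
        ts, event_id, src, host, account, logon_type = line.split("|")
        if logon_type == "10":
            events.append((datetime.fromisoformat(ts), event_id, src, host, account))
    return sorted(events)

def detect_rdp_account_sweeps(lines, window=timedelta(minutes=10), min_accounts=4):
    """Flag each source that presents >= min_accounts distinct accounts over RDP within a
    sliding window. One admin touching many hosts with one account is not flagged."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[2]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        flagged, start = set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window start forward
                start += 1
            if len({e[4] for e in evs[start:end + 1]}) >= min_accounts:
                flagged.update(range(start, end + 1))
        if flagged:
            span = [evs[i] for i in sorted(flagged)]
            alerts.append({
                "source_ip": src,
                "accounts": sorted({e[4] for e in span}),
                "hosts": sorted({e[3] for e in span}),
                "successes": sorted({(e[3], e[4]) for e in span if e[1] == "4624"}),
            })
    return alerts
```

The "successes" field lists which account worked on which host inside the sweep, which is where triage of the foothold should start.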
Other ICS Attack Scenarios
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides a few resources on recommended best practices for security, including an overview of the different types of attackers that commonly target energy and critical infrastructure organizations. Those range from national governments to industrial spies, organized crime groups, hacktivists and more.
ICS-CERT also provides some detailed overviews of common network architecture configurations of production and control systems. One of those diagrams depicts a vendor support agreement with control systems that allows for remote access, typically through a VPN to enable vendors to assist during upgrades or system malfunction. Attackers may gain access via VPNs to connect to the control system’s network, or to vendor resources.
The ICS-CERT site also provides many other potential attack scenarios, from database links to poorly configured firewalls and more. One easy way to establish a connection and issue commands is to connect directly with data acquisition servers that often “lack even basic authentication.”
The common attack themes seen here are centered around gaining access to enterprise networks by means of weak or unsecured remote access points. Protect against these risks by verifying the trust of the user and their device:
- Verify the identity of all users with Duo Security’s strong two-factor authentication, before granting users access to corporate applications and resources.
- Get visibility into every device used to access corporate applications – including both corporate-managed and personally-owned devices.
- Ensure the trustworthiness of user devices by checking that they meet your security standards – not jailbroken, running the latest operating systems and browsers, passcode-protected, etc.
- Protect access to your applications by enforcing policies that limit access to only trusted users and devices that meet your risk tolerance levels – block those outside of your designated geolocation, or prompt users to update before granting them access.
- Streamline the user login experience with single sign-on (SSO) and let users log in once to securely access all of their different cloud and on-premises apps.