In July 2020, the National Security Agency (NSA) and Cybersecurity & Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory recommending “Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems.”
The advisory emphasized “cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against Critical Infrastructure (CI) by exploiting Internet-accessible Operational Technology (OT) assets.” It also stressed “Legacy OT assets that were not designed to defend against malicious cyber activities, combined with readily available information that identifies OT assets connected via the Internet (e.g., Shodan1 , Kamerka ), are creating a “perfect storm.”
What is IT/OT Convergence
IT/OT convergence is the integration of Information Technology (IT) networks that manage an organization’s computing and data processes with Operational Technology (OT) networks that control its industrial devices and processes. Traditionally, these networks were separated, functioning as separate entities based on independent strategies and procedures. Today, however, more and more organizations are pursuing opportunities presented by the new era of digitalization and are seeing some of the benefits of integrating these networks together. But while organizations increase their focus on their digital transformation goals, they all too often overlook the intricacies of safely and securely merging legacy assets with “smart” technologies.
Legacy Assets in Critical Infrastructure
The fact and reality is that most critical infrastructure facilities including the electricity, oil, gas, water, nuclear and transportation sectors still heavily rely on legacy assets for their operations. Before we go on though, we must dispel common misconceptions regarding the term “legacy assets”. While “legacy assets” indeed refers to old hardware devices, it also applies to the industrial control system protocols devices use to communicate with one another.
Up to the early 2000s, industrial automation’s standard communication was based on serial connectivity such as RS-232, RS-485 and RS-422 interfaces. Similarly, the protocols designed for the serial interfaces such as Modbus, DNP3, IEC101, Profinet and BACnet MS/TP were widely used through the introduction of TCP/IP communications. Yet, as TCP/IP became more accepted in OT networks, the durable and reliable serial-connected devices still prevailed. Even today, devices such as Field Controllers and Field Devices are still ubiquitous in Industrial Control Systems (ICS) environments due to their long and efficient lifespan. The most remarkable thing however is that ICS vendors are still manufacturing devices based on serial (legacy) connectivity, meaning serial communications will exist in ICS for decades to come.
Why is this an issue? Simply stated, serial protocols are intrinsically insecure. They were developed pre-internet and not designed with security in mind and by connecting a previously siloed OT network to modern routable IT networks exposes these legacy devices to IT cyber threats. Further, because these legacy environments still serve to automate cyber-physical processes, the result, in their unmanaged and monitored connectivity, could be catastrophic.
Among the advisory’s “Recently Observed Tactics, Techniques, and Procedures” was spear phishing tactics, where cyber actors “obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.” While there is a myriad of examples, the following high-profile attacks should serve as harsh reminders of how easily malicious actors can traverse to an OT network via the IT network and the potential implications:
2013: Havex/ Oldrea/ Backdoor – USA & Europe
In 2013, researchers at F-Secure and Symantec discovered Havex, a remote access trojan (RAT) designed to collect data from supervisory control and data acquisition (SCADA) and ICS. The malware targeted organizations in the energy, aviation, pharmaceutical, defense, and petrochemical industries. Investigators found the adversaries used several attack vectors to infiltrate the targeted networks, including supply chain and watering-hole attacks on ICS vendor websites, as well as spear phishing campaigns to pivot to the OT network.
Havex is widely believed to be a part of a nation-state cyber espionage campaign with F-Secure reporting: “The attackers behind Havex are conducting industrial espionage using a clever method. Trojanizing ICS/SCADA software installers is an effective method in gaining access to target systems, potentially even including critical infrastructure”. Daavid Hentunen, Senior researcher, F-Secure/ June 23, 2014, f-secure.com
2014: Steel Mill Attack – Germany
In 2014, the German Federal Office for Information Security (BSI) reported an attack on an unnamed German steel mill. The attackers used a spear phishing campaign to steal login details to gain access to the plant’s office network and then worked their way to its production network. The attack caused several industrial controllers to fail and eventually prevented a blast furnace from shutting down as usual, which resulted in extensive damage to the plant. “Because of the jump from office network to industrial control system, we can also assume the mill’s office network had to be connected to the industrial control system.” Pamela Cobb, Market Segment Manager, IBM X-Force and Security Intelligence/ January 14, 2015, securityintelligence.com
2015: Ukraine Power Grid Attack – Ukraine
On December 23, 2015, the first known successful cyberattack on a power grid took place. Attackers successfully compromised ICSs of three energy distribution companies in Ukraine and shut oﬀ power at 30 substations, leaving 230,000 people without electricity for up to six hours. Operators had to restore power manually as SCADA equipment was rendered inoperable. Investigators discovered that the attackers used BlackEnergy malware to exploit the Macros in Microsoft Excel documents. The malware was initially installed onto the IT networks using spear phishing campaigns before pivoting into the OT networks.
2020: Natural Gas Compression Facility – USA
On February 18, 2020, CISA issued a security alert regarding a ransomware attack that affected the (OT) network of a natural gas compression facility.
The attackers “used a Spearphishing Link to obtain initial access to the organization’s information technology (IT) network before pivoting to its OT network.”
Once the adversaries had access to the organization’s networks, they proceeded to encrypt data, causing assets to experience a loss of availability. The attack affected assets in the OT network, including HMIs, data historians, and polling servers, and consequently, the organization decided to “implement a deliberate and controlled shutdown” to operations that lasted approximately two days.
Among the six recommendations issued by NSA and CISA in the advisory was “Implement a Continuous and Vigilant System Monitoring Program.” This is of particular relevance when it comes to legacy assets. Legacy communications, like the serial protocols mentioned above, are susceptible to spoofing, man-in-the-middle and false feedback attacks. If a cyber adversary or insider were to intercept or interrupt communications between a legacy Field Controller and Field Device, they could spoof the data to show normal operations while simultaneously exploiting the industrial physical processes. In other words, serial communications provide flawed visibility; therefore, operators should not trust serial-related data points unless they are tapped directly from the serial line with a secure device.
Where serial communications are concerned, the only way to accurately and securely “monitor for unauthorized controller change attempts” is by passively monitoring the data that is being transmitted between the Field Controller and Field Device. Being able to safely and securely monitor this sustains the integrity of the communications while providing real-time visibility into the devices’ behavior, thus enabling the detection of anomalous communications indicative of malicious data or unauthorized controller change attempts. Regardless of what is be represented by proxy systems (converters and gateways).
You Can Defend Yourself: Detecting Unauthorized Controller Change Attempts with the SerialGuard AnalytICS Platform
The SerialGuard AnalytICS Platform is specifically designed to provide real-time monitoring of legacy assets in order to detect malicious data and advanced attacks that are a subset of sophisticated tactics such as “man-in-the-middle” and “living off the land” techniques.
The platform consists of a hardware sensor (SerialGuard) that passively monitors serial ICS communication traffic between Field Controllers and Field Devices, together with an intrusion detection and data analytics platform (AnalytICS Engine) that enables ICS operators to baseline normal operations and implement integrity checks of their legacy assets.
The SerialGuard sensor is a fully passive and fail-safe serial packet sniffer that sits in-line between a Field Controller and Field Device to provide the real-time capture of serial communications. ‘Fully passive’, meaning it employs proprietary transceiver technology to isolate its signal from the control network, enabling it to securely capture the serial communications without affecting the integrity of the signal on the serial bus. The sensor offers protocol-agnostic support for legacy serial networks (RS-232, RS-485 and RS-422), and currently provides near real-time deep packet inspection for common ICS protocols such as Modbus, DNP3, Profibus, BACnet MS/TP, IEC101, and is configurable to accurately frame all bytes into messages even if the data it captures is unknown. SerialGuard secures the data by encapsulating the captured communications into encrypted TCP data packets before transmitting them to AnalytICS Engine.
The Cynalytica AnalytICS Engine gathers and stores the encrypted serial data packages and performs thorough deep packet inspections to contextualize the assembled data. The software operates as an End Point Protection (EPP), End Point Detection and Response (EDR) and Intrusion Detection System (IDS) and data validation tool by enabling operators to baseline normal operations and create simple, and complex, rule-based alerts to support early detection of anomalous behavior. Alert rule-sets can easily be adapted to the operators needs to reveal operational irregularities or malicious cyber intrusions. Its intuitive graphical user interface (GUI) provides straight forward visual components and data filters that allow in-depth evaluations of the captured communications. The platform also seamlessly integrates alerts and metrics with most third-party SIEMs to optimize visibility across the OT network.
By enabling integrity checks of legacy assets behavior, the SerialGuard AnalytICS Platform can serve as your last line of defense to attack vectors. The platform brings true visibility to critical serial communications data, enabling organizations to reduce the security risks and achieve their digital transformation objectives.
To see the platform in action, download Cynalytica’s Use Case ‘Detecting Malicious Data and Advanced Attacks’ here.
NSA & CISA Cybersecurity Advisory, July 2020
F-Secure: Havex Hunts For ICS/SCADA Systems by Daavid Hentunen, June 23, 2013
Securityintelligence.com: German Steel Mill Meltdown: Rising Stakes in the Internet of Things by Pamela Cobb, January 14, 2015
CISA Alert (AA20-049A): Ransomware Impacting Pipeline Operations, February 18, 2020