Future attacks on industrial control system (ICS) networks may inflict even more damage in the long run, according to new research. Analysts expect them to evolve from attacks that have immediate, direct impact to those with multiple stages and attack vectors that are more stealthy.
While it remains extraordinarily difficult to mount successful attacks on critical infrastructure because of the complexity of industrial environments, it doesn’t mean adversaries with these targets are going to stop trying, according to the report, published Thursday by security firm Dragos.
If attacks such as Stuxnet and Triton/TRISIS are any indication, bad actors already have the ability to create malware that can disrupt operations at power and manufacturing plants, according to Joe Slowik, report author and threat hunter at Dragos.
Attackers aim to take the knowledge they’ve already collected from past attacks to launch more ambitious, multi-stage attacks that could potentially be even more dangerous, Slowik told Threatpost in an email interview.
“Future attacks will include future, direct-disruption events (such as Ukraine 2015), but the most ambitious adversaries will increasingly migrate toward sequenced or staged events where alteration of process integrity is leveraged to produce more significant, potentially dangerous impacts,” he said.
Threats on critical infrastructure are particularly terrifying to imagine, not just in terms of system or financial damage, but also in terms of potential death and physical destruction. This is particularly true when faced with cyberattacks on nuclear power plants like the one that occurred this week in India.
In fact, the 2017 TRISIS attack on a Saudi Arabian petrochemical facility was designed specifically to cause physical damage and loss of human life by attacking a key safety system; however, while it shut down the system, the expected attack never came — it was missing a third stage, which baffled researchers.
This potential to create great loss has a considerable shock-and-awe factor—and is exactly what bad actors behind this type of attack are after, according to Slowik.
“While these attacks are complex and difficult to execute — resulting in multiple adversary failures in execution — all available evidence indicates attackers continue to work on developing and deploying such attack types given their outsized impacts,” he wrote in the report.
Indeed, bad actors will only be buoyed by the success of past attacks, which have been aimed at removing process protection, safety and accuracy within ICS networks. These incidents show both attackers’ ambition as well as an understanding of industrial processes, Slowik said.
“Based on past events, adversaries — whether those conducting such attacks or those simply observing while developing their own capability — can learn from what worked (and what did not) to refine techniques and develop more complex, more damaging attack vectors,” he said.
Those attacks may play out in various scenarios that build upon what’s been learned by previous outcomes, but which have a less direct yet more pervasive effect, Slowik outlined in the report.
For example, a future attack against the oil-and-gas industry could build upon some of the functionality seen in the TRISIS attack vector, according to the report. In the TRISIS attack scenario, adversaries aimed to compromise plant safety or alter safety instrumented system (SIS) equipment while engineering a disruptive scenario to cause physical damage, Slowik wrote.
“Previous discussions of such attack paths have focused on either application-layer attacks (e.g., compromising a device via a vulnerability to gain access and directly modify it); or inadvertent change concerns as being most-likely scenarios in this realm,” he wrote in the report.
However, this scenario demonstrated that attackers have the potential to develop far more subtle attacks that go beyond direct manipulation of control, to carry out “modifications that are potentially invisible to plant operators,” Slowik wrote.
This could lead to a future attack in which bad actors can either leverage known responses to plant operations to facilitate an attack — a scenario similar to what was seen in Industroyer/Crash Override, which disrupted the Ukrainian power grid in 2016 — or use additional access to create unsafe conditions that go undetected by automated systems, he wrote in the report.
To help protect against this and other future attack scenarios, ICS operators can take some immediate steps that would help improve their security posture. The first and most obvious is to “improve visibility within industrial environments to identify potential malicious activity,” Slowik told Threatpost.
To do this, operators should “combine IT-centric security views with process-specific information to develop a more complete view of the interaction between cyber-nexus activity and industrial processes,” he said.
“Based on this approach, operators can begin diagnosing events where alterations in the process environment tie to network or related activity to facilitate root cause analysis, incident identification and recovery,” Slowik told Threatpost.
What are the top mistakes leading to data breaches at modern enterprises? Find out: Join experts from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.
