Operational technology compromises: Low sophistication, high-frequency
In recent years, operational technology (OT) has been dragged into the news due to an increase in compromises against these technology systems that our critical infrastructure relies on. A new trend observed in attacks on the OT of critical infrastructure has been a sharp increase in attacks that exhibit a low level of sophistication and are frequent.
Cybersecurity firm FireEye has recently released a report exploring this trend. This article will provide a recap of this report and detail how OT security and training can fight against this disturbing trend impacting OT systems.
Learn ICS/SCADA Security
The OT report
FireEye released a report entitled Crimes of opportunity: increasing frequency of low sophistication operational technology compromises. The report presents several findings which demonstrate how low sophistication attacks are not only growing but becoming more attractive to threat actors who have been taking advantage of the significant numbers of internet-connected OT devices. These threat actors are motivated by financial gain, as well as ideology/political and egotistic reasons. It should be noted that it did not take much digging to gather the information for the report as threat actors tend to make it known voluntarily in the form of online braggadocio.
Report findings
Rise in the frequency of incidents
The report mentions that while tracking threat actors offering access to OT systems connected to the internet since 2012, there has been a significant increase in the frequency of incidents against OT within the last couple of years. The most common observed threat activity has been actors trying to make money off internet-connected OT and leveraging well-known TTPs, tactics, techniques and procedures in conjunction with commodity tools. This gives threat actors the ability to access, interact with, and harvest information from internet exposed OT, which was observed hardly ever in the past (mainly due to the standard practice of air-gapping OT systems into segregated networks).
The rise in low sophistication threat actor activity
As touched on in the finding above, the use of TTPs indicates that low sophistication threat actors are populating the burgeoning world of OT threat activity. Other indicators, such as threat actors leaving comments on the internet demonstrating that they do not fully understand OT and the rise of tutorials for those targeting OT systems, leave little to the imagination of just how low sophistication these threat actors are.
The low level of technical sophistication of OT threat actors is well known. Those who are relatively more sophisticated than others try to educate their fellow threat actors with hacktivist tutorials. Observed OT threat tutorials teach simple methodologies such as using VNC tools to connect to identified IP addresses.
Low sophistication threat activity was observed on a wide range of targets, ranging from those that present little risk to critical and sensitive ones in nature — for example, activity impacting security systems and building automation systems to water and energy critical infrastructure. A constant theme that has been observed is the reliance on unsecured remote access services as an exploit to access compromised OT control systems.
HMIs: The low hanging fruit
HMIs, or human-machine interfaces, are the low-hanging fruit for process-oriented OT attack activity because they give a user-friendly look into the complex industrial processes of OT systems. This allows threat actors that lack prior knowledge of industrial processes the opportunity to modify industrial control variables quickly and easily.
Threat actors typically cannot keep quiet about their deeds and share IP addresses, GUIs, system timestamps and videos captured during OT attacks with their online communities.
Some threat actors are truly amateurs
Being of low sophistication is one thing; being an amateur is even worse.
The report observed some embarrassing examples of threat actors claiming to target one thing and end up missing the mark entirely. One incident was when an anti-Israel hacktivist group claimed to be targeting a “gas system” in Israel when instead they were impacting a kitchen ventilation system in an Israeli restaurant.
In another incident, threat actors claimed to be attacking a German “rail control system,” but what they thought was a legitimate railroad control system was a web interface for a model train set.
Other OT takeaways
Some other key takeaways from the report:
- Each new incident provides threat actors with an opportunity to learn from the operations, technology and physical processes to improve their “tradecraft.”
- Low sophistication attacks can impact OT systems, especially those with less mature OT security.
- Publicizing OT incidents normalizes them and encourages other threat actors.
How to combat low sophistication OT attacks
Combatting low sophistication OT attacks is not difficult if you use OT security best practices and provide solid OT security training to your organization’s employees. OT security best practices are:
- When possible, segregate OT assets from public-facing networks that have access to the general internet.
- When remote access is necessary, implement access controls and monitor for unusual traffic activity.
- Apply network hardening techniques to edge devices and those that are remotely accessible.
- Identify exposed assets and information and determine if online scanners can discover them.
- Configure your OT system’s HMIs and control system assets, so only acceptable input ranges are enforced and hazardous variable states are excluded.
- Maintain situational awareness of the cybersecurity for your OT system and the development of exploits that will impact your system. This includes being aware of what about your OT system would interest threat actors.
Implementing operational technology cybersecurity best practices is only part of your arsenal against OT attacks. Make sure that your organization’s cybersecurity awareness training dedicates at least a section to OT security. Employees are sometimes the first line of defense against OT threats, so it makes good strategic sense to equip them with as much OT security knowledge as possible.
Learn ICS/SCADA Security
Securing operational technology
Recently, a cybersecurity firm released a report detailing the rise of low sophistication OT attack activity on a level that has never been observed before. These OT threat actors leverage TTPS, online hacktivist tutorials, and the success of others to impact OT systems in critical infrastructure and low-impact environments such as home surveillance systems. These incidents affect OT systems connected to the public-facing internet, reinforcing the need for best practices coupled with OT security awareness training.
Sources
Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises. FireEye Threat Research Blog.
Learn ICS/SCADA Security
Build your critical infrastructure security skills with hands-on training in Infosec Skills. Train how you learn best:- Practice realistic scenarios
- Build hands-on skills
- Learn live or on-demand
- Get certified
In this Series
- Operational technology compromises: Low sophistication, high-frequency
- Securing operational technology: Safeguard infrastructure from cyberattack
- Operation technology sees rise in targeted remote access Trojans and ransomware
- Vehicle hacking: A history of connected car vulnerabilities and exploits
- ICS/SCADA threats and threat actors
- Incident response and recovery best practices for industrial control systems
- BPCS & SIS
- Security Technologies for ICS/SCADA environments
- Data Loss Protection (DLP) for ICS/SCADA
- ICS/SCADA Wireless Attacks
- Security controls for ICS/SCADA environments
- SCADA & security of critical infrastructures [updated 2020]
- CIP (Common Industrial Protocol): CIP messages, device types, implementation and security in CIP
- Open vs proprietary protocols
- Critical security concerns facing the energy & utility industry
- ICS/SCADA Social Engineering Attacks
- ICS/SCADA Malware Threats
- Biggest threats to ICS/SCADA systems
- SIEM for ICS/SCADA environments
- Intrusion Detection and Prevention for ICS/SCADA Environments
- Firewalls for ICS/SCADA environments
- ICS/SCADA Security Technologies and Tools
- The state of threats to electric entities: 4 key findings from the 2020 Dragos report
- Modbus, DNP3 and HART
- RS-232 and RS-485
- BACnet
- TASE 2.0 and ICCP
- FOUNDATION Fieldbus
- Account Management Concepts for ICS/SCADA environments
- PROFIBUS and PROFINET
- ICS Strengths and Weaknesses (from security perspective)
- Access Control Implementation in ICS
- ICS Components
- Access Control Models for ICS/SCADA environments
- ICS/SCADA Security Specialist/Technician Role
- Credential Management and Enforcement for ICS/SCADA environments
- IT vs ICS
- Process control network (PCN) evolution
- ICS protocols
- Saving lives with ICS and critical infrastructure security
- ICS/SCADA Access Controls
- Types of ICS
- Physical security for ICS/SCADA environments
- Introduction to SCADA security
- ICS/SCADA security overview
- Who Is Targeting Industrial Facilities and ICS Equipment, and How?
- Configuration of Anti-Virus and Anti-Malware Software within an ICS Environment
- MyPublicWiFi – A Windows Utility to manage ICS
- Situational awareness and ICS Using GRASS MARLIN
- Cyber risks for Industrial environments continue to increase
- Advice to a New SCADA Engineer
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Critical infrastructure
Securing operational technology: Safeguard infrastructure from cyberattack
Critical infrastructure
Operation technology sees rise in targeted remote access Trojans and ransomware
Critical infrastructure
Vehicle hacking: A history of connected car vulnerabilities and exploits
Critical infrastructure