When we look at Operational Technology (OT), system failures and outages are a part of running the business and the unavoidable price of complex control system operation. However, hidden in plain sight, leveraging vulnerabilities in technology, process, or visibility, and cloaked as operational 'hiccups', may be indications of OT cybersecurity incidents.
One of the greatest challenges we face as OT security practitioners is the difficulty in distinguishing between a standard system issue and a targeted cyber-attack. This predicament creates operator/responder fatigue and is analogous to the boy who cried wolf: is it a false alarm or a genuine threat? Do we have spares? Do we even know our vulnerable assets? Sometimes, just answering this question may be much more complex than looking at a single asset, class, or condition. This classic fable finds a striking parallel in our OT environments, where the 'wolf' of potential or actual cyber-attacks often masquerades as the 'boy’s cries' of typical operations and system failures, causing confusion and delay in effective attribution and responses.
For example, consider the lessons from the notorious Stuxnet worm attack that unfolded in 2010. While initially appearing to be a common system or process anomaly, it was revealed to be a highly sophisticated and targeted cyber weapon. Stuxnet was an exploit that targeted Supervisory Control and Data Acquisition (SCADA) systems, Siemens' Step7 software, widely used in programmable logic controllers (PLCs). The worm reconfigured these PLCs, eventually causing significant damage to Iran's nuclear program by subtly altering the speed of centrifuges. It did so while sending normal operating values to the control room, making it seem like everything was operating normally.
The 2015 cyber attack on Ukraine's power grid serves as another stark reminder of the complexity and potential impact of OT Cyber Attacks. Initially masked as a mundane power outage, this event turned out to be a well-orchestrated cyber attack, demonstrating a new level of sophistication in OT security threats. The adversaries used spear-phishing emails to gain initial access to the systems of three regional electricity distribution companies. They then moved laterally across the Information Technology (IT) and OT network, eventually gaining access to the HMIs used by operators to monitor and control the distribution substations. Utilizing the KillDisk malware, the attackers wiped critical system files on these control systems, causing about 230,000 people to lose power in the middle of winter.
Norsk Hydro, one of the world's largest aluminum producers, was also hit by a severe cyber attack in March 2019. This ransomware attack, known as LockerGoga, brought the company's operations to a standstill, causing significant disruptions in its worldwide production.
The LockerGoga ransomware infiltrated Norsk Hydro's systems and began encrypting files, rendering critical systems and data inaccessible. Interestingly, rather than primarily focusing on the company's IT systems, the attack went a step further - it targeted the company's OT assets, including the control systems that managed the aluminum production lines.
Once inside the system, the attackers locked out operators from their HMI interfaces, thereby preventing them from monitoring or adjusting the production processes. This resulted in a substantial decrease in Norsk Hydro's production capacity, forcing the company to switch to manual operations wherever possible.
The economic impact of the attack was substantial. Norsk Hydro reported a financial loss of approximately $40 million dollars in the first week following the incident. The total costs, including recovery and lost revenue, exceeded $70 million dollars. Moreover, the attack had a prolonged effect on the company's ability to fulfill orders, impacting its reputation and customer relations.
These real-world incidents illustrate the significant potential for OT Cyber Attacks to cause extensive physical and financial damage. These incidents also underscore the need for advanced and comprehensive security strategies in OT environments, including the use of virtual digital twins and detailed configuration file analysis. As shown by these examples, a deeper and more comprehensive understanding of the ingress and egress points, and the symbiotic relationship between our OT environments and IT, is necessary.
To fully articulate the extent of this issue, we need to explore the Purdue Model, which has remained the gold standard for Industrial Control System (ICS) architecture, despite rumblings that it is outdated. The Purdue Model for Control Hierarchy, an industrial reference model, provides a structured framework for process control, separating network functions and assets into multiple layers. From the physical process layer, where field devices like sensors and actuators are found; moving up to supervisory control with Programmable Logic Controllers (PLCs) and Human-Machine Interfaces (HMIs); all the way to the business planning and logistics system on the top-level, each layer represents a unique set of assets and communication protocols. While this segregation is beneficial for structured operations, it poses a challenge for comprehensive cybersecurity. Security tools, techniques, and procedures (TTPs) effective at one layer might be nonexistent, inadequate, or even incompatible and detrimental, at another. There will always be assets that cannot be "secured" from a technological standpoint.
Some of the OT Asset discovery and management solutions on the market today use Deep Packet Inspection (DPI) to gather asset information. This technology emerged from the IT world as a tool for examining the data part (and not just the header) of a packet as it passes an inspection point. This process looks at identifying its content to determine whether the packet complies with predetermined rules. In another wrinkle, these rules typically rely on known conditions for which to search, doing little for a zero-day exploit. In the realm of Operational Technology, DPI tools safeguard and monitor the network traffic within and across the upper layers of the Purdue Model. These layers are undergoing a transformation into more open IT-like hardware and software, influenced by the Industrial Revolution 4.0. However, the complexity and diversity of protocols used deeper down in OT, the latency sensitivity, and the physical differences between "Programming IT" and "Configuring OT" assets require more of a "CMDB for OT" approach to cybersecurity. The ability to safely and seamlessly access the configuration files of OT assets for quick "drill down" examination is imperative, based on the sheer nature of OT systems, for cybersecurity incident response or research and is extremely beneficial in supplementing operational efficiency. Relying solely on DPI-gathered asset information can fall short of providing the complete tapestry of risk, vulnerability, and asset visibility. This might be akin to reading every fourth page of a novel. It obfuscates vital plot developments, characters' motivations, or subtle foreshadowing, all crucial to understanding the complete story.
The packet headers, serial numbers, and network information gathered through DPI network analysis tools provide valuable insights into networked asset system communications, adversarial movement, and potential anomalies. For instance, they can help identify an unauthorized device attempting to communicate within the boundaries of the system or flag unusual data transmission patterns. However, they don't necessarily illuminate the complete operational context of these communications. Without understanding the interplay of all devices capable of being captured (up and down the layers) within a control system, along with the operational conditions at the time of an incident, we find these data points can leave analysts wanting, generating more questions than answers.
Configuration files provide a much richer source for understanding a system's setup, including the roles and behaviors of various devices, their communication patterns, and the expected operational parameters and conditions. Analyzing these files can yield much more detailed insights, enabling a quicker, more effective response to potential issues or attacks. Configuration files - the DNA of our systems - hold a wealth of untapped data. They can reveal the system's design, architecture, and potential vulnerabilities. It's like having a comprehensive synopsis of the novel, including all characters, their motivations, and the entire plot.
By employing emerging virtual digital twin technology, a digital replica of the target system, we could go further and analyze these configuration files in a safe, non-disruptive environment. Using the configuration files, we can definitively tell "what's connected to what", "what applications are running", and at what revision level. We can look at the up and downstream effects of a change. With the power of configuration file analysis, we gain visibility into configuration baselining. We can see "what keys were changed" and when (what sequence, etc.). Traditionally, a small adjustment to the tolerance gap of a process that produced unwanted production results could elude discovery without the ability to drill down, examine and compare config files.
When configuration file analysis is paired with a virtual twin of the system, researchers and analysts can safely investigate issues, test hypotheses, and develop countermeasures without risking the live system. In the continuously evolving landscape of OT security, these techniques offer a promising way forward. It offers an unprecedented opportunity for deep analysis akin to forensic examination without the usual confines. It propels us from being reactive to proactive, from battling uncertainty to commanding confidence.
Unfettered access to, and analysis of, the configuration files illuminates the system's inherent structure and significantly increases our success rate for streamlining our response time (MTTR) in mitigating OT cyber events. In our constant pursuit of enhanced OT cybersecurity, the pairing of virtual twins and the last known "good" configuration files becomes a potent tool to unmask the 'wolf' and defend our systems effectively.
No comments:
Post a Comment