Resilient SCADA & OT Cybersecurity Guide for Critical Infrastructure
In an age marked by relentless technological advancements, critical infrastructure is facing an ever-growing threat from cyberattacks. Among the most vulnerable components of our infrastructure are Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS).
These systems ranging from essential services such as energy distribution to water treatment, require a proactive and multifaceted approach to security. In this era of escalating cyber threats, it’s important that we navigate the terrain of SCADA and Operational Technology (OT) cybersecurity with diligence and innovation.
Methodology: Decoding SCADA and ICS Threats: Tactics with MITRE AT&CK
The diversity of threat actors and their targets means that there is no one-size-fits-all attack methodology. Each attack is shaped by specific goals and the distinct attributes of the target, particularly in SCADA and Industrial Control Systems (ICS).
Both threat agents and security professionals employ similar techniques to probe networks and systems for vulnerabilities. This aids in identifying the most effective defense-in-depth measures.
The methodology used in this article is from the MITRE ATT&CK framework, focused on the following stages:
- Initial Access
- Privilege Escalation
In this stage, the threat actor conducts a thorough analysis of target systems and assembles, and manages infrastructure resources, incorporating data from environmental preparations and various intelligence sources.
This phase entails gathering intelligence about potential targets, assessing their vulnerabilities, and formulating a detailed plan of action. This includes identifying targets, collecting pertinent information about their infrastructure and personnel, analyzing vulnerabilities, and creating attack strategies. Additionally, coordination with other threat actors or entities may be necessary for larger campaigns. Target development is a critical precursor to executing a cyberattack, demanding a thorough understanding of the target’s environment and potential weaknesses to enhance the chances of a successful compromise.
In the example below, the threat actor employs various tools to probe for open ports and services which will assist them in compromising the target.
The threat actor identifies an open port that allows them to gain access to a fuel tank inventory. This allows them to plan further attacks and look for a foothold into the system.
1-A: The threat actor identifies open ports
1-B: Threat actor scans port 10001 and identifies a fuel tank inventory system
After gathering significant information on the target’s systems and services, the threat actor then proceeds to begin the exploitation and pivoting phase. This stage entails the actual process of taking advantage and exploitation of vulnerabilities, while pivoting involves using the initial access to explore and potentially compromise other parts of the network. This phase is crucial for identifying and addressing security weaknesses in SCADA environments, helping organizations strengthen their overall security posture.
In our current threat scenario, the attacker has performed OSINT (Open-Source Intelligence Gathering) and studied documentation related to the TLS-350 Fuel Tank Gauge service running on port 10001. The attacker simply performed a Google search for documentation and user manuals for the system and it was discovered that commands may be issued to the port which can control the behavior of the backend server. Screenshot of TLS-3XX Operator’s Manual below.
Below, we can see an example of an attacker issuing a command to the open port 10001, which opens an unauthenticated shell on port 2222 and grants them the initial foothold into the system as a low-privileged user.
2-A: The threat actor issues a command on port 10001 (ctrl + A) which opens port 2222 on the target
2-B: The threat actor then gains unauthenticated access to a low privileged account
At this stage, the actor must gain full privileges to completely control the target system. The threat actor will then conduct local enumeration using various tools and manual methods to identify potential routes for administrative access.
In the current scenario, the attacker has identified a publicly available exploit to grant them administrative access and full control of the target system.
Exploring the local services running on the compromised machine, the attacker does a Google search to identify a publicly available exploit from exploit db. here: https://www.exploit-db.com/exploits/46978
The exploit takes advantage of a security vulnerability involving the “lxd” group membership on a system. When a user is part of this group, they can quickly gain root privileges on the host operating system, even without pseudo rights or password input. The issue arises from the fact that LXD, as a root process, performs actions for anyone with write access to its UNIX socket, without considering the user’s privileges.
Looking at the service version of the target machine and confirming, the attacker transfers over their exploit from their server to the target and attempts to execute it on the system.
3-A: The threat actor downloads an exploit from their attacker server to the target
3-B: The threat actor then executes the exploit and gains root access to the target server.
After a threat actor successfully exploits a vulnerability to enter a target system, they will establish a mechanism to ensure continued access, even if the initial connection is severed.
Sustaining this access can be achieved through various means, often by utilizing administrative privileges to generate covert accounts or by initiating unauthorized processes that grant the attacker an entry point.
These actions may occur within the ICS application layer, the operating system, or within a background process that may not be linked to either the core OS or the specific control system.
Such examples can be:
- Creation of additional administrative accounts (refer to figures 4-A and 4-B)
- Rootkits to modify system code
- Obfuscated malware on system memory
- Scheduled tasks to re-initiate access on boot
The following example illustrates an attacker gaining access to Active Directory controls as the Administrator user and creating a duplicate account for persistence.
4-A: The attacker accesses the active directory panel of the target and duplicates the Administrator account.
4-B: The attacker confirms and creates an account on the system for persistence
For attackers aiming to evade detection, erasing any trace or evidence of system infiltration is crucial. They must consistently eliminate their digital trails, making minimizing exposure an integral component of every stage of the attack. Certain ICS assets may not support the logging and capturing of system anomalies that could serve as indicators of a cyber incident or attack.
Having gone through the attack methodology, it is important to implement measures to improve the security of our ICS/SCADA infrastructure. In the following section, we will explore a range of strategies aimed at improving our systems against potential threat actors. By proactively addressing vulnerabilities and implementing robust security protocols, we can safeguard critical industrial processes and ensure the resilience of our ICS/SCADA environment from future threats.
Passive and Active Security Monitoring: Setup passive and active security monitoring tools for network packet sniffing, collection and correlation of event logs, network scanning and endpoint protections.
For passive monitoring, tools like Wireshark can be used for network packet sniffing at network chokepoints. A chokepoint is a strategic location in the network where inter-zone traffic is tunneled through. This allows the defender to sniff traffic between several servers and subnets in the network.
For active monitoring, tools like Nessus or Qualys VMDR can be used to scan networks at scheduled intervals to identify vulnerabilities across different devices and services in the network. Additionally, endpoint protection platforms like Cortex XDR can be used to detect malicious activity on workstations and prevent them from executing.
To effectively protect your ICS/SCADA environment, it is important to have as much visibility on your environment while having a proactive approach at identifying threats.
Threat Intelligence: By actively monitoring and analyzing data from various sources, such as indicators of compromise, attack patterns, and emerging vulnerabilities, organizations can gain valuable insights into potential risks. This intelligence empowers security teams to proactively implement measures like intrusion detection systems, firewalls, and access controls tailored to the specific threats targeting ICS/SCADA environments.
Architecture Risk Analysis: This involves an in-depth review of existing architecture diagrams, dataflow, and design, along with an evaluation of the industrial/operational communication protocols in use. Organizations must review and implement proper network segmentation to protect the internal network from external threats.
Next, develop a threat model through collaborative workshops with IT and operations/engineering teams. Then, construct visual representations of potential control system attacks using the NIST Cybersecurity Framework. This approach helps prioritize security control implementations by identifying the most critical attack vectors, thereby reducing your company’s risk and exposure
Threat Hunting: By actively seeking out signs of potential threats or anomalies within the network, organizations can uncover hidden risks that may not be detected by traditional security measures alone. This method involves analyzing data logs, network traffic, and system behavior to identify patterns indicative of malicious activity. By employing specialized tools and techniques, threat hunters can swiftly detect and respond to emerging threats, reducing the dwell time of potential attackers within the ICS/SCADA environment.
Vulnerability Assessments: By systematically evaluating the potential vulnerabilities, threats, and impacts associated with ICS/SCADA systems, organizations can gain insights into their security posture. Continuing from the previous topic of active monitoring, this process involves identifying and prioritizing assets, analyzing potential threats and vulnerabilities, and assessing the potential consequences of security incidents.
Through this comprehensive evaluation, organizations can allocate resources effectively, implementing tailored security measures that address the most critical risks. Risk assessments provide a roadmap for developing and prioritizing security initiatives, ensuring that mitigation efforts are focused on areas with the highest potential impact.
With the increasing sophistication of cyber threats on ICS/SCADA systems, a proactive and multi-faceted approach to security is essential. Implementing robust network segmentation, employing continuous monitoring, architecture risk analysis and leveraging threat intelligence are critical steps towards improving security across ICS/SCADA systems. Embracing vulnerability assessments and proactive threat hunting techniques empowers organizations to stay ahead of potential threats.
Altimetrik is your trusted partner in navigating the landscape of ICS, SCADA, and OT (Operational Technology) cybersecurity. As technology advances so do the threats to critical infrastructure. We are committed to empowering organizations with tailored solutions that enhance security, reduce vulnerabilities, and fortify their ICS, SCADA, and OT environments. With a comprehensive suite of services, spanning from architecture risk analysis, vulnerability management, penetration testing, threat hunting, incident response planning and compliance, we provide the expertise and support needed to safeguard operations, protect assets, and maintain the resilience of business-critical services.