Amateur threat actors have been able to compromise critical infrastructure like industrial control systems (ICS) and other operational technology (OT) assets more often lately. Compromises of exposed OT assets rose over the past 18 months, according to threat researchers at Mandiant, with attackers using readily-available tools and common techniques to gain access to the systems. Attackers can get into those because they’re often connected to the internet without authentication and visible via connected-device search engines, like Shodan.
Why else is this happening more now? And what can businesses with a lot of OT involved in their critical infrastructure do against attacks like this?
Critical Infrastructure Attacks Follow a Known Pattern
It’s not uncommon for attack trends to begin with waves of poorly planned, amateur action. This wave grows in volume and evolves as threat actors learn from experience.
We’ve seen this in the recent surge in ransomware, too. It has its roots in the phishing email-driven, malware-based, ‘spray and pray’-style campaign strategies that threat actors leveraged a few years ago. Since then, it has developed into multi-stage, human-engineered attacks. Today’s ransomware actors use highly individualized targeting, lateral movement across networks and frequent credential and data theft into their tactics.
Security researchers have witnessed a major increase (up 171% from 2019 to 2020) in the average ransom demanded. They’ve also seen noteworthy growth in the number of so-called double-extortion attacks, in which attackers both encrypt and exfiltrate data. Attackers then threaten to publish it to a leak site on the dark web if the victim doesn’t pay. These types of attacks require much more care and precise targeting than the simpler, encryption-only attacks that used to be popular. They need to explore network infrastructure, learn topologies, discover data storage locations and exfiltrate data in order to be successful.
Ransomware threat actors are also choosing their targets more carefully. According to IBM Security X-Force, these attackers are now seeking out victims with little tolerance for downtime. That includes critical infrastructure. While overall ransomware attack numbers exploded in 2020, they hit the manufacturing sector hard. That vertical accounts for nearly a quarter of all the incidents that X-Force responded to last year. It’s noteworthy — and troubling — that 41% of all the ransomware incidents IBM Security X-Force analyzed in 2020 involved OT networks.
Today’s ransomware attack trends may well be a harbinger of what’s to come in the OT/ICS landscape.
Critical Infrastructure in the Sights
The threat researchers at Mandiant note that they saw very few amateur attacks like this in the past. Today’s low-end threat activity targets critical infrastructure control systems in a variety of industries. Their targets range from energy (solar panels) and water control systems to home security and building automation systems. The attackers are using familiar tactics, techniques and procedures and commodity tools to target at-risk, internet-exposed assets. They’re opportunistic, with threat actors seeking out the ‘low-hanging fruit’ in OT systems.
Many of the attackers appear to be rank amateurs who clearly lack expertise and a deep knowledge of critical infrastructure. Mandiant reports that one threat actor published screenshots they claimed showed the controls of a German rail control system. However, they really depicted the web interface of a command module for model train sets. In another instance, a threat group posted a video of an attack they claimed had compromised an Israeli ‘gas system’ in response to an explosion at a missile facility in Iran. Upon inspection, the video showed a compromised kitchen ventilation system in a restaurant in Israel.
It’s tempting to laugh at the failures of these bad actors. However, the fact that they’re widely showing such exploits both normalizes them and increases the likelihood that they’ll be repeated — with much more severe effects — by cyber criminal groups with more resources and know-how.
It’s possible that what appears to be amateur work is in fact a test, done by criminals who are concealing their research and reconnaissance by appearing inept. But it’s more likely the attackers are really newcomers. Tutorials on how to find and compromise online OT assets are now widely available. It’s easy to find at-risk systems with Shodan or Censys searches. So, increasing numbers of hacktivists, script kiddies and other amateurs are jumping on the bandwagon.
Best Practices for OT Defenders
Mandiant presents a set of best practices for defenders tasked with protecting critical infrastructure and OT assets alongside its report on the recent threats. Most of this advice will be familiar to the people running on-site security operations centers (SOCs) for industrial control systems, but it bears repeating. Many OT security programs struggle to maintain visibility, keep systems patched and implement robust access controls.
Here are a few suggestions:
- Consider air-gapping OT systems that cannot be patched routinely, where known vulnerabilities are present or where it’s impossible to implement access controls. When air-gapping is not feasible, remove the assets from public-facing networks.
- Employ access controls and traffic monitoring for all critical infrastructure or OT assets connected to the public internet.
- Segment OT and IT networks and leverage hardening techniques to protect devices workers can access remotely. These include disabling unused services, changing default credentials, reviewing asset configurations and creating whitelisting policies.
- Maintain situational awareness by adding current, industry-relevant threat intelligence into your plans for which security controls and measures to focus on first. Figure out whether your own assets are visible from scanners like Shodan and Censys.
- Consider applying the zero trust model to all operator control input. In this model, all operator control input is treated as potentially malicious until proven otherwise.
The risks that cyber-physical and critical infrastructure attacks pose now extend to impact human health and safety. They’ve never been more pressing than they are today and it’s of vital importance for national security, as well as enterprise risk management, that OT security leaders enforce consistent adherence to best practices. No one should be at the rear of the pack, ready to be picked off by even new attackers.