Some insights from the report “ENISA Threat Landscape Report 2018 – 15 Top Cyberthreats and Trends” with reference to the systems used on plants in Industry and Utility

Introduction

On 29 January 2019, a few weeks ago, ENISA (European Union Agency For Network and Information Security, www.enisa.europa.eu) released the report entitled “ENISA Threat Landscape Report 2018 – 15 Top Cyberthreats and Trends”, or ETL2018, which you can find on the ENISA website at this link: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018

It is a document on the state of cybersecurity in the European Union and globally, from the point of view of the Agency's experts, who each year draw up a snapshot of the most significant threats, cybercrimes and other events of the previous year that had an impact on systems.

The ETL2018 report at a glance


Here, in summary from the 139 pages of the report, are the main trends of the cyberthreat landscape in 2018 and some messages to keep in mind:

  • Mail messages and phishing have become the main malware infection vector.
  • Exploit kits have lost their importance in the cyberthreat landscape.
  • Cryptominers have become a major monetization vector for cybercriminals.
  • State-sponsored agents are increasingly attacking banks using the same attack vectors used in cybercrime.
  • Improving skills and capabilities is the main objective of those who have to defend themselves. Public organizations struggle to retain staff due to stiff competition with industry in attracting cybersecurity talent.
  • The technical orientation of most cyberthreat intelligence is considered an obstacle to management awareness.
  • Intelligence must respond to increasingly automated attacks with new approaches and the use of automated tools and skills.
  • The emergence of IoT environments remains a problem due to the lack of protection mechanisms in low-end IoT devices and services. The need for generic IoT security architectures and best practices is now even more pressing.
  • The absence of cyberthreat intelligence solutions for SMBs and end users needs to be addressed by both suppliers and governments.

The ETL2018 report and the systems for Industry4.0/Utility4.0


Having dealt with OT/ICS cybersecurity for years, we went to see what the ETL2018 report says about risks, threats and events related to security problems in the automation, control and remote-control systems and networks that supervise machinery and plants in industry and utilities.

Here are some of our considerations:

Improve visibility into ICS systems

Today one of the most apt mottos for protecting factory networks and systems is certainly "Security-by-Visibility", in contrast to "Security-by-Obscurity", which for a long time was one of the mantras of industrial cybersecurity: trying to "hide" the system to be protected, making it less visible and concealing its characteristics so as to make it less attackable.

Over time it has become clear that the "Security-by-Obscurity" approach does not make the system more secure.

So now it is preferable to adopt countermeasures appropriate to the criticality and importance of the ICS system and, at the same time, to have maximum visibility into what is happening on the network and on the system, so as to notice as soon as possible any behavioural anomaly that may hint at a compromise in progress or an impending incident.

The report states on page 95 that in February 2018 the first episode of cryptomining malware (a server used to mine cryptocurrencies) was reported, found in the Internet-connected SCADA systems of a water utility.

NB: this incident was not the only one (see figure below).


This clearly poses two problems, which we report here:

  • A system connected to the Internet with poor perimeter protection is therefore easily compromised.
  • Visibility into what is happening in the ICS systems is needed, so as to recognize immediately any unforeseen and potentially malicious activity.

Securing the ICS perimeter, but also segmenting the network and segregating critical assets


We have always suggested segmenting the network and adequately segregating the most critical components of the control system.

In this respect the IEC 62443 standard, taking up the so-called PERA model (Purdue Enterprise Reference Architecture), also explored in ISA-95 and ISA-99, defines how the subdivision into Zones must be carried out and how to limit as much as possible the Conduits that allow information to flow between one zone and another, which must then be adequately monitored.


In the report, on page 102, we read that “64% of major incidents involving industrial control systems or networks were ransomware” (in 2018).

In the vast majority of such incidents the ransomware reaches the network of the OT/ICS system that manages the plant or the machine in the factory as "collateral damage" of an email attachment or of an infected site inadvertently opened from a PC in the headquarters offices.

Almost always, once it reaches the factory network, the ransomware spreads easily, infects other PCs, blocks operation by encrypting disks and making the systems unusable, and consequently halts the automation and control systems, stopping production or service delivery.

Now, in our view, three orders of problems are highlighted here:

  • The security awareness/training policies of the companies involved are not that effective, and someone still opens infected mail attachments or browses dodgy sites
  • The technological security countermeasures adopted are not adequate to block these ransomware campaigns
  • The fact that ransomware targeting the office network propagates into the factory network shows that there is no perimeter protection or correct segmentation of the network, nor adequate segregation of the most critical computers in the production departments

And most likely the practice of properly backing up all the systems used in the factory (PCs, PLCs, SCADA, etc.) also turns out to be incomplete: backups, even in the event of an incident, could limit the damage to a few hours of downtime with fast restarts, without causing days and days of lost production or service delivery, as unfortunately happened in many industrial realities both in 2017 and 2018 (as reported in various parts of the ETL2018 report).
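As an added example (not code from the article or from ENISA), the visibility and segmentation points above can be checked mechanically: the Python below declares Purdue-style zones and IEC 62443-style conduits on constructed addressing and flags every flow that crosses zones outside a declared conduit, which is how an office PC reaching a PLC (the ransomware path) or a SCADA server talking to the Internet (the cryptominer case) would surface. Zone names, networks, ports and flow records are assumptions for illustration.

```python
# Added example (not the article's or ENISA's code): IEC 62443-style zone/conduit
# check. Zones, conduits and flow records are constructed for illustration.
import ipaddress

# Purdue-style zones: name -> IP networks
ZONES = {
    "enterprise": ["10.1.0.0/16"],       # Level 4: headquarters office PCs, mail
    "dmz": ["10.2.0.0/24"],              # Level 3.5: historian replica, jump host
    "supervisory": ["192.168.10.0/24"],  # Level 2: SCADA / HMI servers
    "control": ["192.168.20.0/24"],      # Level 1: PLCs / RTUs
}
# Conduits: the only zone-to-zone paths allowed, with the TCP ports they carry
CONDUITS = {
    ("enterprise", "dmz"): {443},              # office reads the historian over HTTPS
    ("dmz", "supervisory"): {3389},            # jump host reaches SCADA over RDP
    ("supervisory", "control"): {502, 20000},  # Modbus/TCP and DNP3 to PLCs / RTUs
}

def zone_of(ip):
    """Zone containing ip, or 'internet' when it matches no declared zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return "internet"

def check_flow(src, dst, dport):
    """Return 'ok', 'intra-zone', or the reason the flow violates the policy."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "intra-zone"
    allowed = CONDUITS.get((s, d))
    if allowed is None:
        return f"no conduit {s}->{d}"
    if dport not in allowed:
        return f"port {dport} not allowed on conduit {s}->{d}"
    return "ok"

def violations(flows):
    """(src, dst, dport, reason) for each flow crossing zones outside a conduit."""
    return [(*f, r) for f in flows if (r := check_flow(*f)) not in ("ok", "intra-zone")]

# Constructed flow records, as a firewall or span-port sensor would export them
SAMPLE_FLOWS = [
    ("10.1.5.23", "10.2.0.10", 443),        # office PC -> historian: ok
    ("192.168.10.5", "192.168.20.7", 502),  # SCADA -> PLC, Modbus/TCP: ok
    ("10.1.5.23", "192.168.20.7", 445),     # office PC -> PLC over SMB: the ransomware path
    ("192.168.10.5", "203.0.113.9", 3333),  # SCADA -> Internet host: the cryptominer case
]
```

Run `violations(SAMPLE_FLOWS)` over real exported flows and every hit is either a conduit missing from the policy or traffic that should not exist.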

Restrict remote access to industrial systems


The ETL2018 report highlights how the indiscriminate deployment of RATs (Remote Access Tools) on ICS systems is a widespread practice and a cause of great concern.

A remote administration tool (RAT) is a program used by operators and others to connect to a remote computer over the Internet or across a local network and then perform maintenance or even system management tasks without having to be physically present at the system: a remote administration tool installed on the ICS system replicates its screen, keyboard and mouse on another PC connected to the network.

The ETL2018 report on page 109 reminds us that “OT Networks of Industrial Enterprises are a Glory Field for Espionage Threat Actors”.

“These actors use remote administration tools (RATs) that are already installed on industrial control systems (ICS). Below is a figure from a recent report revealing the top 20 countries where RATs were used at least once in espionage incidents during the first half of 2018.” (https://securelist.com/threats-posed-by-using-rats-in-ics/88011/)

The following figure shows that Remote Access Tools (RDP, Remote Desktop, VNC, TeamViewer, etc.) are installed on 40 computers of ICS systems out of the total of all computers, and this is already indicative and symptomatic of the habit of installing them everywhere.

But if we then look at the details of the Kaspersky research cited in the ETL2018 report, we also discover that these tools are legitimately installed on fewer than one third of the ICS systems: in practice, on almost 70% of the systems in question these RATs have been installed and are active without the operators and owners of the systems being aware of it!

Once again, a problem of poor "visibility" into the ICS system.
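As an added example (not the article's or Kaspersky's code), the kind of audit that exposes RATs the owner never approved: the Python below compares a constructed host inventory (running services and listening ports) against an authorization register and computes the share of RAT-equipped hosts carrying a tool nobody signed off on. Tool names and default ports are the tools' documented ones; hosts, processes and the register are assumptions.

```python
# Added example (not the article's or Kaspersky's code): audit an ICS host
# inventory for remote administration tools nobody signed off on.
# Signatures, register and inventory below are constructed for illustration.

# Remote-access tools: process/service name -> documented default TCP port
RAT_SIGNATURES = {
    "TermService": {3389},             # Windows Remote Desktop (RDP)
    "tvnserver.exe": {5900},           # TightVNC server
    "TeamViewer_Service.exe": {5938},  # TeamViewer
    "AnyDesk.exe": {7070},             # AnyDesk direct connections
}
# Authorization register: host -> tools the plant owner explicitly approved
AUTHORIZED = {
    "scada-srv-01": {"TermService"},
    "hist-01": {"TermService"},
}
# Constructed inventory: host -> (running processes/services, listening TCP ports)
INVENTORY = {
    "scada-srv-01": ({"TermService", "scada_runtime.exe", "tvnserver.exe"}, {3389, 5900}),
    "hist-01": ({"TermService", "historian.exe"}, {3389}),
    "hmi-line3": ({"hmi_runtime.exe", "TeamViewer_Service.exe"}, {5938}),
    "eng-ws-02": ({"eng_tool.exe"}, {135}),
}

def audit_host(host, processes, ports):
    """Findings for one host: a tool counts as installed when its process is
    running or its default port is listening; unauthorized = not in the register."""
    installed = {name for name, p in RAT_SIGNATURES.items()
                 if name in processes or p & ports}
    return {"installed": installed,
            "unauthorized": installed - AUTHORIZED.get(host, set())}

def audit(inventory):
    """{host: findings} for every host on which at least one RAT was found."""
    result = {}
    for host, (procs, ports) in inventory.items():
        findings = audit_host(host, procs, ports)
        if findings["installed"]:
            result[host] = findings
    return result

def unauthorized_share(inventory):
    """Among hosts with a RAT, the share with at least one unauthorized tool
    (the kind of figure the article quotes from the Kaspersky research)."""
    found = audit(inventory)
    bad = [h for h, f in found.items() if f["unauthorized"]]
    return len(bad) / len(found) if found else 0.0
```

Matching on the default port as well as the process name catches a renamed binary or a service the inventory agent did not label.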

The discovery of the first malware targeting a SIS system

The ETL2018 report highlights how, between 2017 and 2018, the first malware targeted directly at the safety systems of critical infrastructures was detected: Triton is in fact the first malware whose primary objective is SIS systems (Safety Instrumented Systems).

SISs are designed to shut down and secure industrial processes when they reach unsafe operating conditions.

Targeted incidents on such SIS systems, which are usually used in hazardous plants (refineries, offshore platforms, gas plants, chemical plants, power plants, etc.), could have serious implications (remember Stuxnet and Industroyer?).

ICS/SCADA are expected to be increasingly targeted by advanced threat actors who have the ability and intent to perform such operations. Print and web publications (https://bit.ly/2NgBpVL) have written extensively about Triton/Trisis, including outlets outside the technical press, since it is now proven that the control systems that are the last safeguard for the safety of people, the environment and the plant itself can also be violated and controlled from outside by actors who could be steered by criminals or hostile governments.

The objectives are now also "physical": IoT, IIoT and ICS are "objects" and systems that manage "objects"


As already reported at the beginning “The emergence of IoT environments remains a problem due to the lack of protection mechanisms in low-end IoT devices and services. The need for generic IoT security architectures and best practices is now even more pressing.”

And again, as reported on page 25: “Malware authors are increasingly interested in IoT devices.

One of the noteworthy events of 2018 was VPNFilter malware.

VPNFilter is multi-stage malware that targets home routers, small offices, and NAS devices.

At the time of writing this report, it had compromised around 500.000 devices worldwide, thus creating a huge anonymization network for its creators.

Just like what happened with Mirai, VPNFilter malware is expected to be replicated, like so many attacks and vulnerabilities related to router and IoT devices throughout 2018.”

And on page 47: “On the other side, the increase in the number of interconnected services globally and their reliance on IoT to run and facilitate those services have raised concerns about threats such as DoS attacks, which can potentially cause damage on a national scale to Critical Companies and Infrastructures.

An example of such services are connected hospitals and connected services. However, despite ongoing mitigation and prevention efforts around the world, research shows the number of DDoS activities increasing (+16%).”

Definitely, “The uncertainty on the successful implementation of information security and quality standards will continue, especially due to the emergence of the IoT that connects cyber and physical spaces. Threat landscape emerging from supply chain attacks is a major concern for cybersecurity, especially for low-cost devices.”

AI (Artificial Intelligence) for security and the AI+IoT combination

AI (Artificial Intelligence) is seen as an indispensable tool for protection and for keeping abreast of threats and vulnerabilities (which in turn see the use of AI tools for their research and development). In 2018 ENISA released an intelligent search engine for information security called Open-CSAM: a tool developed for the continuous monitoring of sources, highlighting trends and news regarding cybersecurity threats, using artificial intelligence (AI).

Vulnerabilities introduced by emerging technologies, such as Artificial Intelligence (AI) and the Internet of Things (IoT), also generate interest from governments in supporting cyber espionage through their exploitation.

A recent report revealed a letter from the Israeli government targeted at US-based exploit developers, who were asking about “Advanced Vulnerabilities R&D and zero-day exploits across a broad range of target platforms and technologies to enable use by law enforcement and security agencies.”