Saturday, September 2, 2023

A Chronological Overview Of Cyberattacks On ICS/Critical Infrastructure

As the political environment in the United States worsens, and as next year's trials and Presidential election unfold, cybersecurity will once again move to the forefront.

There will of course be the familiar fears of Chinese and Russian interference, but the newer fear is of attacks on our Critical Infrastructure. This is something I have written about before, and have even written articles on.

We have already seen such attacks take place, the most famous example being the Colonial Pipeline incident of 2021, a ransomware attack on the company's IT systems that led it to halt pipeline operations. In attacks aimed at the operational side, the attacker's ultimate goal is one thing: gaining access to the Industrial Control Systems, or "ICS" for short. You may be wondering what exactly that is. It can be defined as follows:

“Industrial control system (ICS) is a collective term used to describe different types of control systems and associated instrumentation, which include the devices, systems, networks, and controls used to operate and/or automate industrial processes.”

(SOURCE:  https://www.trendmicro.com/vinfo/us/security/definition/industrial-control-system)

So as you can see, it is not one system or component but many working together, which is what makes, for example, the water supply abundant and immediately available when you turn on the faucet. What makes these systems so exposed is that they are all interconnected.

So if one component is compromised, the effect can cascade to the others, potentially shutting the whole process down.

Unlike IT assets, which can readily be segmented into different zones, ICS are hard to segment in practice. Much of the technology is decades old (programmable logic controllers date back to the late 1960s), the legacy protocols such as Modbus carry no authentication, and devices often cannot be patched or taken offline without halting the process. Zoning the control network (the zones-and-conduits model of IEC 62443) is the standard mitigation, but it has to be retrofitted onto systems that were never designed for it. Attacks on ICS are nothing new, as the following chronology demonstrates:

1)     Stuxnet (2010):

This is probably the most discussed attack on an ICS. It is widely attributed not to criminal attackers but to the United States (reportedly together with Israel). It targeted the Siemens PLCs driving the uranium-enrichment centrifuges at Iran's Natanz facility, in an effort to set back the country's nuclear program.

More details on it can be seen at the link below:

https://www.darkreading.com/vulnerabilities-threats/10-years-since-stuxnet-is-your-operational-technology-safe-

2)     Havex (2014):

This was a real-world espionage campaign in which the attackers used several vectors: phishing emails, and watering-hole attacks in which the websites of ICS software vendors were compromised so that legitimate installers and updates were replaced with trojanized versions that were hard to tell apart from the originals. Once downloaded and installed, the Havex remote access trojan used the OPC protocol to enumerate the ICS devices on the victim's network and reported what it found back to the attackers.

More details on it can be seen at the links below:

https://www.cisa.gov/news-events/ics-alerts/ics-alert-14-176-02a

https://archive.f-secure.com/weblog/archives/00002718.html

3)     BlackEnergy 2/3 (2014 to 2015):

In 2014 the US ICS-CERT reported that BlackEnergy had been found on HMI systems at American critical-infrastructure operators, spanning power generation and transmission, water treatment, and oil and gas pipelines. The same malware family was then used in the December 2015 attack on Ukraine's power grid. There the malware served only as the foothold: the attackers worked their way through the IT and OT networks by hand and ultimately opened breakers through the operators' own SCADA and HMI systems, leaving roughly 225,000 customers without power.

More details on it can be seen at the link below:

https://abcnews.go.com/us/trojan-horse-bug-lurking-vital-us-computers-2011/story?id=26737476

4)     Industroyer / CrashOverride (2016):

Used in the December 2016 attack on a transmission substation in Kyiv, this malware was built specifically to cause physical disruption to the targeted infrastructure. It was a step up from the previous three because it carried modules for the grid protocols themselves (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA) and could therefore issue commands to substation equipment directly, rather than through a hijacked operator workstation.

More details on it can be seen at the link below:

https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf

5)     Trisis/Triton (2017):

This attack differed from the others in that it targeted the Safety Instrumented System (Schneider Electric Triconex controllers at a petrochemical facility in the Middle East) rather than the process controls. The safety system is the last line of defence that brings a process to a safe state when something goes wrong; tampering with it creates the conditions for physical harm, which is why this was considered yet another escalation.

More details on it can be seen at the link below:

https://www.darkreading.com/vulnerabilities-threats/schneider-electric-triton-trisis-attack-used-0-day-flaw-in-its-safety-controller-system-and-a-rat

6)     Industroyer2 (2022):

Discovered in April 2022 and once again aimed at energy facilities in Ukraine, this variant was stripped down to a single protocol, IEC 60870-5-104, and was configured to repeatedly switch circuit breakers at specific substations open and closed. It was deployed alongside data-wiping malware intended to hinder recovery.

More details on it can be seen at the link below:

https://www.dragos.com/threats/the-2022-ics-ot-vulnerability-briefing-recap/

7)     Pipedream / Incontroller (2022):

Disclosed in April 2022, before it had been used against a victim, this is judged one of the most capable ICS attack toolkits seen so far. It is modular and can scan for, enumerate and manipulate a range of devices, including Schneider Electric and Omron PLCs, over protocols such as CODESYS, Modbus and OPC UA, which lets its operator move through a control network largely automatically.

More details on it can be seen at the link below:

https://www.dragos.com/threats/the-2022-ics-ot-vulnerability-briefing-recap/
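Industroyer/CrashOverride, Industroyer2 and Pipedream share one trait: they speak the control protocols themselves, so at the packet level their commands look like ordinary operator traffic and can only be told apart by their pattern. The script below is an added example and is not code from this post, from Dragos, or from any of the write-ups linked above. It parses Modbus/TCP "Write Single Coil" requests (function code 05) from a constructed capture and flags any coil whose state is flipped repeatedly within a short window, the breaker-toggling behaviour described for Industroyer2. Industroyer2 itself used IEC 60870-5-104 rather than Modbus; Modbus is used here because it is the simplest widely deployed control protocol and is among those Pipedream's tooling targets. The capture, IP addresses, unit and coil numbers, thresholds and field names are all assumptions made for the illustration.

```python
"""Flag rapid breaker-style toggling in Modbus/TCP control traffic.

Added example, not from the original post. The capture below is constructed;
addresses, unit ids, coil numbers and thresholds are assumptions.
"""
import struct
from collections import defaultdict, deque
from dataclasses import dataclass

FC_WRITE_SINGLE_COIL = 0x05
COIL_ON, COIL_OFF = 0xFF00, 0x0000   # the only legal values for function code 05


@dataclass(frozen=True)
class CoilWrite:
    ts: float    # timestamp of the frame, seconds since the epoch
    src: str     # IP address of the Modbus client that sent it
    unit: int    # Modbus unit identifier (the addressed device)
    coil: int    # coil (discrete output) address, e.g. a breaker trip/close relay
    on: bool     # True for 0xFF00 (energise), False for 0x0000 (de-energise)


def parse_modbus_tcp(ts, src, frame):
    """Parse one Modbus/TCP request (7-byte MBAP header followed by the PDU).

    Returns a CoilWrite for a Write Single Coil request, None for any other
    function code, and raises ValueError for a malformed frame.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(frame) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    if fc != FC_WRITE_SINGLE_COIL:
        return None
    if len(frame) != 12:
        raise ValueError("Write Single Coil request must be exactly 12 bytes")
    coil, value = struct.unpack(">HH", frame[8:12])
    if value not in (COIL_ON, COIL_OFF):
        raise ValueError(f"illegal coil value {value:#06x}")
    return CoilWrite(ts, src, unit, coil, value == COIL_ON)


def build_write_coil(tid, unit, coil, on):
    """Encode a Write Single Coil request; used here only to build the sample capture."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil, COIL_ON if on else COIL_OFF)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def detect_toggling(writes, window_s=10.0, min_flips=4):
    """Report each (unit, coil) whose state flips at least min_flips times
    inside a sliding window of window_s seconds.

    A genuine operator action is a single write, or at most a trip followed by
    a close; an automated on/off/on/off sequence is what this is meant to catch.
    """
    history = defaultdict(deque)   # (unit, coil) -> recent writes in time order
    worst = {}                     # (unit, coil) -> alert with the highest flip count
    for w in sorted(writes, key=lambda x: x.ts):
        key = (w.unit, w.coil)
        q = history[key]
        q.append(w)
        while w.ts - q[0].ts > window_s:   # drop writes that fell out of the window
            q.popleft()
        flips = sum(1 for a, b in zip(q, list(q)[1:]) if a.on != b.on)
        if flips >= min_flips and flips > worst.get(key, {}).get("flips", 0):
            worst[key] = {
                "unit": w.unit, "coil": w.coil, "flips": flips,
                "window_start": q[0].ts, "window_end": w.ts,
                "sources": sorted({x.src for x in q}),
            }
    return [worst[k] for k in sorted(worst)]


def analyze_capture(capture, **thresholds):
    """Run the parser over (ts, src, frame) tuples and return the toggling alerts."""
    writes = []
    for ts, src, frame in capture:
        w = parse_modbus_tcp(ts, src, frame)
        if w is not None:
            writes.append(w)
    return detect_toggling(writes, **thresholds)


# Constructed sample capture: one register read and one legitimate single
# operation from the HMI at 10.0.0.5, then six alternating writes to coil 3
# from a host that is not the HMI.
SAMPLE_CAPTURE = [
    (1000.0, "10.0.0.5", bytes.fromhex("0001000000060103000A0002")),  # FC 03 read, not a write
    (1001.0, "10.0.0.5", build_write_coil(2, 1, 7, True)),            # normal: one close command
]
for i in range(6):
    SAMPLE_CAPTURE.append((1010.0 + i, "10.0.0.99", build_write_coil(10 + i, 1, 3, i % 2 == 0)))

if __name__ == "__main__":
    for alert in analyze_capture(SAMPLE_CAPTURE):
        print(f"ALERT unit {alert['unit']} coil {alert['coil']}: {alert['flips']} flips "
              f"between {alert['window_start']} and {alert['window_end']} from {alert['sources']}")
```

Run against the constructed capture, the script reports one alert: unit 1, coil 3, five state flips between t=1010 and t=1015, all from 10.0.0.99. The single legitimate write to coil 7 and the register read produce nothing. In a real deployment the thresholds would be tuned to the process (a breaker that is legitimately cycled during testing needs a higher bar), and the source list is the first thing to check: a write to a protection relay from anything other than the engineering workstation or HMI is itself worth an alert regardless of the toggle count.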

My Thoughts On This:

So as you can see, the threats against ICS and Critical Infrastructure are getting far more sophisticated and covert, as the chronology above shows. The silver lining is that it does take time for a cyberattacker to mount a threat against an ICS. It is not the same as targeting IT or network infrastructure: the components are specialised and often outdated, and the target process and its protocols require careful study before anything can be done to them.

But even in this realm, the cyberattacker is about to catch up and take the lead. It is absolutely imperative that this does not happen, so that as a society we can mitigate the risk of anything drastic happening to our precious resources. Remember, their goal is not just to steal PII datasets, but to cause as much physical damage as possible.
