Energy Sector Critical Infrastructure: The Enemy Perspective
May 07, 2020
As the world population continues to expand, and energy demands continue to increase, our energy infrastructure continues to age. Last week, the President of the United States declared a National Emergency, noting that “foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system.” But this threat is nothing new.
In 2005, the IEEE noted that “the occurrence of several cascading failures in the past 40 years has helped focus attention on the need to understand the complex phenomena associated with these interconnected systems and to develop defense plans to protect the network against extreme contingencies caused by natural disasters, equipment failures, human errors, or deliberate sabotage and attacks.”
In a report to the Senate Select Committee on Intelligence in 2019, the Director of National Intelligence noted that both China and Russia currently have the ability to “execute cyber-attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure” and Russia is “mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”
Over these past two decades, Information Security systems and programs matured dramatically. Secure development processes were implemented and have continued to evolve. Hardware and software technology matured. And yet, here we stand, staring into the face of the ever-present enemy.
The challenges facing the energy sector are vast. The need for always-available power distribution makes testing, repairing and upgrading incredibly difficult. Much of the equipment used in this sector is dangerous and requires particular skills to operate, largely because the equipment is specialized. It is generally expensive, difficult to replace, and for most organizations, building complex test networks that replicate production is seldom in the budget. Information technology has entered into the Operational Technology (OT) and Industrial Control System (ICS) space and exposed new attack paths, surfaces and security complexities – all while razor thin margins limit spending.
Because of this, the mantra “if it’s not broke, don’t fix it” rings true throughout this sector. The industry struggles to take advantage of the technology and security necessary to keep ahead of attackers. Regulations are intense and profit demands drive decision making. This results in piecemeal solutions, disjointed infrastructure and security deficiencies that create opportunities for patient, advanced threat actors with a focused agenda to perform network, device, social engineering and physical security attacks. For example, consider the hotly debated 2018 SuperMicro motherboard malicious chip installation attack. While disputed, it presents a scenario that demonstrates what this national emergency is seeking to defend against.
For threat actors, breaking into an OT environment often requires a higher level of patience and attack sophistication. While the attack chains themselves are often quite simple, the network, hardware and protocol technology of OT networks create unique challenges. Advanced attackers often partner with control system experts to gain context for the infrastructure they’ve found themselves in. Their approach is time-consuming; it can often take months or years to understand a facility’s operations and determine potential weak points. They work to develop caches of backdoors and monitoring nodes, playing the long game and gathering as much intelligence and access as possible.
This white paper discusses how threat actors go about the business of attacking critical infrastructure, the types of systems they target and how they achieve success. By putting a spotlight to these tactics Optiv hopes to help organizations prepare for and respond to attacks.
In this paper, we’ll explore network, human, OT and ICS product and physical security attacks from the perspective of the enemy.
Threat Actors Meet OT Networks
Optiv’s experience delivering adversarial emulation exercises against OT systems and networks exposes vulnerabilities in these environments from a variety of attack vectors, ranging from general flaws observed in many corporate networks to those that only apply to OT environments and devices. As OT environments become centrally connected through IP-based networking, the attack surface expands. Securing these environments from attackers becomes increasingly challenging. When targeting these environments, attackers use some or all of the following vectors.
While spear phishing is a concern for any enterprise security team, phishing attacks targeting operators or other OT personnel can be more damaging than a broad phishing campaign targeting the corporate user community. This is due both to high-value target employees with minimal security awareness training and the sensitivity of the systems that are presented in OT/ICS environments.
During a recent client engagement, Optiv executed a spear phishing campaign against a group of industrial machinery operators. After gaining access to a user’s workstation, Optiv noted that the user was connected to a VPN which granted full access to the Human-Machine Interface (HMI), a control system used to control all pumps and valves within an industrial network.
While broad phishing campaigns are still relatively common, targeted campaigns with a message tailored to an individual or a small group are typically more successful and less likely to be detected.
User security awareness and enforcement of the corporate password policy is an ongoing struggle for any security program. Default accounts and bad password hygiene are systemic issues across an OT environment, allowing attackers easy access to sensitive resources. This behavior results in distributed account management where passwords are locally managed, reused or shared across multiple resources and users. Many of these devices do not support centralized password management.
Optiv recently obtained access to the administrative interface of an HMI with a weak password (like “password,” which happens frequently). This portion of the HMI allowed for threshold values of pumps and pressure gauges to be adjusted. Optiv further observed this administrative account was shared by every operator at the site. Due to the isolated account management of the HMI, implementation of multi-factor authentication and enforcement of the corporate password policy was not possible.
Authentication interfaces and associated passwords are a critical line of defense against the attacker, especially when protecting access to OT assets or environments.
OT environments should be isolated from a network design standpoint. This is a good idea both for security reasons and as a design feature to provide maximum reliability. If attackers compromise the broader corporate network, they should not be able to directly access OT resources. OT environments should be fully isolated, and access to them should be provided through a “Jump Device,” or an intermediate device that acts as a gatekeeper to the OT environment, which is configured with limited permissions and multi-factor authentication. Airgaps are an even more effective security control, but they are very difficult to implement with the modern requirements of remote access and centralized monitoring.
These controls have limitations too. As previously discussed, an attacker can leverage a legitimate user connection into the OT environment to breach segmentation controls. That makes the security of the corporate network a critical component of a defense-in-depth strategy for defending OT networks as well.
In addition to being isolated from the corporate network, OT environments should be isolated from each other. Many common industrial protocols require interconnectivity between individual devices in a “mesh” or similar network topology, meaning that it can be difficult to restrict communication between various sites. This often leads to a flat network topology being used for the purposes of functionality. An attacker who compromises a single point within a flat network can communicate with all other devices and potentially intercept or modify traffic promiscuously, posing a continuity or security risk to the entire environment.
Vendor and Software Limitations
Patchwork OT networks filled with aging legacy devices are common in utility companies and the necessity of supporting antiquated communication protocols leaves these organizations with very few upgrade options. These highly specialized environments often have limited software and product vendor options. As a result, establishing interoperability with new software or devices without harming critical infrastructure is an intractable challenge.
Support for legacy protocols, such as Modbus or OPC, presents a significant risk due to sparse support for built-in authentication or encryption. While it may be feasible to “wrap” these communications within an encrypted channel, legacy protocols do not always follow an open standard and support for these security improvements can be proprietary in nature and thus cost prohibitive.
Given that a typical environment can contain hundreds of Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs) or other ICS devices, it is unlikely that widespread support for modern protocols will exist. Even in cases where OT vendors employ modern security measures such as replay protection or checksum verification within data packets, the lack of vendor interoperability can mean that organizations must continue using legacy devices often no longer supported by their original manufacturers. This lack of security update and product support is a reality that leaves many organizations in a state of perpetual risk.
Lack of Monitoring and Intrusion Prevention
Among the more frustrating factors that aids in an attacker’s advantage is the level of difficulty associated with monitoring and prevention. Industrial devices such as PLCs and RTUs often use embedded operating systems with limited capabilities for endpoint protection software. While upstream devices such as PLCs, RTUs or HMIs, as described above, may run traditional operating systems such as Microsoft Windows, resource constraints and operating system versions may prevent security software from fully protecting the host from threats.
On a network level, centralized logging and monitoring can be difficult to implement due to limited bandwidth at substations or outdated networking devices which do not support monitoring. These challenges allow an attacker to compromise hosts within the industrial network without being detected or prevented by endpoint security software, increasing dwell time and making incident response difficult.
Simple Devices Meet Complex Attackers
The methods discussed to this point describe tried and true tactics that attackers can leverage against a variety of targets, including the energy sector. There are, however, unique attack vectors associated with OT and ICS devices that are not always found on traditional IT assets. OT systems are designed with the end goal of performing mechanical and physical tasks, often with heavy machinery. This can result in safety concerns that are rarely of consequence in an IT context. By their very nature, OT systems diverge from traditional IT systems. With that divergence comes a unique attack surface for threat actors to explore.
Chip Level Vulnerabilities
Vulnerabilities in hardware can be among the more newsworthy issues when they become public. A frightening example of these are Spectre and Meltdown, the “unfixable” CPU bugs from early 2018 called that affected Intel, AMD, ARM-based and IBM processors. Because of how low-level these vulnerabilities were, it was necessary to develop software workarounds. Additionally, bugs in the Intel Converged Security and Management Engine (CSME) being reported so far this year will be similarly tricky to fix.
These issues are especially significant in OT and Industrial Internet of Things (IIOT) networks because devices are intended to remain deployed for years, if not decades. More importantly, the limited vendor pool means widespread adoption. It’s not unreasonable to assume a chipset vulnerability from a major manufacturer could be present in majority of the nation’s critical infrastructure. These devices are not typically Internet-facing and don’t get the attention of “Bug Bounty” programs. The people looking for this type of vulnerability are very well financed and dangerous.
Malicious firmware updates are another viable way that an attacker can take control of a device and turn it into an ongoing attack vector for an extended period. Traditional network and system detection techniques will often not work on specialized OT hardware. It’s imperative to investigate how devices receive firmware updates. Attackers can often load and execute their own unsigned firmware onto improperly secured devices. Unencrypted firmware updates, either recovered from over-the-air (OTA) updates or downloaded from the vendor, are a perfect avenue for a threat actor to start reversing software before even opening a device.
One example of the perils associated with firmware updates: Supermicro, a motherboard manufacturer, charged a $30 out-of-band license fee for their update fixing the Spectre and Meltdown vulnerabilities. In his blog, a security researcher who found the process burdensome even after paying the fee describes how he circumvented Supermicro’s vendor lock-in. By reverse-engineering the firmware and calculating the secret keys used to create a Supermicro license key he would be able to update the firmware on his device. While in this benign example a researcher circumvented a vendor’s process to address a vulnerability on his system, an attacker could similarly reverse-engineer, manipulate and publish dangerous firmware updates.
Failed Security Control Implementations
What if something that was supposed to be read-only was actually read-mostly, but if you really want to write that’s okay, too?
Attackers don’t follow the rules, so implementations of security controls need to do what they say 100% of the time. A recent blog post talks about Optiv’s experience where “memory read back protection” on NRF51 System-on-Chips (SoC) didn’t actually prevent memory read back. This kind of attack can impact security by permitting attackers to perform actions previously thought impossible or cause more significant upstream controls to fail. It’s very tough for manufacturers and customers to know what’s secure – data sheets don’t report what’s been successfully attacked.
Available Security Features Not Used
Just because something can be secure doesn’t mean it is. While simulating threat actor behaviors, Optiv has observed numerous products where available hardware security features such as secure boot, flash encryption and secure key storage weren’t being used. Similarly, software built with security controls such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and stack canaries can be disabled. These manufacturer-provided features are intended to thwart a variety of malicious activities. Some SoCs vendors provide new revisions of products with improved security when their controls don’t work the way they’re intended, but these are seldom applied to production OT environments.
Backward Compatibility / Interoperability Requirements
Continuing to support legacy protocols is often necessary for interoperability with older systems or systems outside of the organization. This can mean weaker, more easily attacked devices or in many cases a fallback to completely insecure/unencrypted behavior.
For example, the complexity of moving from the Inter-Control Center Communications Protocol (ICCP) to secure ICCP can include a myriad of problems. Installing the secure ICCP components on an existing ICCP server can cause the system to be broken and a fresh install required. Every device will require certificates, creating a noticeable workload – connecting 20 entities with four ICCP servers per entity would require approximately 240 certificates.
Plant Security and Line Operators meet the Modern Threat Actor
Physical security is often overlooked when an organization addresses their security posture. The attack vectors for the physical environment are less likely to be exploited and are much riskier to an attacker. However, gaps in physical security can lead to full compromise from a competent, capable and determined adversary.
Badge Exposure Policy
Organizations must consider the human aspect of security from both intentional and unintentional misuse perspectives. While the NIST standards define how to provide access to ICS/OT systems, it is an organizational responsibility to ensure that employees perform their duties with security in mind. It's not uncommon for employees to perform seemingly harmless actions such as going to lunch with exposed access control cards. The average person won't think anything of it. But to an attacker, they're the perfect target for off-site card cloning attacks. While these attacks can result in unauthorized physical access, the largest concern is that it occurred off-site and tracking down when and where it occurred could be impossible.
When discussing physical policies and procedures with our clients, there is often a common theme – they lack a well-defined badge exposure policy. It is recommended that all organizations implement an "Inside-Out & Outside-In" badge exposure policy.
- Deliver Security awareness training targeting non-technical personnel such as OT operators
- Inside-Out – enforce the above-the-waist display of access control cards while inside any corporate/protected facility.
- Outside-In – prohibit employees from exposing their access control cards outside their designated place of duty. This includes leaving the access cards in plain sight while inside employee vehicles (e.g., hanging from the rearview mirror). Signs can be attached to facility exits that remind employees to remove and store their access control card before exiting the facility. Additionally, photographing access control cards should be strictly prohibited.
Legacy Access Control Card Technology
Replacing legacy access control systems and issuing new cards is a costly and labor-intensive process. However, with readily available hardware and exhaustive amounts of publicly available research, attackers can assemble low-cost, long-range readers that can capture access control data. With the captured credential data, an attacker simply needs to make an aesthetically accurate replica of the compromised access control card that contains the captured data to facilitate unauthorized access. The techniques mentioned above rely on legacy card technology that lacks encryption or, in some cases, where the master keys have been leaked.
Spot check: If your access control system uses technology that was developed prior to 2011, review the installed technology and update accordingly. If your access control system uses technology developed in 2011 or later, ensure that legacy support is disabled.
Logical Segmentation of Physical Security Assets
OT/ICS systems are prioritized for protection and segmented segmented from the corporate user network. However, physical security assets are again often overlooked in this regard. A determined attacker would not need to target an organization's employees to gain physical access, but instead, focus efforts on obtaining a logical foothold and targeting the access control administration systems to gain full access. As such, video surveillance and access control systems should reside on a network that is isolated from all other corporate assets.
Physical Access to OT/ICS devices
Some OT/ICS systems rely on security through network air-gapping. Generally speaking, these devices do not need to be on the same IP network. An air-gapped system can go a long way to help network security, but it's only as strong as the physical security controls. Determined attackers can gain access to facilities and sensitive equipment with replicated badges. Once an attacker has gained physical access, many devices lack healthy security controls and contain out of date software and firmware. With physical access, OT/ICS devices and their associated networks can be compromised, and airgaps defeated.
Proactive vs. Reactive Monitoring
Whether your organization is in a proactive or reactive posture may determine the severity, impact and investigation of a real-world incident. Security cameras, anti-piggybacking sensors, and multi-factor access control systems are excellent investments. However, without active monitoring, organizations are often left trying to recreate possibilities that led to a compromise – the chances of tracking down the origin of an attack decreases over time. While real-time monitoring of access control and surveillance systems can come with a hefty cost, it provides the ability to respond to incidents as alerts are generated, which can be the difference between intervention or catastrophe.
Where to begin?While prevention and protection against the attack risks described in this document can take time and requires a comprehensive strategy, there are many low-cost / no-cost solutions that organizations can implement now to reduce their attack surface and the likelihood of a successful, undetected attack immediately.
- Deliver Security awareness training targeting non-technical personnel such as OT operators
- Inventory and Document existing OT devices and facilities
- Perform adversarial security testing at the device level
- Enforce a strict badge exposure policy
- Actively monitor surveillance systems and access control logs
- Isolate physical control systems from the corporate network
- Enforce segmentation controls between the corporate and OT environments, require MFA for access where possible
- Ensure OT environments follow the corporate security policy for centralized password management, strong password requirements and privilege delegation
- Ensure activity and authentication logs are pulled for critical OT management equipment and access terminals
- Focus on aligning your wellness strategy to the NERC CIP-002-5.1 & CIP-005-5 requirements