The challenge of APTs targeting Industrial Control Systems continues to evolve and escalate. It is true that a number of the ICS-specific attacks in the years immediately following Stuxnet (e.g. Duqu, Flame, Shamoon) are not especially interesting, being either derivatives of Stuxnet or reliant on more general, IT-centric exploits. However, 2014 was a milestone year in that we saw two APTs that uniquely expanded on the initial methods used by Stuxnet: Energetic Bear/Dragonfly (Havex) and Sandworm (the BlackEnergy campaign).
The most recent campaigns from these APTs have raised the bar in terms of “craftiness,” with techniques combining more sophisticated social engineering, ICS protocol exploits, and exploits against automation-specific HMI software. In the case of the APT attack on the German steel mill, also disclosed in 2014, we are reminded of the potentially destructive cyberphysical effects that can occur when ICS systems are breached. (In this case, the destruction of a blast furnace.)
The “people, process, technology” discussion around security is very relevant here. As always, the human element involved in social engineering is a particularly difficult challenge. Most advanced attacks will employ some form of social engineering. Education goes a long way toward mitigating the issue, but motivated attackers will always find a way to trick a targeted individual into opening the malicious email attachment, loading an infected file from the free USB thumb drive, or visiting a seemingly innocent website hosting drive-by malware, unknowingly initiating the APT attack.
On the technology front, these attacks by well-resourced actors such as nation states and cybercriminal organizations typically use both known attacks and zero-day exploits and/or malware that conventional methods can neither detect nor prevent. Combine social engineering with zero-days, and you have a very effective methodology for establishing a beachhead for an ICS attack, whether the initial foothold is on the IT side of the house or directly on the OT side.
Is APT Prevention a Holy Grail?
Many organizations assume they will be breached, and think preventing advanced attacks is not feasible. Hence, they try their best to isolate the SCADA/ICS network and stop known threats. Capabilities to stop more advanced threats are typically non-existent, or are only just starting to be deployed by some more forward-thinking organizations. Considering the high costs to organizations that are breached, and the people and safety concerns associated with cyberphysical processes going awry in critical infrastructure, an inability to stop advanced threats should be something asset owners take seriously and address.
At Palo Alto Networks we believe that preventing attacks from APTs is possible. No security solution is ever 100% effective, but we have a strong platform that makes it extremely hard for the bad guys, even the very sophisticated ones behind APTs, to successfully implement their attacks. It is based on a platform approach that combines the power of the next-generation firewall, our threat intelligence cloud and advanced endpoint protection to prevent attacks and provide increased automation of security functions while providing correlated threat intelligence and logs.
Get up to Speed on APTs in ICS
We take a closer look at APTs in ICS, and at methods for protecting your organization against them using a platform approach, in an upcoming webinar co-hosted by Mike Assante, Director of ICS at the SANS Institute, and me. Join us on Wednesday, July 22, to learn more about:
- The evolution of APTs in ICS, from the original Stuxnet to the recent BlackEnergy campaign
- The model of the APT attack lifecycle with a focus on the different phases and associated “kill points” which are critical to understand from a defensive standpoint
- Best practices and technologies that help organizations better protect themselves from such attacks, particularly those using zero-day techniques
Register for the webinar at this link. Thanks, and we hope to see you there!