ICS MITRE ATT&CK Technique


ABOUT DTS SOLUTION

Securing OT and ICS environments has always been a priority for DTS Solution. We have performed OT cyber security risk assessments and built cyber security management systems (CSMS) for major enterprises operating OT facilities across the region. There is not a single industry in which OT plays a major role that DTS has not assessed: airports, nuclear, petrochemical, power generation and transmission, water desalination, manufacturing, agriculture, oil and gas, and even maritime and marine, and the list continues to grow. As we continue our mission of helping customers secure their environments, the importance of OT cyber security in such a connected world is clear to see.

Traditional OT OEM vendors are now also challenging this exact tradition by introducing virtualization and micro-services into the OT environment, introducing remote diagnostic services to monitor the OT environment and perform preventive maintenance remotely, deploying functional services that are not plant-critical into the cloud, and so on. Digital transformation in IT has already started, and the pace is clearly gathering for the OT environment.

In this series of blogs, we will introduce the importance of OT cyber security and how the MITRE ATT&CK framework can support cyber-threat management.


Introduction

ICS/OT networks continue to be targeted by cyber-attacks, as the stakes are higher and the damage is greater than for enterprise networks. MITRE has recently published its first ICS ATT&CK framework, which highlights the differences between ICS/OT and IT networks in terms of the attack tactics and techniques used by adversaries. The publication of the framework recognizes the growing concern over cyber threats to OT environments. MITRE ATT&CK is a global knowledge base that can be easily accessed by organizations and individuals.


The Purdue Model

Despite the OT environment's heavy dependence on IT infrastructure and network components (predominantly from Level 3.5 down to Level 2), MITRE Enterprise ATT&CK techniques will not yield significant results when applied to OT networks; the OT environment must be viewed from a different perspective.

To understand how the ICS MITRE ATT&CK framework works, you need to understand how the ICS/OT network is designed and segmented to ensure a secure network. The Purdue model is a good starting point for how to design and segment the OT network.

The Purdue model segregates the ICS/OT network into levels, from Level 0 up to Level 5, depending on the function of each device on the network and its level. A typical example of the Purdue model is illustrated below:


  • Level 0: Basic control, such as sensors, actuators, pumps and valves in the field, mostly hard-wired field devices
  • Level 1: DCS controllers and PLCs
  • Level 2: Engineering Workstations (EWS) and HMIs
  • Level 3: ICS management applications, OPC servers, historians
  • Level 3.5: Patch management, Windows system updates and anti-virus servers
  • Level 4: Business network, business intelligence
  • Level 5: Internet edge

An Example of the Purdue Model

The Purdue Model – Security Zoning and Conduits


It is also worth mentioning that many existing OT environments were not built with security in mind, which makes them very vulnerable to cyber-attack. Each level of the network within the Purdue model poses a cyber-threat if not properly secured.

The Purdue model ensures a secure network architecture by defining security zones and isolating networks, or creating segments, based on the industrial process and its criticality in terms of safety and functionality, thereby minimizing cyber risk should an attack occur at the business network or within the plant itself.



ICS MITRE ATT&CK

Segregating and segmenting the OT network as per the Purdue model highlighted above gives a pictorial architectural representation of the network. Introducing security zones and conduits ensures that the Purdue model also follows “restriction of data flow”, a key requirement in implementing security assurance levels in an OT environment.

The ICS MITRE ATT&CK framework provides a detailed outlook in terms of the attack tactics and techniques used by adversaries targeting ICS environments. Malware targeting ICS environments generally follows a unique set of tactics and techniques, as it is designed to target OT environments that have very specific characteristics.

For ICS environments, the ICS MITRE ATT&CK framework is a breakthrough: ICS security vendors, practitioners and consultants now have a framework to use when analyzing ICS-targeted cyber-attacks. The framework has many benefits: it can be used to reverse engineer the exact tactics and techniques used by malware to impact industrial facilities, and it can be used to design ICS environments and networks with countermeasures against these techniques.

Securing the attack surface within the ICS environment using various hardening techniques will ensure defense-in-depth security. The ICS MITRE ATT&CK framework defines eleven tactics describing how an adversary could attack an OT network:

  1. Initial Access: The attacker establishes a foothold on the ICS network.
  2. Execution: The attacker executes code on the network.
  3. Persistence: The attacker maintains their foothold on the network.
  4. Evasion: The attacker remains hidden in the network and avoids being detected.
  5. Discovery: The attacker uses techniques to survey the ICS network.
  6. Lateral Movement: The attacker uses techniques to enter and control the network.
  7. Collection: The attacker collects information about the ICS system that will aid in launching an attack.
  8. Command and Control: The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment.
  9. Inhibit Response Function: The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.
  10. Impair Process Control: The adversary is trying to manipulate, disable, or damage physical control processes.
  11. Impact: The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment.

Leverage ICS MITRE ATT&CK Model to Improve Cyber Defense

DTS Solution has used the ICS MITRE ATT&CK model to solve various problem statements at customer sites, some of which are listed below:

  • Identification of technical gaps in ICS cyber security controls and creation of defensive strategies to identify attacks during each phase of the attack lifecycle (the tactics in ICS MITRE ATT&CK)
  • Development of effective ICS/OT monitoring use cases for the SOC / SIEM, ensuring that specific security events mapped to ICS MITRE ATT&CK techniques trigger an alert
  • Development of effective ICS threat intelligence and ICS incident triage and response activities by understanding how malware compromise occurs and its lifecycle
  • Training field and OT workers and site operators to understand ICS threat behaviors
  • Helping your red, blue and purple teams perform adversary emulation, testing security controls and defenses in an OT testbed if you have one
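As an added illustration of two points above, the “restriction of data flow” that zones and conduits impose on the Purdue model, and a SOC / SIEM use case that tags events with the tactic they resemble, the following Python is example code written for this page and is not DTS Solution's own tooling. The asset inventory, the adjacent-levels conduit policy, the tactic mapping heuristic and the firewall records are all constructed assumptions.

```python
# Purdue levels from the post; 3.5 is the DMZ between IT (4-5) and OT (0-3).
LEVELS = [0, 1, 2, 3, 3.5, 4, 5]

# Constructed asset inventory: hostname -> Purdue level (assumption).
LEVEL_OF_HOST = {"plc-07": 1, "ews-01": 2, "hist-01": 3,
                 "wsus-01": 3.5, "erp-app": 4, "inet-gw": 5}

def conduit_allowed(src_level, dst_level):
    """Policy assumption: a conduit may only join adjacent Purdue levels,
    so every flow crosses at most one zone boundary."""
    return abs(LEVELS.index(src_level) - LEVELS.index(dst_level)) <= 1

def tactic_for(src_level, dst_level):
    """Heuristic: name the ICS ATT&CK tactic a forbidden flow resembles."""
    if src_level >= 4 and dst_level <= 3:
        return "Initial Access"       # IT host reaching into the OT zone
    if src_level <= 3 and dst_level >= 4:
        return "Command and Control"  # OT host talking out towards IT/Internet
    return "Lateral Movement"         # skipping a zone inside OT (or inside IT)

def parse_flow(line):
    """Parse one 'key=value key=value' firewall record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def check_flows(lines):
    """Return one finding per flow that violates the conduit policy."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        src, dst = LEVEL_OF_HOST[flow["src"]], LEVEL_OF_HOST[flow["dst"]]
        if not conduit_allowed(src, dst):
            findings.append({"src": flow["src"], "dst": flow["dst"],
                             "dport": flow["dport"],
                             "tactic": tactic_for(src, dst)})
    return findings

# Constructed sample firewall records (not real logs).
SAMPLE_FLOWS = [
    "src=ews-01 dst=plc-07 dport=502",     # L2 -> L1: allowed conduit
    "src=hist-01 dst=wsus-01 dport=8530",  # L3 -> L3.5: allowed conduit
    "src=erp-app dst=plc-07 dport=502",    # L4 -> L1: violation
    "src=hist-01 dst=inet-gw dport=443",   # L3 -> L5: violation
    "src=wsus-01 dst=plc-07 dport=44818",  # L3.5 -> L1: violation
]

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(finding)
```

Running it reports the three flows that skip a Purdue boundary, each tagged with the tactic it resembles; the same check can be expressed as a SIEM correlation rule over real firewall logs once the inventory is replaced with the site's own zone assignments.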

An example of a real-world cyber-attack scenario is shown below, where each technique is executed across the different stages / tactics of the cyber-attack lifecycle to eventually cause business loss or damage.


OT ICS MITRE ATT&CK MODEL - SAMPLE ADVERSARY SIMULATION


Conclusion

It is extremely practical for organizations to use the ICS MITRE ATT&CK framework to design and build a secure OT network. The framework is a good starting point when conducting a cyber risk assessment to identify gaps in defense, prevention and monitoring controls, when reverse engineering and analyzing the attack surface, and when doing OT incident response.

Several recent ICS cyber-attack malware families were analyzed using this framework to provide context on how each functions and what tactics and techniques it uses to infiltrate and damage industrial facilities, giving great insight into what was unknown before.

It is vital for international standards, security vendors, and consulting and advisory firms that regulate ICS cyber security to adopt such a framework to improve the overall cyber security posture.