The control system kill chain: understanding external ICS cyber threats — Part 2

Greater connectivity between industrial control systems, business IT systems and the internet promises to provide great advances in industrial efficiency — but comes with greater cybersecurity risk.

In Part 1 of this article reviewing some of the currently published literature on the subject of ICS cyber threats, the types of advanced threats to Australian industrial businesses were reviewed and explored in the light of current industry trends, and the concept of the intrusion kill chain was introduced.

The intrusion kill chain

To recap, it is important to understand in a general sense the process an adversary may take to achieve their goal. In Part 1, the military concept of a kill chain was defined as follows¹:

“A kill chain is a systematic process to target and engage an adversary to create desired effects. US military targeting doctrine defines the steps of this process as find, fix, track, target, engage, assess (F2T2EA): find adversary targets suitable for engagement; fix their location; track and observe; target with suitable weapon or asset to create desired effects; engage adversary; assess effects…”

The reason it is called a chain is because it is an end-to-end process — a failure at any point in the chain interrupts the process. Hutchins et al (2010)¹ proposed a six-step kill chain model specifically for explaining the methodology for cyber intrusions, defined as reconnaissance, weaponisation, delivery, exploitation, installation, command and control (C2), and actions on objectives:

• Reconnaissance: At this point the intruder is researching, identifying and selecting targets. The steps involved can be relatively difficult to detect because they may involve steps as simple as crawling websites, mailing lists, forms and blogs, or exploiting social relationships and researching relevant technologies.
• Weaponisation: Today this often involves developing a remote-access bot to be delivered as a payload via some tool. The tool for delivery (the weaponiser) may be as simple as a PDF, a Word document or malicious code behind a URL link.
• Delivery: This is the delivery of the ‘weapon’ to the target environment. Currently the three most common forms of delivery are email attachments, website links and USB removable media.
• Exploitation and installation: After the weapon has been delivered, its code is triggered. It may exploit a target system vulnerability or simply deploy itself and connect back to the adversary for further commands, allowing the adversary to establish a presence inside the target environment.
• Command and control (C2): Once the adversary has established a presence, they can exploit the remote access they have given themselves. They then have effective ‘control’.
• Actions on objectives: Once this step has been reached, the adversary can now take action on their original objectives. In most cases this involves covert data exfiltration (theft), but may alternatively simply as act as a hop to compromise other systems laterally inside the network or through to a partner network.

The ICS kill chain

The aforementioned intrusion kill chain is a theoretical model used by IT cybersecurity experts to model the general process of IT infrastructure intrusion by a cyber adversary. Understanding the process that an advanced cyber adversary may take to effect an intrusion allows cybersecurity experts to evaluate the necessary response depending on where the intruder is in the chain when the breach is discovered.

In its paper The Industrial Control System Cyber Kill Chain, the SANS Institute² describes the above model as not directly applicable to ICS cyber attacks, but is it useful as a foundation to understand the process. The authors recommend a two-stage model — the first stage being the cyber espionage step, which is modelled very closely on the Lockheed Martin model. Stage 2 is the process for an actual attack on an ICS. The reason for this is the inherently greater difficulty for the adversary in accomplishing an ICS breach (if the ICS is well designed).

“The authors believe ICS networks are more defensible than enterprise information technology (IT) systems. By understanding the inherent advantages of well-architected ICS networks and by understanding adversary attack campaigns against ICS, security personnel can see how defense is doable.”²

The problem for the cyber adversary, in relation to attacking an ICS with significant effect, is that they must become well versed in the process being automated and the engineering design of the ICS and safety system. This is necessary in order to have a predictable and controllable effect on the target system. They also need to become familiar with the specific hardware and software technologies being used. This gives defenders more time to study and predict the nature of the attack:

“The multiple stages, or exaggerated kill chain, provide additional opportunities for defenders to increase the adversary’s cost of an attack and to position themselves to detect and disrupt attackers before they reach their goal.”²

Where this assumption of lower vulnerability breaks down is in systems where the ICS has some form of remote access or internet connectivity independent of the organisation’s IT infrastructure. These are historically not generally as well protected as those that go through various other protective mechanisms when traversing via the IT network and internal firewalls. Backup connections to remote SCADA sites have been known to have been exploited in the past, for example. Plant wireless networks that are not well secured may also be a potential attack vector in some cases.

Stage 1 — intrusion

Similar in form to Lockheed Martin’s Cyber Kill Chain model, stage 1 of an ICS attack involves a cyber espionage intrusion to gain information about the ICS (see Figure 1).

The planning phase involves mostly passive reconnaissance, also known as ‘footprinting’. The techniques used involve taking advantage of the large amounts of information that can be found via the internet and other sources (including social engineering) to build up information about the target organisation. The information your company makes publicly available about itself, both deliberately and inadvertently, can often be a rich source of (at least initial) information for further investigation. Hiding within the noise of common internet activity, attackers can map the target’s network entry points, patterns of activity, protocols used, etc.

The preparation phase involves weaponising and targeting, usually involving the development of a remote-access bot or some other form of code to be delivered as a payload via some tool. The tool for delivery (the weaponiser) may be as simple as a PDF, a Word document or malicious code behind a URL link. Delivery may be in the usual ways, via phishing emails and USB devices, but if the preparation phase has revealed excessive information, an attacker may be able to compromise a VPN or gain entry via a partner network (supply chain, vendor, etc) that has previously been compromised. If direct entry has been achieved, weaponisation may not be necessary. In any case, the preparation phase mainly involves preparing the weapon and identifying the target to be exploited to deliver the weapon.

Figure 1: Stage 1 cyber intrusion preparation and execution. Source: SANS Institute².

The cyber intrusion phase involves the actual delivery of the software weapon, if necessary, by one of the well-known mechanisms. The weapon is then utilised in the ‘exploit’ step to perform initial malicious actions, such as deployment of the code. For example, an employee opens a compromised PDF document, which initiates the exploit. The exploit itself may install a malware bot or remote-access Trojan, or may take advantage of operating system scripting capabilities such as PowerShell. While antivirus and malware detection are important, the following points should be remembered:

• A high-level adversary specifically targeting an organisation may create new code not known to antivirus software.
• Defenders should not assume that malware is the only way it can be done, and that inherent operating system capabilities can also be directly exploited.
• More than one intrusion path may be developed over time to reduce the risk to the adversary, should one path be detected and closed down.

Once the intrusion has been established, the adversary now has the opportunity to command and control, using a deployed agent or via compromised direct access. This does not always imply two-way real-time communication, but can be a slow step-by-step one way communication ‘from the inside out’, hiding in normal internet traffic.

The final stage is open-ended. Once command and control has been achieved, an attacker has the freedom to perform any number of acts. If they are a skilled adversary, they will be very careful to attempt not to be discovered and hide their tracks.

So far, this first stage has involved IT system cyber espionage. However, once a covert presence is established — and while it remains undetected — the intruder enjoys ample opportunity to perform espionage and traverse the network at will, including using it as a launching point to attack other networks.

Stage 2 — attacking the ICS

As stated above, in most cases it is not really feasible for a cyber attacker to skilfully attack an ICS without site- and equipment-specific knowledge, making industrial control systems inherently more defensible if designed well.

They also need to be very careful not to unintentionally initiate an attack when they are only at the information gathering stage, as it may have unforeseen consequences. The SANS Institute uses the following example:

“For example, an attempt to actively discover hosts on an ICS network may disrupt necessary communications or cause communication cards to fail. Simple interactions with ICS applications and infrastructure elements may result in unintentional outcomes.”²

For this reason, the stage 2 process is considerably different from stage 1 (see Figure 2).

Figure 2: Stage 2 ICS attack development and execution. Source: SANS Institute².

It would be a very foolish attacker that would just dive in and attack an ICS and expect not to be detected. This is why stage 2 begins with a development step, to develop a capability specifically targeted at the specific ICS in question. This will involve data collected in stage 1, and there will therefore be generally a long delay between stage 1 and any explicit action occurring in stage 2.

The obvious benefit for defenders here is that if the intruder has been detected in stage 1, there should be ample opportunity to take actions to defend against stage 2 — either by eliminating the initial intrusion (removing the adversary’s control) or by studying the adversary’s actions in order to ‘track them down’ and take some other form of retaliatory action through law enforcement or other actions.

The validation step for the adversary will involve testing their attack capability against an offline test system, as it would be foolhardy to test on the real target. Even network scanning needs to be tested against an equivalently configured test system before attempting it on the target.

In order to validate, an advanced adversary will need to acquire equivalent technology as the target system — physical hardware and software components — in order to test properly. It may be possible, through government agencies, to determine if unusual automation system purchases are being made, especially if information about the attacker is discovered in stage 1.

The ultimate end goal — the actual cyber attack — will only be possible after the above steps have occurred. In this step the adversary will deliver and install the capability developed in the development and testing phases, which will allow them to modify existing control system functionality and execute an actual attack. It may involve triggering conditions to manipulate the process, changing process set points and spoofing state information to fool plant operators.

Conclusion

Obviously, the end goal of a sophisticated external cyber attack on an industrial control system could be devastating and potentially terrifying. It should be clear from the above that while many in industry are concerned that this may occur, it is nevertheless the domain of well-equipped and sophisticated adversaries.

Because the attacker ultimately needs to be able to manipulate the process (except for the option of simple disruption through a denial-of-service attack), the attacker’s goal is significantly difficult to achieve if the system is well designed.

The current trend towards implementing the interconnection of industrial control systems with business IT systems and the internet, along with cloud services and remote access, creates cybersecurity challenges for businesses — particularly for those industries of national interest that may be more likely to be targets for sophisticated attackers. In a rapidly changing and more unstable world, with an increasing speed of technological development, it is necessary for industrial organisations to look to making sure that network designs — both OT and IT — fully take into account the threats and risks that greater connectivity implies, and that companies at the highest levels of management acknowledge the risk and invest in the appropriate skills and technology to protect their businesses.

References:

1. Hutchins EM, Cloppert MJ & Amin RH 2010, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Proc 6th Int’l Conf. Information Warfare and Security (ICIW 11), Academic Conferences and Publishing Ltd 2011, pp 113–125.
2. Assante MJ & Lee RM 2015, The Industrial Control System Cyber Kill Chain, SANS Institute.

Glenn Johnson is the editor of What's New in Process Technology magazine and a freelance writer.

Image credit: ©stock.adobe.com/au/Jürgen Fälchle