First steps in developing critical infrastructure defense methodology

A new knowledge base released by MITRE Corporation aims to help build knowledge of how to protect industrial control systems (ICS) against cybersecurity threats.

‘ATT&CK for ICS’ has been released at a time when critical infrastructure such as electricity distribution and water management systems has become a sensitive and valuable target for nation-state actors.

Just last week, ICS security firm Dragos released a report in which it detailed new malicious activities by Iranian hackers against critical US national infrastructure. According to the report, Iranian APTs have been trying to gain access to the US electricity grid.

ICS vulnerabilities can be extremely damaging because they enable hackers to manipulate the physical world. A stark example is the hacking of the Ukraine power grid in 2015, the suspected work of hackers with ties to Russia, which led to widespread power outages in the winter cold.

Another attack in late 2017, where Iran was a prime suspect, targeted the safety control systems of a Saudi oil facility.

“In the last few years, we’ve seen threats like Industroyer, that was used to attack Ukraine’s power grid; and Triton that was used to attack a petrochemical complex in Saudi Arabia,” Otis Alexander, lead cybersecurity engineer focusing on ICS cybersecurity at MITRE, told The Daily Swig.

“Events like these have led to growing interest in ICS security by cybersecurity professionals; vendors, including threat intelligence vendors; and throughout government.”

ATT&CK for ICS aims to establish guidelines and a common language to better understand, concentrate, and disseminate knowledge about the behavior of malicious actors in the ICS domain.

Building on previous efforts

ATT&CK for ICS builds on the success of MITRE’s original ATT&CK knowledge base, a matrix that maps adversary tactics and techniques (ATT) to specific threats.

The knowledge base enables security teams and threat hunters to better assess risks to organizations. It also assists post-compromise investigation by setting up a methodology for uncovering evidence to answer questions such as how the attackers got in, and how they’re moving around inside an organization’s network.

Since its release in 2015, ATT&CK has become very popular in the cybersecurity community. But the original ATT&CK focused on enterprise IT systems, which led MITRE to develop ATT&CK for ICS.

“ATT&CK for ICS has a primary focus on the actions that adversaries take against the non-IT based systems and functions of ICS,” Alexander explains in a blog post outlining the launch of ATT&CK for ICS.

ATT&CK for ICS zeroes in on threats to safety, control, and monitoring of physical assets, unlike its previous release, which helped deal with threats related to data destruction/manipulation, denial-of-service, and firmware corruption.

“This knowledge base is designed to support those who operate some of the nation’s most critical infrastructure – including energy transmission, oil refineries, and wastewater treatment facilities,” Alexander explained.

“ATT&CK for ICS builds on the MITRE ATT&CK base to systematically advance defensive capabilities and mitigate catastrophic failures that affect property or human life.”


Austin Scott, industrial penetration testing principal at Dragos, described ATT&CK for ICS as “the world's first encyclopedia of publicly-observed industrial adversary threat behaviors.”

“Before ATT&CK for ICS, you would have had to collect up all the public and non-public reports from numerous sources and create a dataset to understand the industrial adversary landscape,” Scott told The Daily Swig.

“Over the past two years, MITRE has worked behind the scenes to develop and carefully organize that dataset for the benefit of industrial network defenders everywhere.”

Scott also said that what makes the ATT&CK knowledge base uniquely important is its focus on threat behavior instead of indicators such as binary signatures and network addresses.

“It is trivial for an Activity Group to change out IP addresses, domain names, file hash values, and network artifacts.

“However, it is challenging to change Tactics, Techniques, and Procedures (TTPs) behind attacks,” he said.

“Changing TTPs requires investment in new technology and retraining, which is considerably more expensive and time-consuming than acquiring a new domain name.”

Room for improvement

Marina Krotofil, an experienced ICS security professional and one of several contributors to ATT&CK for ICS, told The Daily Swig in written comments: “MITRE had a very difficult task at hand, and they have done incredible work under the existing circumstances.”

Krotofil, who has been specializing in cyber-physical systems and ICS security for almost a decade, notes, however, that there’s also room for improvement.

Most techniques included in the current version of ATT&CK for ICS are from the cyber layer (e.g., blocking command/reporting messages, denial of service, program download, manipulating I/O images).

But these techniques do not lead to physical damage per se and need to be complemented with other techniques that relate to the control and physical layers of operational technology systems.


Examples of such techniques include reaction place shift, equipment wear, locking the system in stale data, taking advantage of skip frequencies and more – Krotofil has discussed these techniques extensively in a talk at the Kaspersky ICS conference in December 2019.

“To date, we have not accumulated enough systematic knowledge to have representative pools of techniques from physical and control layers and especially in designing defenses for these ATTs,” Krotofil said, adding that the discovery of ATTs and engineering defenses for physical and control layers are active research areas at present.

“Progress in this area is crucial for ensuring [the] defense-in-depth [of] industrial security programs.”

ATT&CK for ICS is currently a work in progress and will rely on contributions from ICS security practitioners to develop further, MITRE acknowledges.

“We’ve chosen to launch ATT&CK for ICS in a wiki that’s separate from the general ATT&CK site to allow for a development cycle more tailored to the release of a new and very different domain,” Alexander said.

“As ATT&CK for ICS matures based on community feedback, we will be working to integrate it into the [main] ATT&CK site.”

