The OT team is doing its best to make sure the plant’s safety and availability are assured. Well, confidentiality and integrity of data come next, if there are budget and resources available!
Of course, the IT team deployed a firewall, Antivirus is working and email/web gateways are in place. Does that stop Ransomware, fileless attacks, and zero-day exploits?
Since Microsoft products are commonly used throughout ICS environments, including HMI stations and Historian database servers, and patch management in OT networks is not as easy as IT, ICS networks are at great risk. In fileless attacks, malicious code is either embedded in a native scripting language or written straight into memory using legitimate administrative tools such as PowerShell, without being written to disk.
It could start from a user browser, malicious website, or spear-phish email with an attachment (let’s assume delivering the malware by USB is out of this discussion). Then, a vulnerable application is exploited or in other cases, a macro starts in memory, as the malicious attached document is opened. As soon as the macro starts or the vulnerable application is exploited, the command line starts running PowerShell in memory. Next, PowerShell downloads some more scripts and the encryption key, and guess what, encryption starts.
3 ways Ransomware can damage ICS networks:
- It can Freeze SCADA configuration and management abilities
- It can damage HMIs ability to monitor and send commands to the controllers
- Or it can paralyze Historian-dependent operations
How to protect ICS networks against such advanced attacks:
- Security awareness among the OT team is a key factor.
- Deployment of technologies that can detect Indicator of Attack (IoA) and Indicator of Compromise(IoC). IoA’s are not focused on attack tools or codes, but rather on steps taken in attack methods that lead to compromise.
- Vulnerability and Patch Management.
- Backup and shadow critical systems and databases.
- Deployment of access management, up to process’ level on critical assets.(Micro-Segmentation)
- Deployment of ICS security audit frameworks such as; NIST 800-82a, ISA/IEC 62443, or NERC CIP.