Here we report the current state of the ICS threat landscape, as presented at the IT&Automation 2018 conference in Böblingen.
To learn more about Kaspersky Lab's ICS CERT, visit https://kas.pr/e34v
2. THE NATURE OF THE THREAT
OUR INDUSTRIAL CYBERSECURITY ACTIVITIES IN A NUTSHELL
KICS is a portfolio of technologies and services designed to secure Industrial Control System environments:
• Launched at the end of 2015
• More than 15 customers globally since launch
• 4 official references
KL ICS Cyber Emergency Response Team is a special non-commercial project that offers a wide range of information and research services:
• Officially launched at the end of 2016
• Regularly contributes to industrial cybersecurity, e.g. helping prepare IIFS v 1.0
• Found more than 100 ICS vulnerabilities
• Raising awareness through hackathons, CTFs, workshops and demos worldwide
5. CYBER-PHYSICAL ATTACKS: ENERGY
History repeating: CRASHOVERRIDE
WHEN: DECEMBER 2016
WHERE: UKRAINE, KIEV, DIGITAL SUBSTATION «NORTHERN»
PHYSICAL: POWER OUTAGE FOR 1 HOUR 15 MIN
CYBER: (possibly?) CRASHOVERRIDE / Industroyer malware platform with plugins for IEC 101/104, IEC 61850 and OPC; the second (after STUXNET) case of malware designed to target physical systems
6. CYBER-PHYSICAL ATTACKS: ENERGY
History repeating: BlackEnergy 2.0
WHEN: DECEMBER 2015
WHERE: UKRAINE
PHYSICAL: power cell switches operated, remote control disabled for operators, power outage on 7 110 kV and 23 35 kV substations.
FINANCIAL: POWER OUTAGE IN 5 REGIONS FOR 6 HOURS
CYBER: BlackEnergy 2.0 as the door opener, the rest of the attack performed manually.
7. CYBER-PHYSICAL ATTACKS: OIL & GAS, SHAMOON
History repeating
WHEN: DECEMBER 2012
WHERE: SAUDI ARABIA, SAUDI ARAMCO; 35 000 COMPUTERS WIPED OUT, 50 000 HDDS WERE REPLACED
PHYSICAL: 17 DAYS OF DELAYED PRODUCT DELIVERY
8. CYBER-PHYSICAL ATTACKS: OIL & GAS, SHAMOON 2.0 / STONEDRILL
History repeating
WHEN: NOV 2016 – JAN 2017
WHERE: SAUDI ARABIA, ME, EUROPE; MANUFACTURING AND OIL & GAS; CONNECTED TO NEWSBEEF, PROBABLY IRAN
DAMAGE: ??? STILL TO BE CALCULATED
9. RANSOMWARE ATTACKS: UTILITY
Michigan, USA, 2016
CYBER ATTACK:
• Phishing attack to deliver ransomware
• Mail delivery and finance operations affected
• Phone lines not working, including the Technical Support line
• Customers prevented from getting their bills
DIRECT LOSSES:
• $25K ransom
$2.4M FOR EXTRA CYBER SECURITY
10. RANSOMWARE ATTACKS: WannaCry in ICS?
12-15 May 2017, more than 150 countries
COMPANIES REPORTED:
• Renault, France
• Gas Natural, Spain
• NHS, UK
• Computers in Police units in India
• Enterprises in Mumbai, Hyderabad, Bengaluru, Chennai
• Schools, Universities
• Railways?
• Etc…
15. THE NATURE OF THE THREAT
Threat pyramid (chart):
• 90% Traditional cybercrime
• 9.9% Targeted threats to organizations (targeted attacks / advanced persistent threats)
• 0.1% Cyber-weapons
OUR DAY-TO-DAY RESEARCH
310 000 new threats per day: we discover and prevent > 300 000 new threats a day
16. OUR DAY-TO-DAY RESEARCH
We discover and dissect the world’s most sophisticated threats.
Timeline of campaigns discovered, 2010–2016 (chart): Stuxnet, Duqu, Flame, miniFlame, Gauss, Icefog, Winnti, NetTraveler, Miniduke, Epic Turla, Energetic Bear / Crouching Yeti, RedOctober, CosmicDuke, Darkhotel, Careto / The Mask, Regin, Sofacy, Carbanak, Desert Falcons, Equation, Naikon, Hellsing, TeamSpy, Duqu 2.0, Animal Farm, Kimsuky, MsnMM Campaigns, Satellite Turla, Wild Neutron, Blue Termite, Spring Dragon, Metel, Adwind, Lazarus, Lurk
17. OUR DAY-TO-DAY RESEARCH
25% of all the APTs found by KL in 2016 were targeting industrial companies.
We discover more targeted attacks and APTs than the rest of the industry.
>100 private reports delivered in 2016
37. CYBER-PHYSICAL ATTACK VECTORS: ENERGY
Kaspersky Lab Study 2015: Digital Substation
WHEN: OCTOBER 2015
WHERE: MOSCOW
TARGET: Penetration testing of a 500 kV substation model:
• Equipment and configuration equal to the real-world substation
• Cyber security settings hardened
• 4 security expert teams competing in a CTF competition
• Goal: to demonstrate ways to cause damage in the physical world.
38. CYBER-PHYSICAL ATTACK VECTORS: ENERGY
Kaspersky Lab Study 2015: Digital Substation
Identified attack vectors against RTUs and protection terminals:
• Multiple IEC 61850 (MMS/GOOSE) and SIEMENS DIGSI architecture and implementation vulnerabilities exploited
• Circuit protection logic turned off, terminal firmware changed, three 0-days found
• 2 out of 8 terminals damaged (bricked)
• Multiple unauthorized power cell operations
PHYSICAL: FIRST SHORT CIRCUIT IN 3 HOURS, 2 TERMINALS BRICKED
39. CYBER-PHYSICAL ATTACK VECTORS: ENERGY
Kaspersky Lab Study 2016: Micro Grid
Infrastructures:
• Hydro Power Plant
• High Voltage Substation 110 kV
• Distribution Substation 10 kV
• Solar Power Station
• Other equipment
Hardware:
• RuggedCom & Hirschmann
• S7-1500, Siprotec 4
• PLC modem, NTP, Wi-Fi, etc.
41. CYBER-PHYSICAL ATTACK ANATOMY
Cyber sabotage scenario modeling / analysis
OBJECT: gasoil discharge terminal
TARGET: get access to the ICS network, get control over the process, find the ways to break the process / do physical damage.
Attack steps to gain control over terminal facilities to destroy equipment and/or break the process (estimated time per step):
• Get access to industrial network: 0.5-48 hours
• Reconnaissance: 1-4 hours
• Get access to SCADA and PLC + get the password: 0.5-6 hours
• Create modified PLC programs: 1-24 hours
• Deliver modified logic to target PLCs: 0.5-2 hours
• Emergency alarm: INCIDENT