Jurassic Park is often (mistakenly) left out of the hacker movie canon. It clearly demonstrated the risk of an insider attack on control systems (Velociraptor rampage, amongst other tragedies…) nearly a decade ahead of the Maroochy sewage incident, it’s the first film I know of with a digital troll (“ah, ah, ah, you didn’t say the magic word!”), and Samuel L. Jackson correctly assesses the possible consequence of a hard reset (namely, everyone dying), resulting in his legendary “Hold on to your butts”. The quotable mayhem is seeded early in the film, when biotech spy Lewis Dodgson gives a sack of money to InGen’s Dennis Nedry to steal some dino DNA. Dodgson’s caricatured OPSEC (complete with trilby and dark glasses) is mocked by Nedry shouting, “Dodgson! Dodgson! We’ve got Dodgson here! See, nobody cares…” Three decades later, this quote still comes to mind* whenever conventional wisdom doesn’t seem to square with observed reality, and today we’re going to apply it to the oft-maligned world of Industrial Control System (ICS) security.
There is plenty of literature on ICS security pre-2010, but people really sat up and started paying attention when we learned about Stuxnet. Possibly the most upsetting thing about Stuxnet (for security-complacent control system designers like me) was the apparent ease with which the “air gap” was bridged over and over again. Any remaining faith in the air gap was killed by Éireann Leverett’s demonstration (thesis and S4 presentation) that thousands of industrial systems were directly connected to the Internet — no air gap jumping required. Since then, we’ve observed a steady growth in Internet-connected ICS devices, due both to improved search techniques and increasingly-connectable ICS devices. On any given day you can find about 100,000 unique devices speaking industrial protocols on Censys and Shodan. These protocols are largely unauthenticated and unencrypted, allowing an attacker that can speak the protocol to remotely read state, issue commands, and even modify programmable logic without using an actual exploit.
This sounds (and is) bad, and people have (correctly) highlighted its badness on many occasions. The attacks, however, appear to be missing: we are not aware of a single instance of industrial damage initiated via an Internet-connected ICS device. In this Three Paper Thursday we’ll look at papers showing how easy it is to find and contextualise Internet-connected ICS devices, some evidence for lack of malicious interest, and some leading indicators that this happy conclusion (for which we don’t really deserve any credit) may be changing.
*Perhaps because guys of a certain age still laugh and say “Dodson! We’ve got Dodson here!” when they learn my surname. I try to explain that it’s spelt differently, but…
An Internet-Wide View of ICS Devices by Ariana Mirian, Zane Ma, David Adrian, Matthew Tischer, Thasphon Chuenchujit, Tim Yardley, Robin Berthier, Joshua Mason, Zakir Durumeric, J. Alex Halderman, and Michael Bailey.
The team that gave the world ZMap, a tool for efficient, Internet-wide scanning (USENIX paper and GitHub repo), developed a stateful extension (now available as ZGrab2) , allowing scanners to obtain detailed identifying information from devices communicating on dozens, then hundreds, and now thousands of protocols. In this paper, they show the tool can identify about 60,000 Internet-connected ICS devices on five common industrial protocols, including those for process automation, building automation, and utilities. The authors demonstrate that many of these devices provide enough information to identify geographic locations and industrial sectors (e.g., utilities, water/sewage, manufacturing). In some cases, combining scanning data with WHOIS lookup data allows them to identify the actual device owner.
Having documented the large population of vulnerable ICS devices, the authors proceed to a search for malicious activity. Using low-interaction ICS honeypots and a network telescope, they analyse network traffic on ICS protocols. Though they successfully classify other scanning campaigns, they admit that they cannot identify any attempt to maliciously modify ICS device behaviour via an industrial protocol, despite their obvious vulnerability.
They conclude that the industrial security sector is in disarray, emphasising that the lack of identifiable malicious interest is not grounds for complacency.
Another conclusion one can draw from the same data is that the Internet-connected ICS population is highly fractured. There are dozens of device manufacturers running bare-metal applications or proprietary operating systems on different chipsets. While the total population might be approaching 100,000, even the most popular manufacturers only have a few thousand connected devices, which is a sharp contrast to the IoT community, where there are millions Linux-based devices running on similar chipsets.
Using Global Honeypot Networks to Detect Targeted ICS Attacks by Michael Dodson, Mikael Vingaard, and Alastair R. Beresford.
Numerous ICS honeypot studies (including that documented in the first paper) have shown lots of scanning activity and no malicious activity. This isn’t surprising, since scanning is intentionally indiscriminate and all known ICS attacks have targeted specific devices, usually at specific locations (e.g., Stuxnet, Triton/Trisis, BlackEnergy and CRASHOVERRIDE). Given that there does not appear to be any indiscriminate ICS malware yet (as demonstrated by these honeypot studies), the only reason a targeted attacker would interact with an ICS honeypot is because they have mistaken it for a real device and are either testing their exploit or believe it is part of their target.
In this paper, we show that targeted attackers can be deceived and new attacks can be identified. We hypothesise that earlier studies suffered from short-term use of low interaction, geographically-concentrated honeypots that were easy to identify or ignore (e.g., because they use default serial numbers or are hosted on AWS). To test the hypothesis, we use a large number of high-interaction, geographically-distributed honeypots. Our honeypot network includes IP addresses geolocated in over 20 countries and we capture packets over a 13 month period.
Using this network, we identify much of the same scanning activity as previous studies; however, out of 80,000 interactions, we also identify nine that clearly make malicious use of an industrial protocol. Attackers used S7comm, IEC-104, and Modbus to initiate Denial of Service and command replay attacks. The paper also describes observable characteristics about the attackers, such as their geographic distribution, emphasising the need for similarly distributed honeypot networks.
While the yield was small, the study is the first to identify any such attacks using ICS honeypots and demonstrates the level of investment required to deceive even the lowest tier of targeted ICS attackers. More broadly, the study also confirms previous conclusions about the lack of large-scale malicious interest in the ICS domain, as a study that successfully identifies targeted attacks is also likely to identify any less discriminating attacks, if they existed.
Separately, we also observed overlap between suspected hosts of the Mirai botnet and devices scanning ICS protocols. While we show that it is unlikely Mirai itself is scanning for ICS devices, it seems that the gap between IoT and ICS is narrowing, which brings us to our final paper.
A Survey of IIoT Protocols: A Measure of Vulnerability Risk Analysis Based on CVSS by Santiago Figueroa-Lorenzo, Javier Añorga, and Saioa Arrizabalaga.
The heterogeneity of the Internet-connected ICS population may be a barrier to entry for attackers looking for a large target population. With dozens of protocols, operating systems, and chipsets, any particular exploit might only apply to a few hundred devices. However, the ‘digital manufacturing revolution’, ‘Industry 4.0’, and (the lamentably named) ‘Industrial IoT (IIoT)’ are racing to put ICS on the same footing as IoT.
This survey paper not only provides excellent summaries of 30+ IT, IoT, and ICS protocols (worth keeping on the shelf for this alone), but clearly articulates the following:
- IIoT and Industry 4.0 inevitably require convergence of IoT and ICS protocols, and in many cases this convergence needs to happen in individual devices
- Existing vulnerability measurement sources are inadequate mechanisms to assess risk for these areas of convergence because the two domains historically have different weighting priorities (confidentiality for IoT and integrity or availability for ICS)
The paper surveys different risk measurement systems, existing sources of vulnerability information, and past exercises in applying existing systems to industry. The authors ultimately develop a new Vulnerability Assessment Framework (VAF), which uses existing vulnerability information to account for environmental and temporal factors in assessing the risk posed by IT, IoT, or ICS vulnerabilities within the industrial domain. Put another way, the ranking of two vulnerabilities using VAF should represent the relative difference in risk posed by each vulnerability within the converged industrial environment, regardless of whether the vulnerability originates from an IT, IoT, or ICS protocol.
Perhaps more importantly, the paper makes a clear case for the negative security implications of IoT and ICS convergence and plants that case in a reputable, computing journal.
Many ICS devices are directly connected to the Internet and are clearly vulnerable to malicious influence; however, there is little evidence of attacker interest in the population. There are many possible reasons for this lack of interest: the population is highly fragmented, buying devices for development and testing is expensive, or ICS device behaviour within a system may be hard to predict. The convergence of ICS with IoT changes the economics of attacking ICS, however, and it may soon overcome this observed lack of interest in two ways: 1. Convergence with IoT brings new homogeneity to a fragmented ICS population, and 2. Convergence with IoT risks ICS systems simply being swept up in attacks against the much larger IoT domain.
To come full circle, I should probably close with either “Hold on to your butts” or “See, nobody cares”, but I don’t think we are in a position yet to guess which direction this will go. Nation states will continue to successfully execute attacks like Stuxnet, Trisis, and CRASHOVERRIDE (which generally originate from Windows-based industrial infrastructure), and cyber criminals will continue to exploit the almost unimaginable 30-ish billion IoT devices currently connected to the Internet. My very hesitant prediction would be that ICS simply moves too slowly to connect at the level hoped for by the most ambitious proponents of Industry 4.0, and this is good. While this slowness often leaves individual devices vulnerable for long periods of time, they tend to fall into the “nobody cares” category, and being slow to change might save the most critical physical processes from being connected via the actively exploited IoT domain.