Living Off the Land Attacks and Countermeasures in Industrial Control Systems
Written by SANS Institute’s Certified Instructor, Dean Parsons.
As attacks on critical infrastructure and industrial control systems become increasingly brazen, ICS defences must go beyond just preventative security. Control system defences must be ICS-specific, and teams need to be proactive, with ICS cyber-specific knowledge and skills.
Brazen ICS Attack Techniques
The recent evolution of targeted attacks against critical infrastructure sends a clear message: proactive control system cyber defence requires engineering knowledge to preserve the safety of industrial control system (ICS) and operational technology (OT) operations.
Discussions in Facilities - On the Plant Floor
One of the many things I love about being an ICS-Certified SANS instructor is that in between teaching in the classroom, we spend our time as practitioners in the field. We bring up-to-the-minute threat intelligence-driven knowledge from the field directly into each class. For example, at my firm, ICS Defence Force, I perform cybersecurity control system assessments across multiple critical infrastructure sectors - oil and gas, water, electric power generation, distribution, critical manufacturing, etc.
That means I meet with security teams, engineering staff, facility stakeholders, operators, and those leading the charge of security and ICS risk management. Many meetings are held on the plant floor in hard hats, discussing how to practically apply new ICS defence technologies, tactical defence knowledge, incident response processes, and risk management strategies.
ICS Living-Off-the-Land Attacks Explained
ICS living-off-the-land attacks essentially turn control systems against themselves. This is achieved when an adversary abuses already deployed engineering software, industrial network protocols, trusted network access, engineering tools, control system libraries, etc. Living-off-the-land attacks can be much cheaper for adversaries to deploy, have higher success rates, are more difficult to detect, require a more rapid industrial response, and can have immediate, direct safety and engineering impacts. Let's look at just a few of the ways adversaries live off the ICS land.
Adversaries commonly abuse valid credentials, for example legitimate Active Directory (AD) accounts, to move laterally from IT to ICS/OT networks and then throughout the control system networks. This is most commonly seen in high-risk environments that allow a trust relationship between the IT and ICS/OT ADs, or where organizations use the same AD infrastructure to authenticate accounts on both IT and ICS/OT networks.
ICS cyber defenders must know what normal ICS network traffic looks like. When adversaries abuse deployed industrial network protocols, monitoring can then detect anomalous or unauthorized commands. This requires deep network visibility, that is, ICS network security monitoring (NSM), to identify engineering commands sent in packet payloads to and from key ICS assets and to ensure they are authorized, expected, and unmanipulated. Such assets include critical human machine interfaces (HMIs), programmable logic controllers (PLCs), remote terminal units (RTUs), protection control relays, meters, historians, etc.
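As an added illustration of the NSM check described above (not code from the article or from SANS), the following Python parses Modbus/TCP requests, one of the protocols named later in this piece, and compares write commands against a constructed baseline of authorized EWS-to-PLC writers and engineering setpoint limits. All hosts, unit IDs, register numbers and limits are constructed for the example.

```python
import struct

# Modbus function codes that change process state; every other code is treated as read-only.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
# Constructed baseline: (source host, PLC host, unit id) tuples allowed to write.
# In practice this comes from the asset inventory plus observed normal EWS-to-PLC traffic.
AUTHORIZED_WRITERS = {("10.20.1.10", "10.20.5.21", 1)}
# Constructed engineering limits: (PLC host, unit id, register) -> (min, max) safe setpoint.
SETPOINT_LIMITS = {("10.20.5.21", 1, 16): (0, 200)}

def parse_modbus_tcp(src, dst, payload):
    """Parse the MBAP header and the address/value fields of common function codes."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header plus function code")
    _tid, proto, length, unit_id, function = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("malformed MBAP header (protocol id or length mismatch)")
    address = value = None
    if function in (0x03, 0x05, 0x06, 0x0F, 0x10) and len(payload) >= 12:
        address, value = struct.unpack(">HH", payload[8:12])  # start address, value/quantity
    return {"src": src, "dst": dst, "unit": unit_id, "function": function,
            "address": address, "value": value}

def classify(req):
    """Return an alert string for an unexpected or out-of-limit write, else None."""
    if req["function"] not in WRITE_FUNCTIONS:
        return None  # reads are normal from HMIs, historians and the EWS alike
    where = f"{req['src']} -> {req['dst']} unit {req['unit']}"
    name = WRITE_FUNCTIONS[req["function"]]
    if (req["src"], req["dst"], req["unit"]) not in AUTHORIZED_WRITERS:
        return f"ALERT unauthorized {name} addr={req['address']} value={req['value']} ({where})"
    limits = SETPOINT_LIMITS.get((req["dst"], req["unit"], req["address"]))
    if req["function"] == 0x06 and limits and not limits[0] <= req["value"] <= limits[1]:
        return f"ALERT {name} addr={req['address']} value={req['value']} outside {limits} ({where})"
    return None  # authorized writer, value within engineering limits

# Constructed frames: MBAP (tid, proto=0, length, unit), then function code and data.
SAMPLES = [
    ("10.20.1.10", "10.20.5.21", bytes.fromhex("0001 0000 0006 01 06 0010 0064")),  # EWS sets reg 16 = 100
    ("10.20.4.55", "10.20.5.21", bytes.fromhex("0002 0000 0006 01 05 0003 FF00")),  # unknown host forces coil 3
    ("10.20.4.55", "10.20.5.21", bytes.fromhex("0003 0000 0006 01 03 0000 000A")),  # read 10 holding registers
    ("10.20.1.10", "10.20.5.21", bytes.fromhex("0004 0000 0006 01 06 0010 1388")),  # EWS sets reg 16 = 5000
]

def run(samples=SAMPLES):
    """Parse each frame and collect alerts (two for the constructed samples above)."""
    return [a for a in (classify(parse_modbus_tcp(*s)) for s in samples) if a]
```

Calling `run()` on the constructed samples yields two alerts: the coil write from the unknown host, and the authorized EWS write whose value exceeds the engineering limit, which is the "unmanipulated" check a pure allowlist would miss.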
The abuse of already installed scripting interpreters is also common. Interpreters such as PowerShell can be used to build malware or run functions for malicious purposes inside the system without the adversary having to bring in attack tools or malicious payloads, which helps the adversary avoid detection. PowerShell is also a great administrative tool for proactive ICS threat hunting and for incident response (IR) situations. Ensure powerful scripting tools and interpreters are monitored and limited to only the systems and users that require them for engineering and IR purposes.
Engineering Control System Applications
Why would an adversary group invest time, money, development, and testing of exploit code if already installed engineering applications can be abused to directly interact with the control systems to cause negative consequences? Engineering software is targeted because of its ability to directly monitor, control, and modify the physical process.
Trusted Network Paths
Adversaries abuse trusted network access paths. Firewalls will not defend against an attack group abusing legitimately allowed network ports or protocols over trusted pathways; the adversaries are granted access by the existing access control lists (ACLs). While network segmentation following the Purdue model and the SANS ICS410 SCADA Reference Architecture is a fundamental ICS security best practice, modern ICS defence must go well beyond basic best-practice engineering network architecture. Additionally, know that once a strong network architecture is in place, all other ICS defence investments will have a much higher return on investment.
Living-Off-the-Land Attack Examples - They're Not New, and Growing
One example of living off the land is when attackers gain access to an HMI and use its on-screen commands against the engineering process. An adversary gaining access to an HMI in an electric power facility could remotely open circuit breakers in the field, causing power outages, as happened in the 2015 Ukraine power distribution system attack. Another case was the water treatment facility in Oldsmar, Florida, where an adversary abused the HMI and altered the chemical mixture in the water to toxic levels.
Another example is the abuse of engineering workstation (EWS) functionality to reprogram PLCs with manipulated logic over legitimate EWS-to-PLC communication ports, as seen with the TRISIS/Triton malware.
Living-off-the-land attacks are not new (HAVEX, CRASHOVERRIDE, etc.). Other examples are seen with PIPEDREAM/Incontroller, a scalable ICS-specific attack framework that can be deployed for disruptive and possibly physically destructive impacts to operations and safety, regardless of sector or region. The attack modules inside the PIPEDREAM toolkit help adversaries live off the land. The framework can impact a wide variety of vendor PLCs and can abuse already installed legitimate industrial automation software. Additionally, attackers can abuse legitimate ICS protocols within the ICS network, including but not limited to OPC UA, Modbus, and some proprietary control protocols.
Exploiting ICS Vulnerabilities Vs Living-Off-The-Land
When conducting on-site assessments this question on pre-empting adversary tradecraft often comes up:
"Are adversaries shifting away from exploiting engineering hardware or software vulnerabilities to instead focus on ICS living-off-the-land attacks techniques?"
We should expect a blend of exploits and living-off-the-land attack techniques depending on the adversary's goals. This will also depend on the environment and the current maturity of the ICS security program. The effort the adversary invests in attacks against your ICS will likely be directly related to the ICS-specific defences in place, or lack thereof. Vulnerabilities in engineering hardware and software should continue to be addressed during scheduled engineering maintenance windows, while always considering the engineering impacts of deploying patches and workarounds. Living-off-the-land attacks are not going away any time soon. If anything, they are likely to increase in frequency and become more creative. We must continuously assess risk while considering the following questions:
Do the engineering needs outweigh the risk of an identified vulnerability actually being exploited within the ICS network, such that the exploit provides the adversary the ability to impact the safety and reliability of operations?
Would the adversary take the expensive option of pre-positioning, developing, testing, and launching exploits, rather than simply abusing the HMI, EWS, or other elements inside the ICS to achieve the same or a more harmful effect?
ICS Living-Off-the-Land Countermeasures
Those responsible for leading the charge in ICS/OT cybersecurity and risk management must plan to rely on more than just basic ICS-specific defence-in-depth preventative controls. We must have trained staff ready to respond and maintain engineering operations when those controls fail to detect ICS living-off-the-land attacks. Early detection of adversary pre-positioning in the ICS Cyber Kill Chain is a must.
Find out more about the SANS ICS curriculum here: https://www.sans.org/industrial-control-systems-security/