While it is not a new target, many experts say that 2019 is shaping up to be the year of industrial cyber security. A confluence of factors has put OT networks online and more susceptible to cyber attacks. In fact, ICS networks often lack the security that have been used in IT networks for more than two decades. Moreover, the mantra of “set it and forget it” in OT networks result in obsolete and unsupported windows versions and more all making it infinitely easier to attack. For example, Shamoon, a weaponized virus, was launched and targeted specific oil & energy companies. It focused on an old Windows kernel that was secured in IT networks many months if not years before. Many claim that this attack was more destructive than anything previously seen and directly impacted the ICS environment. Without addressing threats targeting the OT network, any manufacturing facility, industrial operation or critical infrastructure can be ground zero to a devastating attack.
Like IT environments, OT attacks are launched using similar attack stages including reconnaissance, mapping, weaponization, install and execution. In many cases, the first two stages may occur over a period longer than the actual attack. This is typical (a) because it takes time to find a vulnerability to exploit (b) so as not to create alarms due to heavy probing.
The ICS threat landscape may include scans and port knocking on the reconnaissance side and denial of service, malware, ransomware and special ICS targeting on the attack side. When tasked with creating the rule sets that are optimized for ICS environments, security experts must take into consideration some key areas. They must balance between quality rules that catch probing and reconnaissance even over extended periods of time while at the same time eliminate the generation of false positives or negatives.
Building these types of rule sets requires a vast knowledge and expertise both on the security and OT infrastructure side in order to be able to alert on the relevant threats to the network. Rules are created and collected from many sources. They are tested and implemented into ICS security products and solutions to provide the necessary protection for the new security realities existing in OT environments today. In addition, keeping the rules updated is an ongoing task to ensure that the network is protected from new developments and campaigns that are constantly evolving. Each environment is different, so part of the art is fine tuning the rulesets for each specific environment in order to find every attempted attack while being able to conduct business as usual.
Indegy’s Unique ICS Ruleset
In order to be able to create and deploy these sophisticated rule sets, Indegy leverages the power of the community combined with ICS security expertise. Following the enhancement of Indegy’s threat detection with Suricata engine, Indegy is providing its customers with this unique ICS Ruleset to protect them from the ever-growing threats. This ruleset is updated frequently to keep up to date with new threats and new rules that are created by the community.
This unique collection of rules can be categorized into the following groups:
- Malware & Ransomware - ICS environments have been attacked with many variants of malwares and ransomwares in the past years. These are used to collect data, wipe out files, execute additional attack stages and continue to propagate to additional devices and assets. This rule group, alerts on a wide range of CnC communications, suspicious DNS requests, indicators of compromise, propagation of malware, file encryption requests and file lockdowns. Some examples of threats that are detected by this ruleset include; Locky, Cerber, Delf, VPNFilter, Gh0st, Emotet and many more.
- Exploits & Attacks - Detecting attacks and exploits is a huge challenge for any cyber solution. The Attacks & Exploit rule group emphasizes the unique properties of attacks aimed at ICS environments including different known exploits, suspicious SSL certificates, malicious traffic to and from servers, corrupt payloads, phishing attacks and more. Detection should address the widest range of attacks including but not limited to; Heartbleed, Eternal Blue, Eternal Romance, Spectre, Reverse Shell Attacks, Metasploit based attacks and many more.
- ICS Attacks - ICS attacks are unique in the equipment they attack, in the way they propagate and the complexity of their detection. This unique and curated rule group, detects ICS specific attacks using multiple sensors and indicators of compromise to detect the attacks as early as possible. Ranging from Stuxnet, BlackEnergy, Shamoon, Havex, Industroyer, as well as potentially dangerous traffic in the ICS environment based on attack groups that operate and attack ICS environments.
- Scans & Denial of Service - This rule groups detects hundreds of different types of network scans that can indicate pre-attack reconnaissance. Such scans can be generated with a wide range of tools and can collect data from the different devices in order to lay the ground for next stage of the attack. This rule group also protects from Denial of Service attacks. Such attacks can have massive effect on the network and the operational processes including downtime and loss of production. These include the detection of NMAP scans, Operating Systems probing, RDP and VNC scans and a large range of Denial of Service and Buffer Overflow traffic and behavior.
Integrating these capabilities and rules to the Indegy Security Suite takes threat detection to the next level be improving the range of threats that can be detected as well as the real time updates to protect from ongoing attacks. With the range of threats growing and evolving so quickly, it is essential that ICS security vendors contribute to and leverage the power of the security community. More eyes will be able to catch more threats and that rising tide of protection will protect all participating industrial organizations against the unacceptable industrial cyber security threat.