ics-scada-playbooks
May 16, 2020

ICS SCADA Use cases

By venkat

Mitigations

Use Cases

  1. Infiltration of Malware via Removable Media and External Hardware
  2. Malware Infection via Internet and Intranet
  3. Human Error and Sabotage
  4. Compromising of Extranet and Cloud Components
  5. Social Engineering and Phishing
  6. (D)DoS Attacks
  7. Control Components Connected to the Internet
  8. Intrusion via Remote Access
  9. Technical Malfunctions and Force Majeure
  10. Compromising of Smartphones in the Production Environment
  11. Unusually heavy network traffic
  12. Significantly reduced free disk space
  13. Unusually high CPU usage
  14. Creation of new user accounts
  15. Attempted use of administrator accounts
  16. Locked-out accounts
  17. Cleared log files
  18. Full log files with an unusually large number of events
  19. Antivirus or IDS alerts
  20. Disabled antivirus and other security controls
  21. Unexpected patch changes
  22. Machines or intelligent field devices connecting to
  23. Requests for information about the system
  24. Unexpected changes in configuration settings
  25. Unexpected system shutdown
  26. Stoppage or displayed error messages on a web, database, or application server
  27. Unusually slow access to hosts on the network
  28. Filenames containing unusual characters or new or unexpected files and directories
  29. Auditing configuration
  30. A large number of bounced e-mails with suspicious content
  31. Unusual deviation from typical network traffic flows
  32. Erratic ICS equipment behavior
  33. Override of safety, backup, or failover systems
  34. Equipment, servers, or network traffic that has bursts of temporary high usage
  35. Unknown or unusual traffic from corporate or other network external to control systems network
  36. Unknown or unexpected firmware pulls or pushes

Typical Manufacturing use cases

  1. Use of Windows XP in Manufacturing
  2. Malicious Autorun.inf detections
  3. Prevalence of Downad in Manufacturing
  4. Data exchange via USB between IT and OT
  5. PlugX and Ransomware on Manufacturing Network
  6. Targeted ransomware
  7. Mining campaigns
  8. Equation tools weaponized to distribute coin miner
  9. Equation tools
  10. Coin Miners
  11. APT tools For Coin mining and Ransom
  12. Unintentional leaks due to poor configuration
  13. Malicious CAD files
  14. Use of older versions of Microsoft Office
  15. Distribution of Confidential information
  16. Distribution of leaked CAD files
  17. Counterfeit products issue
  18. Exposed ICSs
  19. SCADA 0-days dealt on the underground
  20. PLC password crackers sold online on the underground
  21. Industrial equipment purchase request
  22. Shodan Shop with Industrial Section

References

BSI Publications on Cyber-Security | Industrial Control System Security – Top 10 Threats and Countermeasures

Latest Threats / Use cases
https://www.securityweek.com/manufacturing-sector-targeted-five-ics-focused-threat-groups-report
https://www.securityweek.com/seven-ransomware-families-target-industrial-software – Important
https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/

Process Kill lists
https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

CSA Alerts
https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/1/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF
https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF – Drovorub

Basics – Joe Weiss – Purdue model
https://www.youtube.com/watch?v=S3Yyv53dZ5A

Basics – Approach
https://www.fireeye.com/blog/threat-research/2019/12/fireeye-approach-to-operational-technology-security.html

Mitigations
https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html

Revisions

March 13, 2020: Initial Version