May 16, 2020
ICS SCADA Use cases
Mitigations
- Mitigations based on CISA's recent experience handling an incident at a natural gas compression facility; a good use case with practical mitigations, and closely mapped to the MITRE ATT&CK for ICS matrix.
- More mitigation steps in the FireEye blog.
Use Cases
- Infiltration of Malware via Removable Media and External Hardware
- Malware Infection via Internet and Intranet
- Human Error and Sabotage
- Compromising of Extranet and Cloud Components
- Social Engineering and Phishing
- (D)DoS Attacks
- Control Components Connected to the Internet
- Intrusion via Remote Access
- Technical Malfunctions and Force Majeure
- Compromising of Smartphones in the Production Environment
- Unusually heavy network traffic
- Significantly reduced free disk space
- Unusually high CPU usage
- Creation of new user accounts
- Attempted use of administrator accounts
- Locked-out accounts
- Cleared log files
- Full log files with an unusually large number of events
- Antivirus or IDS alerts
- Disabled antivirus and other security controls
- Unexpected patch changes
- Machines or intelligent field devices connecting to
- Requests for information about the system
- Unexpected changes in configuration settings
- Unexpected system shutdown
- Stoppage or displayed error messages on a web, database, or application server
- Unusually slow access to hosts on the network
- Filenames containing unusual characters or new or unexpected files and directories
- Auditing configuration
- A large number of bounced e-mails with suspicious content
- Unusual deviation from typical network traffic flows
- Erratic ICS equipment behavior
- Override of safety, backup, or failover systems
- Equipment, servers, or network traffic that has bursts of temporary high usage
- Unknown or unusual traffic from corporate or other networks external to the control systems network
- Unknown or unexpected firmware pulls or pushes
Typical Manufacturing use cases
- Use of Windows XP in Manufacturing
- Malicious Autorun.inf detections
- Prevalence of Downad in Manufacturing
- Data exchange via USB between IT and OT
- PlugX and Ransomware on Manufacturing Network
- Targeted ransomware
- Mining campaigns
- Equation tools weaponized to distribute coin miners
- Equation tools
- Coin Miners
- APT tools For Coin mining and Ransom
- Unintentional leaks due to poor configuration
- Malicious CAD files
- Use of older version of Microsoft Office
- Distribution of Confidential information
- Distribution of leaked CAD files
- Counterfeit products issue
- Exposed ICSs
- SCADA 0-days traded on the underground
- PLC password crackers sold on the underground
- Industrial equipment purchase request
- Shodan Shop with Industrial Section
References
BSI Publications on Cyber-Security | Industrial Control System Security – Top 10 Threats and Countermeasures
Latest Threats / Use cases
https://www.securityweek.com/manufacturing-sector-targeted-five-ics-focused-threat-groups-report
https://www.securityweek.com/seven-ransomware-families-target-industrial-software – Important
https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
Process Kill lists
https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
CSA Alerts
https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/1/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF
https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF – Drovorub
Basics – Joe Weiss – Purdue model
https://www.youtube.com/watch?v=S3Yyv53dZ5A
Basics – Approach
https://www.fireeye.com/blog/threat-research/2019/12/fireeye-approach-to-operational-technology-security.html
Mitigations
https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html
Revisions
March 13, 2020: Initial Version