MITRE ATT&CK for ICS: Remote System Discovery
About MITRE ATT&CK for Industrial Control Systems (ICS)
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base of adversary tactics and techniques, built from observed intrusions, that the cybersecurity industry uses to describe and defend against real-world behaviour. MITRE recently released an ATT&CK knowledge base designed specifically for industrial control systems (ICS). ICS are found in the electric, water, wastewater, oil and natural gas, transportation, chemical, pharmaceutical, and manufacturing sectors, among others. These systems automate key processes that everyone relies on, and a compromise of their operation can affect the health and safety of people.
According to the MITRE ATT&CK for ICS documentation, the adversary TTPs it covers fall under the following broad categories:
• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
• Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
• Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have broad negative effects.
• ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.
• Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
• Interference with the operation of safety systems, which could endanger human life.
Next in this blog series, we explore Remote System Discovery. The aim is to walk through the MITRE ATT&CK description of the technique and its mitigations, and to offer our own insight.
Remote System Discovery (T0846):
How It’s Done:
Remote System Discovery identifies the hosts present on a network, collecting details such as IP addresses, hostnames, and other identifying information that the adversary can later use to move laterally. It lets an adversary map which hosts exist and which TCP/IP ports on them are open, closed, or filtered, building a target list for later stages of the attack. In an ICS network the open ports alone are informative: a listener on TCP 502 suggests Modbus/TCP, TCP 102 suggests Siemens S7comm, and TCP 135 (DCOM) is what classic OPC DA servers expose.
An example of Remote System Discovery in action is the network-scanning plugin of the Backdoor.Oldrea (Havex) ICS malware. The plugin discovers all servers reachable from a compromised machine over the network, including OPC servers, using the Windows Networking (WNet) API.
Recommended Mitigation Techniques:
- Use VLANs: Segment the network with VLANs so that switches can enforce policy and segregate traffic at the Ethernet layer. VLANs by themselves only separate broadcast domains; to actually limit what a compromised host can discover, pair them with access control between VLANs (router ACLs or a firewall) rather than relying on VLAN tags alone.
- Because all Dispel infrastructure is virtual, a network can be segmented into any configuration using the Wicket-Enclave system. Wickets provide whitelisting, and Enclaves provide segmented access channels to the subnets.
- Place antennas deliberately: Before deploying a wireless network, determine the antenna placement and transmit power that minimize the network's exposure beyond the areas that need coverage.
- Accessing a network through Dispel means the access pathway can be placed anywhere in the world, as long as there is a cloud data center nearby. Because our networks are moving target defense SD-WANs, their locations can be changed securely over time to keep them hard to discover without sacrificing availability.
- Restrict authorization: Secure and limit both physical and logical access to the control room and its environment, and confine ICS devices to designated areas.
- Dispel does not help with physical security, but it can ensure that authorization is limited to a specific system that only designated administrators can reach after strong authentication.
- Employ VPNs: Use VPNs to further restrict access into and out of control-system computers and controllers.
- All of Dispel's networks are moving target defense SD-WANs, which we consider more secure than traditional VPNs; they carry and control traffic and access into and out of control-system computers and controllers.
- Monitor the network: Watch network traffic and enforce access-control practices such as whitelisting.
- Dispel Wickets provide real-time whitelisting out of the box.
- Develop a detection plan: Implement heuristics that detect reconnaissance and invasive probing on the network, for example one host contacting many addresses or ports in a short period, or a burst of connection attempts that are refused or never answered, and keep devices and patches current.
- Although this is largely left to management, Dispel provides full traffic logs that can be pushed to a storage server or integrated with an existing intrusion detection system.
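The following is an added example, not code from Dispel or from the MITRE ATT&CK knowledge base, of the kind of heuristic the detection plan above calls for, applied to the behaviour described under "How It's Done". It reads connection records in the Zeek conn.log layout (timestamp, source, source port, destination, destination port, protocol, connection state) and flags a source that touches many distinct hosts (a host sweep) or many distinct ports on one host (a port scan) within a sliding time window, counting how many of those attempts never completed a handshake. The log lines, addresses and thresholds are constructed for illustration and would need tuning to a site's normal polling patterns.

```python
"""Heuristic detection of Remote System Discovery (host sweeps and port scans)
over Zeek-style connection logs. Added example, not Dispel's or MITRE's code."""
from collections import defaultdict

# Zeek conn.log states that mean no completed handshake: the typical footprint of
# a sweep against hosts or ports that do not answer or refuse the connection.
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0"}


def _line(ts, src, sport, dst, dport, state):
    # Tab-separated: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
    return f"{ts:.1f}\t{src}\t{sport}\t{dst}\t{dport}\ttcp\t{state}"


# Constructed sample log (addresses, hosts and timings are invented for illustration).
SAMPLE_CONN_LOG = "\n".join(
    # Benign: HMI 10.10.1.20 polls two PLCs (S7comm/102 and Modbus/502) every 10 s.
    [_line(1700000000 + 10 * i, "10.10.1.20", 49000 + i,
           "10.10.2.11" if i % 2 == 0 else "10.10.2.12",
           102 if i % 2 == 0 else 502, "SF") for i in range(30)]
    # Host sweep: 10.10.1.50 walks the PLC subnet on port 102, refused everywhere.
    + [_line(1700000100 + i, "10.10.1.50", 40000 + i, f"10.10.2.{i}", 102, "REJ")
       for i in range(1, 21)]
    # Port scan: 10.10.1.60 probes one PLC on 25 consecutive ports, no answer.
    + [_line(1700000200 + 0.5 * i, "10.10.1.60", 41000 + i, "10.10.2.11", i, "S0")
       for i in range(1, 26)]
)


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into dicts; skips blanks and '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto, state = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto, "state": state})
    return records


def _window_alert(src, win, host_threshold, port_threshold):
    """Return an alert if one source's connections within a window look like discovery."""
    hosts = {r["dst"] for r in win}
    failed = sum(1 for r in win if r["state"] in FAILED_STATES)
    base = {"src": src, "first_ts": win[0]["ts"], "last_ts": win[-1]["ts"], "failed": failed}
    # Sweep: many distinct destination hosts from one source.
    if len(hosts) >= host_threshold:
        return dict(base, kind="host_sweep", count=len(hosts))
    # Scan: many distinct ports on a single destination host.
    ports_per_host = defaultdict(set)
    for r in win:
        ports_per_host[r["dst"]].add(r["dport"])
    for dst, ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            return dict(base, kind="port_scan", dst=dst, count=len(ports))
    return None


def detect_discovery(records, window=60.0, host_threshold=10, port_threshold=10):
    """Slide a time window over each source's connections and raise at most one alert
    per source. Thresholds are illustrative: tune them to the site's normal polling."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)
    alerts = []
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            alert = _window_alert(src, recs[start:end + 1], host_threshold, port_threshold)
            if alert:
                alerts.append(alert)
                break
    return alerts


if __name__ == "__main__":
    for a in detect_discovery(parse_conn_log(SAMPLE_CONN_LOG)):
        print(a)
```

Run against the constructed log, the HMI's steady polling of two PLCs produces no alert, while the subnet walk is reported as a host sweep and the 25-port probe as a port scan, each with a count of failed handshakes that a whitelisting Wicket or an IDS fed from full traffic logs could use to corroborate. The same logic applies unchanged to a flow export from a switch or firewall once the fields are mapped onto the record dictionary.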