MITRE Att&ck for ICS: Network Service Scanning
About MITRE Att&ck for Industrial Control Systems (ICS)
MITRE Att&ck, which stands for Adversarial Tactics, Techniques and Common Knowledge, is a knowledge base of adversary tactics and techniques that helps inform the cybersecurity industry. MITRE recently released an Att&ck knowledge base specifically designed for industrial control systems (ICS). ICS are found in industries such as electric, water, wastewater, oil and natural gas, transportation, chemical, pharmaceutical, and various manufacturing sectors. These systems enable the routine automation of key processes that everyone relies on, and any compromise of their operation could impact the health and safety of humans.
According to the MITRE Att&ck document, adversary TTPs associated with ATT&CK for ICS fall under the following broad categories:
• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
• Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
• Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have broad negative effects.
• ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.
• Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
• Interference with the operation of safety systems, which could endanger human life.
Next in this blog series, we will detail Network Service Scanning. The aim is to help you understand the MITRE Att&ck walk-through and its mitigation techniques, as well as to offer our own insight.
Network Service Scanning (T841):
How It's Done:
Network service scanning involves discovering services on networked systems via port scanning or probing. Port scanning is a technique used to identify open ports and services on a host. It determines which ports are open, closed, or filtered by a firewall by interacting with the TCP/IP ports on a system. Depending on the specific port numbers detected, the service behind each port can often be determined.
The Triton and PLC-Blaster attacks serve as prime examples of this technique being utilized, as adversaries often probe for specific ports with various tools.
Recommended Mitigation Techniques:
- Isolate access points & data servers: Confine wireless access points and data servers for wireless worker devices to their own network, and minimize connections to the ICS network.
  - Dispel’s Wicket-Enclave system can isolate access points and data servers through whitelisting and single-tenant access pathways. This works even when the current, existing configurations do not support such levels of segmentation.
- Use VLANs: Segment the network with VLANs.
  - Because all Dispel infrastructure is virtual, a network can be segmented to any configuration using the Wicket-Enclave system. Wickets provide whitelisting capabilities, and Enclaves provide segmented access channels to the subnets.
- Physical access to a control room or control systems often implies also gaining logical access.
  - Dispel’s granular user controls, disposable access pathway implementation, and whitelisting capabilities ensure that access is only granted to those who need it, at the times when they need it.
- Separate ICS and IT network cables: Ensure ICS and IT network cables are kept separate and that devices are locked up when possible.
  - Dispel cannot ensure the physical locking of network cables, but its Wicket-Enclave systems can ensure that access to the ICS and IT networks is completely separate and segmented.
- Keep tabs on the network: Monitor the network and enforce access control practices, e.g. whitelisting.
  - Dispel Wickets provide real-time whitelisting out of the box. Logs can be exported to an in-Enclave ELK Stack and forwarded to a SIEM.
- Develop a detection plan: Develop and implement heuristics to detect monitoring and invasive probing activity on the network.
  - Although this is mostly left as an exercise to management, Dispel provides full traffic logs which can be pushed to a storage server or integrated with a pre-existing intrusion detection system.
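As an added example of the "keep tabs on the network" and "develop a detection plan" items above (this is illustrative code written for this post, not Dispel's software or a MITRE artifact), the script below runs two simple heuristics over firewall or flow logs exported from the ICS boundary: a whitelist check that flags any source not on the approved list, and a port-scan detector that flags a source touching many distinct ports on one destination inside a short window, which is the signature a service scan leaves regardless of the tool used. The log format, the sample lines, the IP addresses and the thresholds are all constructed assumptions; map `parse_log` onto whatever your firewall or SIEM actually emits.

```python
"""Port-scan and whitelist heuristics over ICS boundary connection logs.

Added example for this post, not Dispel's code. It assumes a constructed
log format, one event per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <verdict>
where verdict is ACCEPT (connection completed), REJECT (RST or ICMP
unreachable returned) or DROP (no reply). Those three verdicts map onto
the open / closed / filtered states a scanner would infer.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

Event = Tuple[int, str, str, int, str]

# Constructed sample: 10.0.5.7 (not an approved source) sweeps common ICS
# ports on a PLC at 192.168.10.20 within a few seconds, while the HMI at
# 192.168.10.5 polls Modbus/TCP (502) at a normal cadence.
SAMPLE_LOG = """\
1700000000 10.0.5.7 192.168.10.20 502 ACCEPT
1700000001 10.0.5.7 192.168.10.20 102 REJECT
1700000001 10.0.5.7 192.168.10.20 44818 DROP
1700000002 10.0.5.7 192.168.10.20 20000 REJECT
1700000002 10.0.5.7 192.168.10.20 2222 DROP
1700000003 10.0.5.7 192.168.10.20 47808 DROP
1700000003 10.0.5.7 192.168.10.20 1911 REJECT
1700000004 10.0.5.7 192.168.10.20 4840 DROP
1700000000 192.168.10.5 192.168.10.20 502 ACCEPT
1700000030 192.168.10.5 192.168.10.20 502 ACCEPT
1700000060 192.168.10.5 192.168.10.20 502 ACCEPT
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into (ts, src, dst, port, verdict) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, port, verdict = line.split()
        events.append((int(ts), src, dst, int(port), verdict))
    return events


def port_state(verdict: str) -> str:
    """Translate a firewall verdict into the state a scanner would record."""
    return {"ACCEPT": "open", "REJECT": "closed", "DROP": "filtered"}.get(verdict, "unknown")


def unexpected_sources(events: List[Event], allowlist: Set[str]) -> Set[str]:
    """Whitelist check: every source IP that is not on the approved list."""
    return {src for _, src, _, _, _ in events if src not in allowlist}


def detect_port_scans(events: List[Event], window_seconds: int = 60,
                      port_threshold: int = 5) -> Dict[Tuple[str, str], dict]:
    """Flag (src, dst) pairs where one source touches >= port_threshold distinct
    destination ports within any window_seconds span. Normal ICS clients talk to
    a fixed handful of ports, so a wide spread of ports, most of them closed or
    filtered, is the heuristic signature of a service scan."""
    by_pair: Dict[Tuple[str, str], List[Tuple[int, int, str]]] = defaultdict(list)
    for ts, src, dst, port, verdict in events:
        by_pair[(src, dst)].append((ts, port, verdict))

    alerts: Dict[Tuple[str, str], dict] = {}
    for pair, recs in by_pair.items():
        recs.sort()
        window: deque = deque()          # sliding window of recent records
        for ts, port, verdict in recs:
            window.append((ts, port, verdict))
            while ts - window[0][0] > window_seconds:
                window.popleft()
            ports = {p for _, p, _ in window}
            if len(ports) >= port_threshold:
                # Keep updating so the alert reflects the full extent of the sweep.
                alerts[pair] = {
                    "distinct_ports": len(ports),
                    "total": len(window),
                    "non_accept": sum(1 for _, _, v in window if v != "ACCEPT"),
                    "first_seen": window[0][0],
                    "last_seen": ts,
                    # What the probing host learned about each port, for triage.
                    "states": {p: port_state(v) for _, p, v in window},
                }
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("sources outside whitelist:", unexpected_sources(evs, {"192.168.10.5"}))
    for (src, dst), info in detect_port_scans(evs).items():
        print(f"scan alert {src} -> {dst}: {info['distinct_ports']} ports, "
              f"{info['non_accept']}/{info['total']} non-accepted, states={info['states']}")
```

Both checks are deliberately crude; the whitelist check is the one that should fire first at an ICS boundary, because a scan from an unapproved source is a policy violation before it is a behavioural anomaly. The `states` field is worth forwarding with the alert, since it tells the responder which services were confirmed reachable from the probing host.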