The OT team is doing their best to make sure the plant’s safety and availability is assured. Well, confidentiality and integrity of data comes next, if there is budget and resource available!

Of course, the IT team deployed a firewall, Anti virus is working and email/web gateways are in place. Does that stop Ransomware, fileless attacks and zero-day exploits?

Since Microsoft products are commonly used throughout ICS environments, including HMI stations and Historian database servers, and patch management in OT networks is not as easy as IT, ICS networks are at a great risk. In fileless attacks, malicious code is either embedded in a native scripting language or written straight into memory using legitimate administrative tools such as PowerShell, without being written to disk.

It could start from a user browser, malicious website or spear-phish email with an attachment (Lets assume delivering the malware by USB is out of this discussion). Then, a vulnerable application is exploited or in other cases, a macro starts in memory, as the malicious attached document is opened. As soon as the macro starts, or the vulnerable application is exploited, command line starts running powershell in memory. Next, powershell downloads some more scripts and the encryption key, and guess what, encryption starts…

3 ways Ransomware can damage ICS networks:

1- It can Freeze SCADA configuration and management abilities

2- It can damage HMIs ability to monitor and send commands to the controllers

3- Or it can paralyze Historian-dependent operations

How to protect ICS networks against such advanced attacks:

-Security awareness among OT team is a key factor.

-Deployment of technologies that can detect Indicator of Attack (IoA) and Indicator of Compromise(IoC). IoA’s are not focused on attack tools or codes, but rather on steps taken in attack methods that lead to compromise.

-Vulnerability and Patch Management.

-Backup and shadow critical systems and databases.

-Deployment of access management, up to process’ level on critical assets.(Micro-Segmentation)

– Deployment of ICS security audit frameworks such as; NIST 800-82a,ISA/IEC 62443 or NERC CIP.


Share via
Copy link
Powered by Social Snap