
Operational technology compromises: Low sophistication, high-frequency

July 28, 2021 by Greg Belding

In recent years, operational technology (OT) has been dragged into the news due to an increase in compromises of the technology systems that our critical infrastructure relies on. A new trend in attacks on the OT of critical infrastructure is a sharp increase in frequent, low-sophistication attacks.

Cybersecurity firm FireEye has recently released a report exploring this trend. This article will provide a recap of this report and detail how OT security and training can fight against this disturbing trend impacting OT systems.


The OT report

FireEye released a report entitled Crimes of opportunity: increasing frequency of low sophistication operational technology compromises. The report presents several findings which demonstrate that low sophistication attacks are not only growing but becoming more attractive to threat actors, who have been taking advantage of the significant number of internet-connected OT devices. These threat actors are motivated by financial gain, as well as by ideological, political and egotistic reasons. It should be noted that it did not take much digging to gather the information for the report, as threat actors tend to make it known voluntarily in the form of online braggadocio.

Report findings

Rise in the frequency of incidents

The report mentions that, in tracking threat actors offering access to internet-connected OT systems since 2012, its authors have seen a significant increase in the frequency of incidents against OT within the last couple of years. The most commonly observed threat activity has been actors trying to make money off internet-connected OT and leveraging well-known tactics, techniques and procedures (TTPs) in conjunction with commodity tools. This gives threat actors the ability to access, interact with, and harvest information from internet-exposed OT, which was rarely observed in the past (mainly due to the standard practice of air-gapping OT systems into segregated networks).

The rise in low sophistication threat actor activity

As touched on in the finding above, the use of well-known TTPs indicates that low sophistication threat actors are populating the burgeoning world of OT threat activity. Other indicators, such as threat actors leaving comments on the internet demonstrating that they do not fully understand OT, and the rise of tutorials for those targeting OT systems, leave little doubt about just how unsophisticated these threat actors are.

The low level of technical sophistication of OT threat actors is well known. Those who are relatively more sophisticated than others try to educate their fellow threat actors with hacktivist tutorials. Observed OT threat tutorials teach simple methodologies such as using VNC tools to connect to identified IP addresses.

Low sophistication threat activity was observed against a wide range of targets, from those that present little risk to those that are critical and sensitive in nature: for example, from security systems and building automation systems to water and energy critical infrastructure. A constant theme that has been observed is the reliance on unsecured remote access services as the means of accessing compromised OT control systems.

HMIs: The low hanging fruit

HMIs, or human-machine interfaces, are the low-hanging fruit for process-oriented OT attack activity because they give a user-friendly look into the complex industrial processes of OT systems. This allows threat actors that lack prior knowledge of industrial processes the opportunity to modify industrial control variables quickly and easily. 

Threat actors typically cannot keep quiet about their deeds and share IP addresses, GUIs, system timestamps and videos captured during OT attacks with their online communities.

Some threat actors are truly amateurs

Being of low sophistication is one thing; being an amateur is even worse. 

The report observed some embarrassing examples of threat actors claiming to target one thing and ending up missing the mark entirely. In one incident, an anti-Israel hacktivist group claimed to be targeting a “gas system” in Israel when instead they were impacting a kitchen ventilation system in an Israeli restaurant.

In another incident, threat actors claimed to be attacking a German “rail control system,” but what they thought was a legitimate railroad control system was a web interface for a model train set.

Other OT takeaways

Some other key takeaways from the report:

  • Each new incident provides threat actors with an opportunity to learn from the operations, technology and physical processes to improve their “tradecraft.”
  • Low sophistication attacks can impact OT systems, especially those with less mature OT security.
  • Publicizing OT incidents normalizes them and encourages other threat actors.

How to combat low sophistication OT attacks

Combatting low sophistication OT attacks is not difficult if you use OT security best practices and provide solid OT security training to your organization’s employees. OT security best practices are:

  • When possible, segregate OT assets from public-facing networks that have access to the general internet. 
  • When remote access is necessary, implement access controls and monitor for unusual traffic activity.
  • Apply network hardening techniques to edge devices and those that are remotely accessible.
  • Identify exposed assets and information and determine if online scanners can discover them.
  • Configure your OT system’s HMIs and control system assets so that only acceptable input ranges are enforced and hazardous variable states are excluded.
  • Maintain situational awareness of the cybersecurity for your OT system and the development of exploits that will impact your system. This includes being aware of what about your OT system would interest threat actors.
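
One way to act on the remote-access and exposure items above, as an added example (not from the article or the FireEye report): a Python check over firewall flow records that flags VNC, RDP, SSH and Telnet connections to OT assets from anything other than approved jump hosts. The subnets, port list, log format and sample records are constructed assumptions to be replaced with your own inventory.

```python
import ipaddress

# All networks, ports and records below are constructed assumptions for illustration.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]       # assumed OT address space
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate space
APPROVED_SOURCES = [ipaddress.ip_network("10.10.5.0/28")]  # assumed jump hosts
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}
REMOTE_ACCESS_PORTS.update({port: "VNC" for port in range(5900, 5910)})
# Constructed flow records: timestamp, source, destination, destination port, action
SAMPLE_FLOWS = """\
2021-07-28T02:14:07Z 203.0.113.45 10.20.1.15 5900 ALLOW
2021-07-28T02:14:09Z 10.10.5.3 10.20.1.15 5900 ALLOW
2021-07-28T02:15:30Z 198.51.100.7 10.20.4.2 3389 DENY
2021-07-28T02:16:12Z 10.20.1.20 10.20.1.15 502 ALLOW
2021-07-28T02:17:44Z 10.30.8.9 10.20.1.15 5901 ALLOW
truncated record
"""

def in_any(addr, networks):
    return any(addr in net for net in networks)

def find_unapproved_remote_access(flow_text):
    findings = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of failing the whole audit
        timestamp, src, dst, port, action = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            service = REMOTE_ACCESS_PORTS.get(int(port))
        except ValueError:
            continue
        if service is None or not in_any(dst_ip, OT_NETWORKS):
            continue  # not a remote-access service on an OT asset
        if in_any(src_ip, APPROVED_SOURCES):
            continue  # expected path through the jump hosts
        if action != "ALLOW":
            severity = "blocked"   # denied by the firewall, still worth tracking
        elif in_any(src_ip, INTERNAL_NETWORKS):
            severity = "review"    # internal host bypassing the jump hosts
        else:
            severity = "critical"  # OT remote access reachable from outside
        findings.append({"time": timestamp, "source": src, "target": dst,
                         "service": service, "severity": severity})
    return findings

if __name__ == "__main__":
    print(*find_unapproved_remote_access(SAMPLE_FLOWS), sep="\n")
```

On the sample records, the externally sourced VNC session that the firewall allowed is the one rated critical; the internal Modbus flow on port 502 is ignored because it is not a remote-access service.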

Implementing operational technology cybersecurity best practices is only part of your arsenal against OT attacks. Make sure that your organization’s cybersecurity awareness training dedicates at least a section to OT security. Employees are sometimes the first line of defense against OT threats, so it makes good strategic sense to equip them with as much OT security knowledge as possible.


Securing operational technology 

Recently, a cybersecurity firm released a report detailing the rise of low sophistication OT attack activity on a level that has never been observed before. These OT threat actors leverage TTPs, online hacktivist tutorials, and the success of others to impact OT systems in critical infrastructure and low-impact environments such as home surveillance systems. These incidents affect OT systems connected to the public-facing internet, reinforcing the need for best practices coupled with OT security awareness training.

 

Sources

Crimes of Opportunity: Increasing Frequency of Low Sophistication Operational Technology Compromises. FireEye Threat Research Blog.

Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.