Industrial control systems cyber threats and the Gulf region Part 1

Protecting the Gulf region.

---

The evolution of targeted attacks against critical infrastructure in recent times sends a clear message to asset owners and operators. In industrial control systems (ICS) – water management, oil and gas refineries and distribution operations, and power grids, etc – modern adversaries have illustrated brazen steps to defeat traditional security controls and have impacts to safety and engineering reliability. Today, proactive control system cyber defence requires dedicated ICS security teams with engineering knowledge to preserve the safety of ICS and operational technology (OT) operations.

With my firm, ICS Defense Force, I perform ICS security assessments, incident response tasks and incident response tabletops across multiple critical infrastructure sectors, globally. It is important to describe my practical field work in this context. It allows me to meet with security teams, engineering staff and those leading the charge of cyber security risk management and defence, including the decision-makers, who are seeking technical solutions and tactical training to address their identified cyber security challenges.

Recent threat landscape analysis for the Gulf Cooperative Council (GCC) indicates attacks against critical infrastructure are increasing in volume and sophistication. Critical infrastructure adversaries and cyber criminals alike are exploiting both ICS and IT environments to achieve malicious goals with impacts to the safety and engineering operations.

The oil and gas and energy sectors specifically present valuable targets to modern advanced persistent threats (APTs), which are active and continue adjusting attack tradecraft to infiltrate multiple types of facilities and evade detection. Adversaries targeting facilities operating in GCC, in all energy sectors – electric, oil and gas and related supply chain providers for equipment and software – are at increased risk than in prior years. Adversaries consider cyber attacks against critical infrastructure a legitimate component of warfare.

For example, industrial cyber incidents from active adversary groups target oil and gas operations across upstream, midstream and downstream operations. Their purpose appears to have consequences ranging from disruptive to destructive incidents, including potential personal safety and environmental impacts.(1) This is evident with the discovered ICS targeted malware TRISIS/TRITON against oil and gas safety systems.(2)

Additionally, there has been a global increase of ransomware events against ICS environments, with no sign of slowing down. Ransomware impacting IT support services can also impact the ICS operations if the organisation does not have suitable network segmentation in place to protect engineering networks from IT and the internet. An example is the Colonial Pipeline(3) incident in oil and gas, where other adversary groups are learning from such events to adapt and strengthen their own attack techniques. As well, ICS-specific ransomware has been discovered in the form of EKANS.(4)

(1) https://www.dragos.com/industries/oil-gas-industrial-cybersecurity/

(2) https://en.wikipedia.org/wiki/Triton_(malware)

(3) https://en.wikipedia.org/wiki/Colonial_Pipeline_ransomware_attack

(4) https://attack.mitre.org/software/S0605/

Threat intelligence reveals critical infrastructure could be at increased unnecessary risk of cyber incidents with impacts if the following scenarios are present, but other gaps exist.

1. Lack of ICS/OT network visibility – ICS network visibility is a critical requirement for any ICS facility today. That is, specific ICS-protocol aware network intrusion detection systems deployed to monitor and alert on anonymous engineering commands and protocols.
2. Dual-homed assets between ICS and IT networks – Connections between IT networks and ICS networks are a major concern for owners and operations as it presents a pathway from commonly targeted IT environments into critical engineering systems.
3. Lack of multi-factor authentication for remote access – Multi-factor authentication is a best practice that strengthens remote access authentication. However, remote access has several other controls that must be in place, including but not limited to proper network access control and monitoring.
4. Limited logging enabled and monitoring for engineering systems – Legacy engineering assets may have logging disabled by default or assets may not be configured to log security events, or important engineering events such as logic updates.
5. Unprotected end of life operating systems, engineering hardware – Legacy systems require additional ICS-specific security controls, processes and mitigations to protect the safety and reliability of operations. 

According to the recent SANS 2023 ICS/OT Cybersecurity Survey data, only 52%(5) of ICS facilities have an ICS/OT-specific incident response plan that is documented, tested using engineering driven tabletop exercises, and is kept up to date. Seventeen percent are unsure whether they have such a dedicated ICS incident response plan. What’s critical to understand is this is not your IT incident response plan. “Copying and pasting” IT security controls into an ICS/OT facility’s incident response plan will not work. In fact, this approach is likely to cause serious unintended or disastrous consequences to safety and engineering operations

Planning is crucial.

---

It is imperative top facility leadership and engineering teams know the differences between traditional IT security and industrial control system security. ICS/OT assets are often incorrectly compared to traditional IT assets. Traditional IT assets focus on data at rest or data in transit, user data and user applications, whereas ICS/OT are engineering assets, equipment that focus on real-time systems for physical input values and controlled output physical action that have an effect in the real-world. It is this primary difference between IT and ICS/OT that drive differing cyber security design, security assessment approaches, risk surface understanding, safety, strategy, support, cyber tactical defence and industrial incident response practices. “Standard cyber incident remediation actions deployed in IT business systems may result in ineffective and even disastrous results when applied to ICS cyber incidents, if prior thought and planning specific to operational ICS is not done.”(6)

5. https://www.sans.org/white-papers/ics-ot-cybersecurity-survey-2023s-challenges-tomorrows-defenses/

6. www.cisa.gov/uscert/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf

Those responsible for ICS/OT cyber security and infrastructure defence can position their facility to meet best practices by having an engineering-driven ICS-specific incident response plan. They can regularly exercise that plan by running ICS tabletops facilitated by ICS experts with realistic scenarios derived from sector specific threat intelligence. Ensure all the right teams are included.

Tactical practitioners working on the frontlines to defend engineering operations should embrace the fact that IT and ICS/OT are different. Discover what can be adapted from IT security to actively respond to ICS-specific threats using ICS-specific controls, technologies and processes, while prioritising safety first. Realise that ICS security is not a “copy and paste” of IT security into the ICS. In many cases, what works for IT will cause disruptive or disastrous consequences if applied to ICS.

I am very fortunate to be strengthening the SANS relationships in the region with senior leadership, decision-makers, engineering and security staff. I was recently in Dubai at the SANS EMEA Gulf Region event in November, teaching both ICS515 and ICS418, meeting great people from the local sectors in oil and gas, energy and manufacturing. It was fantastic being in-person delivering best-in-class practical risk management to leadership teams and hands-on tactical ICS cyber security training to those in day-to-day operations.

Teaching in Dubai at the SANS EMEA Gulf Region event in November 2023.

---

During the break and networking sessions, it gave us a wonderful opportunity to share experiences and assistance to facilities to help address some of the ICS/OT cyber security challenges they have today.

Teaching students in the Gulf region how to protect ICS systems using the ICS515 included student PLC hardware kit.

---

The SANS course, ICS515: ICS Visibility, Detection and Response, meets several modern ICS security challenges head-on. ICS515 teaches students how to perform tactical ICS incident response by leveraging hands-on labs. Labs include assembling and running a programmable logic controller (PLC) like you’d see on a plant floor. Students keep the PLC kit for continued learning after class is over. Students from IT, ICS, engineering, etc, will detect and defend against threats in several realistic ICS environments.

It’s critical for critical infrastructure owners and operators to ensure they have their teams attend, complete and be certified in ICS-specific security training, in order to defend against the latest threat groups that mean to cause disruption, downtime and safety impacts.

On behalf of myself and the EMEA team, thank you for taking the time to review this important topic as it relates to the protection of critical systems in the Gulf region. We look forward to seeing you all at our regional SANS training events! Stay tuned for additional ICS blogs in this series in a dedicated effort to provide actionable information to protect critical infrastructure in this region.

Be safe from industrial incidents!

For more information about SANS, please see here.