powered by world-leading cybersecurity research team

Cryptomining in ICS

New technology now allows operators of industrial infrastructure such as oil and gas platforms, mine sites, manufacturing plants and utilities to have remote visibility and control over their production processes.  The disadvantage of this new technology is that it provides avenues for cybercriminals to exploit.  Therefore, advanced cyber security techniques are required to ensure the operating environment remains safe and secure from malicious actors who are always innovating to achieve their aims.

This article discusses a new technique that normally would not be associated with cyber-crime called ‘Cryptomining’.

Cryptomining

The advent of blockchain technology allowed for the creation of the first decentralised virtual currency, Bitcoin. This was the first of many virtual currencies that could be ‘mined’ by a computer through the process of verifying cryptographic chains.

The use of technology has grown exponentially over the last few years. It allows a miner to compete with other crypto miners to solve complicated mathematical problems with cryptographic hash functions that are associated with a block containing the transaction data.  The reward for cracking the code is the authorisation of the transaction and a small amount of cryptocurrency.

Cybercriminals are capitalising on the rise of crypto mining, and the integration of industrial technology with the internet.

These malicious actors are starting to recognise the value in utilising the processing power of these operating systems as a method for mining cryptocurrency.

ICS targeted by crypto miners

The technology has resulted in ‘Cryptojacking attacks’ where the intent is to consume compute cycles within the target control system to perform the crypto mining activity.  The goal for this type of attack isn’t to steal or take control of the infrastructure but to consume a small amount of computer power on the system to generate cryptocurrency. This can result in performance degradation of the system.  The payload of this type of attack has been found to be delivered in malware that is becoming increasingly widespread.

Potential impact

Some would argue that actors targeting processing power, rather than company bank accounts or confidential data, are a lesser threat to an organisation.

However, the impact on a company’s systems can be both financially and physically disastrous.

All computing devices, from an employee’s laptop to an interface controlling air flow into a mine, are capable of a certain amount of processing based on their hardware specifications. In operational technology, these capabilities are only enough for the device to function correctly and allow for it to deal with minor failures. If the device does not have the adequate processing power, it will cease to function as expected, instructions given to the system will be ignored, and a manual reboot or complete replacement will be necessary. Cryptomining does exactly this. Cryptomining technology accesses processing power of a device and utilises that power to perform its mining function.

Hopefully, the targeted device is a regularly used machine and the slow down or failure of its function will be recognised by an operator, and processing will be stopped to fix it. This ‘best case scenario’ results in costs associated with stopping all systems associated with, and replacing or fixing, the compromised device. However, the infected machine could be part of a safety or redundancy system that is only used in an emergency. Only when it is needed will the system fail, resulting in potentially catastrophic physical damage or loss of life.

A secondary consequence is the bandwidth usage of cryptocurrency mining operations. Cryptomining software will regularly be in contact with its Command and Control (C2) server, creating high levels of data traffic that adds greater stress to operational technology communications infrastructure.

PROTECTING ASSETS

Traditional cyber security practices, such as the use of anti-virus software and firewalls, are a good start for the protection of an industrial network’s perimeter. However, the innovation of recent cyber attacks expresses the importance of a solution that is resilient and adaptable.

Cryptomining software and data traffic can often go undetected by common malware signature databases and firewall rulesets.

ICS specific detection solutions provide visibility of what and how devices in a network are communicating. These solutions often raise alerts based on the anomalous behaviour of devices. Sudden higher traffic levels from a device will lead to an immediate investigation. If a safety redundancy device is consistently operating, network visibility allows for actionable intelligence to immediately address the issue.

Passive network monitoring solutions provide insights and visibility against malicious crypto mining activities, with minimal impact on network bandwidth.

 

Honeypot technology

There is a growing importance placed on detection technologies in both threat research and damage mitigation. In every war, intelligence is of the utmost importance for deployment of resources and exploitation of an adversary. The cyber battlefield is no different, as discovery and understanding of the enemies’ avenue for attack is the best method for preventing damage to an organisation.

The adversary is also changing, from opportunistic broad-spectrum attacks to more targeted, developed threats.

In the cybersecurity arena, forensic analysis is the process of deconstructing an attack’s exploitation, transmission vector and payload to determine exactly how and, if possible, why a system was compromised. It is important for evaluating a networks’ vulnerability, creating defences against attacks, as well as predicting how potential attacks may operate.

What is a honeypot?

A ‘honeypot’ in cybersecurity describes an apparently vulnerable network device with the capacity to covertly monitor and record attacks against it. The honeypot is set up to appear enticing and legitimate to an attacker, without actually compromising important data if attacked.

What is its purpose?

A honeypot can capture the attack methodology, attack signature, information on targeted systems, network vulnerabilities and, potentially, information on the attacker. This intelligence allows the cybersecurity industry to be more adept at detection of current attacks and prevention of future attacks. Attack signatures can be added to intrusion databases, a methodology can be dissected and understood in order to develop defence strategies, and vulnerabilities can be exposed and patched before they can be exploited. A greater understanding of a cyber adversary is also integral to the ability of the cybersecurity industry to evolve and adapt.

Awareness of the motives of attackers creates a great advantage for security professionals to predict how the cyber threat landscape is developing, and allow for pre-emptive countermeasures to be deployed.

Malicious actors are aware of the existence and purpose of honeypots and are constantly wary of being trapped. Therefore, effective honeypot deployment involves making the device look as real as possible. This includes protecting the device with proper security technology and having the device retain data and traffic that appears legitimate. However, in order to protect legitimate data, these honeypots are often located outside of the company’s secure network, in a fake network or ‘Demilitarised Zone’ (DMZ).

Honeypots in Active Defence

Honeypots are increasingly being adopted by operators who are seeking to strengthen their cybersecurity regime using countermeasure technology.  The devices provide the opportunity to observe the actions of an attacker and build an understanding of the tactics, techniques and procedure being used against systems or facilities.  A well-implemented honeypot deployment can provide the following:

  • Highlight risks and assess the seriousness of a threat.
  • Provide impact assessments based on the observations of the activities of the threat.
  • Direct further investigative activities and allow for incident response planning.
  • Deliver specific Threat Intelligence to the organisation.
  • Act as a decoy to bolster defence systems.

Future Use of Honeypots

ICS systems will continue to be attacked, with potentially greater success, as new tools and easily accessible information becomes more widely available.

This will allow the technical knowledge, sophistication and new methodologies for attacks to develop over time.  Honeypots are a useful tool that can indicate malicious intent and methodologies to provide operators with the intelligence required to build a or strengthen the security posture of an organisation.

Cybersecurity principles for industrial environments

Industrial Control Systems (ICS) have traditionally been isolated from a company’s Information Technology (IT) infrastructure.

This inherent isolation essentially created an ‘air gap’ between the ICS and IT environments. Such a basic defence posture is now no longer effective due to the increased integration of ICS devices into the IT network.

Organisations rolling out extensive digitisation programs that use IT network technologies to enhance productivity, reduce costs and increase safety are now at risk of cyber-attack.

This integration of technologies now makes securing industrial control networks a major priority for organisations and governments, as vulnerabilities within this new technology are rapidly being identified and exploited.

There are several high-level principles that should be implemented to develop multiple layers of security, critical to ensuring the protection of assets:

Design

Ensure the design of the system and processes allow for suitable security measures to be implemented. As the intention with most system upgrades and installations generally involves maximising profits and increasing efficiency, security considerations can be hard to quantify, and are sometimes missed or left out of a design. Therefore, it is vital that cyber security is considered, from concept, to design, construction and implementation.

Management

Industrial Control Systems must allow for constant security assessments and updating. Many legacy systems will become vulnerable to a cyber-attack within its service lifetime and need the ability to be updated with the latest security features when needed.

Best Practice

Effective security measures can be simply achieved by educating the workforce and enforcing best practices throughout the organisation. The systems and actions used by personnel and technology must be constantly adjusted and refined to ensure protective measures are maintained against emerging threats.

Cyber-Risk Assessment

For many organisations, risk assessment is an integral process to the security and growth of a company. However, companies often lack human and technological resources to perform adequate cyber-risk evaluations. Risks associated with an organisation’s assets, technology or information should continually be reviewed and assessed against the current threat climate. This allows security measures to be implemented that protect against the most recent aggressive cyber incidents.

Transparency

By providing visibility of security information throughout an organisation the incident response teams can minimise any remediation time to an attack.

By communicating effectively, an organisation can minimise financial losses, physical damage and human safety impacts.

Limit Connectivity

Identify, secure and minimise all network connection to any industrial control systems and clearly understand the risks associated with systems requiring connectivity.

Sapien’s technology can be deployed at any stage of a facilities life cycle. It provides security monitoring in real time and delivers cyber defence based on thorough risk assessments of vulnerabilities and threats. Sapien develops its platform based on current threat intelligence empowering users with greater visibility in order to develop network resilience.

A look at the Triton attack

In December 2017, the world found out about a sophisticated attack on the control systems of an LNG plant, known as ‘TRITON’.

The attack caused the entire operation to shut down and is one of the many examples in recent years of malicious software designed specifically to target industrial equipment.

In the decade since the infamous Stuxnet malware destroyed many centrifuges of an Iranian uranium plant, numerous attacks against many critical infrastructure sectors have been discovered with the intent to cause damage and destruction.

This relatively new malware variant targeted the Triconex Safety Instrumented System, otherwise known as SIS controllers. These SIS controllers, made by Schneider Electric, operate on over 11,000 sites around the world, and are responsible for the automated emergency shutdown functions in the case of a situation which may threaten the safety and lives of plant personnel.

It is concerning that the Triton malware payload was deployed long after the attackers had gained in depth access to the plants network, with reports saying they had been sitting on the network for up to 9 months before the SIS controllers were reprogrammed. Given this attack was ultimately deemed to be unsuccessful due to a single coding error by the attackers, it does raise concerns about how much damage could be caused when an attack is successful.

Furthermore, Security Week reports that Triton malware is still active today and the group behind its creation have expanded their scope, now reaching far outside of the Middle East for their next target.

So how did the attack succeed and what can be done to stop it from happening again?

After the Triton attack was published, Schneider discovered a zero-day vulnerability in its Triconex SIS which enabled the cyber criminals to gain access to, and change, the programming of the SIS controllers. FireEye reports they found a Remote Access Trojan (RAT) in the Triton malware which they believe to be the first RAT ever known to have infected SIS equipment.

In addition, it appears that the remote access and remote control of the SIS devices was achieved because the physical key on the controllers was left in the ‘program’ state, thereby allowing the remote programming of the main controller and the subsequent re-programming of the SIS controllers that caused such damage.

In an Operational Technology (OT) network, the availability of systems, especially those relating to safety, is typically a top priority, taking precedence over protection of confidentiality and integrity. The problem for many industries operating large plants is the growing complexity of their networks and lack of network wide visibility across all of their systems.

Many understand a problem exists but simply don’t know where to start in creating risk management procedures, building network resilience and maintaining a secure network.

What is clear is that as attacks become more frequent, the likelihood of a catastrophic outcome increases also. Organisations need to take action now to ensure lives are not lost and they are not tomorrow’s headline.

Sapien offers a sophisticated solution to address the complexity found within commercial, industrial and government owned assets. Read more on how our system of systems’ design offers our clients unprecedented visibility across your enterprise network and a complete solution in identifying threats, preparing for new attacks, and shielding your systems from advanced cyber criminals.

The strategic value of Australian Universities to cyber criminals and nation state actors

The cybersecurity practices of Australian universities are in the spotlight after the recent significant breach of Australian National University’s (ANU) IT systems.

The FBI has published that up to 26 Australian universities were targeted in a sustained hacking campaign between 2013-2017, believed to have been funded by the Iranian government.

Such attacks are proof of the value placed by cyber criminals and other nation states on intellectual property, business data, social data, and private information held by Australian universities. Key examples include the personal information and financial records of students and the valuable intellectual property being generated every day. The value of this information will continue to increase as today’s students become tomorrow’s leaders, politicians or employees of government, business and security bodies.

Underpinning the university’s role as a supplier of education is a complex network of systems, critical in the operation of facilities and continued provision of services for their student cohort (on-campus and online).

In addition to the growth of the attack surface for universities is the growing complexity of their networks, now often stretching across multiple campuses, both nationally and internationally.

With this increasing complexity comes a reduced capacity to achieve and maintain network wide visibility, detect a network compromise and respond in a timely manner. To make matters worse, institutions are often operating with limited human and technological resources attributed to cyber defence.

Universities must also contend with a multitude of vulnerabilities inherent with the provision of teaching and research services to their students and staff. Students and staff bring their own laptops and mobile devices onto campus and remote network access is a necessity for individuals from across the globe.

Each device, every connection, is a vulnerability that can be exploited to gain access to critical systems and information elsewhere on the network.

The risk for a university is unlike a public company, which has the resources to ensure the latest patches and anti-malware are installed on devices accessing their network. Universities operate on different rules and simply don’t have the authority to control applications or devices that connect to its networks from student and staff devices.

For the university sector both nationally and internationally, it is clear the exposure to cyber risk needs to be carefully managed to protect the safety and productivity of university operations, whilst also facilitating confidence in future projects and efforts to expand a university’s digital commitment.

If you want to learn about the Sapien solution to provide both enterprise wide network visibility and advanced threat detection that is already helping an Australian university to protect its network read more here.

Threats to our critical assets are real: just how vulnerable are we and what should we be doing?

In 2016, a water treatment plant in the US was the victim of a sophisticated and methodical attack, where cyber criminals remotely took control over the treatment process and threatened to poison households.

In 2017, the Triton malware attack caused a complete shutdown of an LNG plant in the Middle East. In Australia, recent reports have highlighted just how vulnerable systems that provide water to homes in Queensland are. The Australian Energy Market Operator (AEMO) is now delivering additional cyber security controls to protect the nation’s electricity infrastructure.

Ernst & Young has listed cyber-attacks as the single largest threat to the world’s power and electricity companies and Siemens has reinforced this statement by saying that 30% of all cyber-attacks globally now specifically target Operational Technology (OT) systems.

These serious threats to critical infrastructure garner a lot of attention, but just how vulnerable is our day-to-day lifestyle? Are we even at risk of physical harm?

What many people do not realise is that the majority of the control systems operating critical infrastructure, not only here in Australia but also globally, were designed and installed in a time when the word ‘security’ meant locking a door or padlocking a gate. This ‘physical security’ prevented unauthorised access to operating systems and safety controls. Now, with the advent of greater communications technology, these systems are being connected to the ever growing ‘internet of things’. These changes help deliver increased productivity and safety to an industrial environment. However, security must adapt in tandem to address implications associated with being an online and remotely accessible system.

Australia’s geographic remoteness is no longer an advantage in terms of security, as the interconnection of devices means that our critical assets are only 32 milliseconds from any computer, anywhere on the planet.

In addition to the vulnerability of these anachronistic critical systems is the fact that the attack surface for these assets is growing rapidly. The list of attackers is diverse, with cyber attacks no longer just the hobby of ‘script kiddies’. Now, industrial cyber attacks are a business for criminal syndicates and a new frontier of espionage and disruption for nation states to utilise.

The attack methods themselves are also becoming more advanced as new malware is being designed specifically to target the OT systems responsible for the water to our taps, the gas to our hotplates and the electricity to our lights. Criminal and nation state threats have greater understanding of industrial network protocols, redundancy systems and operational procedures than ever before, nullifying the protection we once called ‘security by obscurity’.

This problem will not go away and it can no longer be ignored by organisations and government departments who operate our critical assets.

Perhaps the best course of action is a proactive one, best summed up by former Australian Prime Minister Malcolm Turnbull, who at the recent launch of the Australian Cyber Security Centre said;

“We must not and will not wait for a catastrophic cyber incident before we act to prevent future attacks.”

Sapien Cyber is here to help. Read more about our sophisticated solution developed here in Australia.