Building a Resilient World:

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

All Posts

Cyber Threat Intelligence in ICS Sectors: Context is Everything

This blog is the second in a three-part series defining Cyber Threat Intelligence (CTI). The first part explained the concepts of CTI, including its history, emergence, and challenges. The third part covered recent activity in Dragos Threat Groups.

Cyber Threat Intelligence (CTI) in Operational Technology (OT) relies heavily upon context to detect, describe, and mitigate threats, as threats differ across industry verticals. The combination of a defense in depth (DiD) posture for a given infrastructure, the components used in that infrastructure, and the systems comprising the Information Technology (IT) and OT infrastructures, help to determine this context.

The DiD is an approach to cybersecurity in which a series of defensive mechanisms are layered on top of each other to protect valuable information on a network. In this scenario, if one mechanism fails, another steps up immediately to stop the attack. The Diamond Model is a useful tool that organizations commonly use to respond to incidents quickly and efficiently. In this blog, we present a case study example of an applied CTI to illustrate how threat detection and mitigation works. This blog refers to methodologies and terms that are important to OT cybersecurity with links to definitions and further resources on each.

A Brief Example: Electric Power Transmission Industry; Impact: High

Several public utilities were compromised in the past year using spear phishing emails. The emails contained a malicious Word document that successfully exploited a Microsoft vulnerability, MS08-067, on unpatched workstations. This created a worm that started spreading through the network via SMBv1, looking to cross network segments. SMBv1 is an older version of the Server Message Block protocol Windows uses for file sharing on a local network, which is still found in many networks. The worm actively looks for historian applications and other evidence of operational networks involved in electric power transmission. Once the worm discovers an operational network, it contacts a command-and-control server at an adversary-controlled internet host x, via HTTPS, registering the victim with the adversary. The adversary would then use the worm’s remote access capabilities to access the network and use local PowerShell resources to begin further internal reconnaissance and targeting.

In this attack, Dragos assessed with high confidence that the adversary was in the process of Stage 1 of the ICS Cyber Kill Chain—information gathering prior to developing or deploying capabilities to disrupt electric power transmission. A Cyber Kill Chain, which was developed from the military kill chain concept, reveals the phases of a cyber-attack from early reconnaissance to the goal of data exfiltration.

Threat Intelligence Action

Dragos gave defenders the context and action recommendations to mitigate and prevent further instances of the threat. Threat intelligence provides the technical and policy recommendations customized for and based on the context of the threat. Actions sourced from threat intelligence recommendations typically include

  • Detective guidance such as technical indicators or signatures of the activity to help identify the breaches in an environment
  • Policy guidance to protect the organization from a potential disruption, hopefully leading to threat prevention
  • Detailed threat behavior to enable hunting for similar behavior
  • Data collection suggestions to support effective detection
  • Threat scope and impact details supporting risk-based strategic decision-making

Indicators of compromise (IOCs) are technical elements of information used to enable threat detection, and they include IP addresses, domain names, file names, file hashes, etc. Security Incident and Event Management (SIEM) tools use these to trigger alerts for security operations centers. In a similar manner, Threat Behavior Analytics identify system or user actions indicating suspicious or malicious activity. These analytics detect adversary tradecraft (trained behaviors) and can provide contextual knowledge of an environment such as assets or users. Behavioral analytics drive the cost of ownership lower due to better false-positive and true-positive rates, which can be aa challenge based on current machine-learning or anomaly-based approaches.

Next, we will provide an example of a threat intelligence actions, where we mitigate the threats described above. 

  • Detect and mitigate any inbound or outbound traffic associated with IP address x.x.x.x between 10th and 30th of July
  • Patch MS08-067 across the enterprise to prevent initial compromise
  • Prevent SMBv1 communication between IT and OT networks to prevent spread of the worm
  • Monitor all PowerShell behaviors and disable where necessary
  • Prioritize this threat due to high impact of adversary actions

ICS vs. IT Threat Intelligence 

Operational networks share some of the same cybersecurity approaches of enterprise IT networks, however, they are not the same. Most notably, Industrial Control System (ICS) threat intelligence considers a much different set of impacts and consequences from successful adversary breaches. ICS threat intelligence falls into the following three categories

  • Interested Adversaries: Intelligence on activities of adversaries known to have an interest in control systems
  • Direct ICS Impact: Intelligence on threats directly affecting the operation of industrial control systems
  • Indirect ICS Impact: Intelligence on threats not associated with industrial control systems but that have a high likelihood of disrupting their operation.

Some Final Thoughts

The roles of Network Operations Centers, Security Operations Centers, and a comprehensive understanding of assets in the organization (asset management) all play a critical role in CTI and Threat Intelligence Action. Some important tools used in threat intelligence include: The MITRE ATT&CK framework for both enterprise and ICS; and the ICS Cyber Kill Chain. Threat intelligence alone cannot protect critical assets, but instead complements every component of cybersecurity best practice: Detect, respond, and prevent. Threat intelligence, when appropriately used, will greatly reduce the harm and attack surfaces for an organization.

Dr. Tom Winston
Dr. Tom Winston
Dr. Tom Winston is a director of intelligence content for Dragos. Tom has over 25 years of professional experience in many areas to include cybersecurity, ICS/SCADA systems, Critical Infrastructure protection, academics as well as systems and network engineering. He joined Dragos after serving for several years as a professor of cybersecurity engineering at George Mason University. Prior to that Tom served in a 15 year-long career at the CIA as an operations, digital forensics, and ICS/SCADA expert. His experience focused on threats to critical infrastructure (ICS/SCADA) systems, as well as foreign cyber intelligence and threat analysis. Tom has extensive experience in mobile device, removable/fixed media digital forensics, as well and has visited over 30 countries worldwide, and speaks over a dozen foreign languages.

Related Posts

Experience Centers Teach Cybersecurity Best Practices

The adoption of Industry 4.0 technologies is increasing efficiency and profitability across industrial co...
Luis Narvaez May 24, 2022 5:30:00 AM

Why Network Discovery is Critical in the ICS/IACS Environment

Securing operational technology (OT) networks requires a great deal of thought when designing and impleme...
Achal Lekhi May 17, 2022 5:30:00 AM

Securing Industry 4.0

As we head into the Industry 4.0 era—where connected Internet of Things (IoT) devices and automation will...
David Nosibor May 10, 2022 5:30:00 AM