Risk assessments and mitigation are commonplace activities in the manufacturing environment, but as the number and type of cyberattacks increase in all industries, and connectivity continues to increase between information technology (IT) and operational technology (OT), it is necessary to take a practical, targeted approach to cybersecurity risk management of smart manufacturing and Industrial Internet of Things (IIoT) systems. The industrial control system (ICS) adversarial tactics, techniques, and common knowledge (ATT&CK) framework presents the information in matrices arranged by attack stages, from initial system access to data theft or machine control.
The tactics, techniques, and procedures (TTPs) describe patterns of activities associated with a specific threat actor or group of threat actors. By using the ATT&CK framework within a risk assessment process, organizations can identify risks and associate them to TTPs that adversaries are actually using today. This, in turn, helps identify the specific changes that can be made to the systems and network environment to disrupt those attacks and significantly reduce the OT environment’s risk level.
The MITRE Corporation’s federally funded cybersecurity R&D center helps to provide the nation’s business infrastructure with effective and practical cybersecurity architectures and solutions. The ICS ATT&CK matrix is a knowledge base of adversary actions that focuses on adversaries whose goal is disrupting ICSs. This open-sourced/community-driven knowledge base is accessible here.
In the ICS ATT&CK matrix, disruptive tactics are mapped against mitigation techniques to give manufacturers practical actions to help prevent each type of threat. Information is also provided about adversary groups. Experts should know how to use the ATT&CK framework to create a roadmap that prioritizes mitigating the largest risks to an organization’s smart manufacturing and IIoT systems.
Applying ATT&CK to risk management
Applying ICS ATT&CK to risk management involves identifying cybersecurity risks, determining the potential effect and likelihood of risk occurrence, and then determining the best way to deal with each risk with the resources available. Assessing this information helps manufacturers deploy the most efficient, cost-effective risk control and mitigation strategy and controls in a targeted way to reduce the most likely or highest-impact cybersecurity risks first.
In the typical risk assessment methodology, an estimate of risk probability is required. Unfortunately, there is no simple yet consistently accurate way to measure probability (likelihood of risk occurrence). Rather than relying on elaborate mathematical models or falling back on a guesstimate approach, ICS ATT&CK is a more practical approach. Some aspects of this include looking at localized data relevant to the specific environment. Risk assessment is more about prioritization than probability, so it is important to evaluate local attack vectors. It is also important to use facts and measurable data applicable to the facility’s configuration and assets to estimate business impact rather than guessing or generalizing.
However, for a risk assessment to be effective, it is important for manufacturers to have a complete understanding of the assets involved in their industrial control systems and the network topology in manufacturing areas. Legacy equipment, security patches applied or lacking, and connectivity to business systems with more threat exposure must all be considered when evaluating cybersecurity risk. Typical steps involved with threat modeling and risk management are shown in the diagram figure 1.
Practical approaches to preventing cyberattack
The use cases of the ICS ATT&CK model assume that a breach will occur; thus planning and performing preventive maintenance is required to fortify an enterprise’s perimeter and internal network to mitigate an attack. Proactive maintenance is always less costly than reacting after the fact, when time is of the essence and additional action may be needed to undo the damage caused by an intrusion. Risk assessment typically consists of three phases.
Phase 1 – Gather information on systems environment
System owners should evaluate the smart manufacturing and IIoT system assets as well as the ICS environment as a whole, including links to networks outside of manufacturing; software/firmware installed on each workstation, controller, or other equipment; and user permissions, with consideration for other factors such as corporate expansion plans or equipment upgrades. Figure 2 is an example presenting simplified findings of phase 1.
Figure 2Phase 2 – Create IIoT system attack tree using ICS ATT&CK framework
Define the risks for each piece of equipment and identify and prioritize appropriate mitigation techniques. An example is an insecure network architecture with no security policies between the IT/OT zone and no industrial demilitarized zone (IDMZ). After analyzing the network, one attack tree may be a malicious USB connected at the enterprise network. Based on the flat network topology, the USB installs malware with the intent of gaining remote access to an engineering workstation (EWS). Once remote access is gained to the EWS, the adversary can use the manufacturing execution system (MES) software already installed to impair the facility’s process or attack the business’ ERP system.
Phase 3 – Plan creation
Based on the findings of phases 1 and 2, ICS cybersecurity practitioners can calculate asset risk and identify the cybersecurity gaps that may allow unwanted adversarial activity. Using this information, they can create roadmaps prioritizing these risks while also visually modeling risk mitigation once these risk mitigation activities have been performed.
Realizing efficiencies
Many times, system owners have the opportunity to implement security enhancements in conjunction with other activities requiring planned system downtime. This minimizes the impact on production and of course is preferable to an unplanned shutdown caused by a cyberattack.
By incorporating security enhancements at the same time as system design changes, the security aspects of the system can be validated along with the rest of the system. System owners can also help ensure that any system expansions or improvements are planned and designed with cyberattack prevention in mind via defining minimum security requirements across the enterprise.
Enterprise-level considerations
Most security breaches are the result of intrusions or malicious attacks on the corporate side of the enterprise. In the past, networked manufacturing systems and equipment were separate from the rest of the enterprise and the outside world, and only communicated with each other. But with the advent of smart manufacturing and IIoT systems such as MES, digital twins, and overall equipment effectiveness implementations, there is greater connectivity between the enterprise network and the manufacturing network. Though this improves efficiency and allows for better planning, it also allows more opportunities for intrusions, malware, and successful phishing attacks, and allows malware to spread to the production floor with potentially catastrophic results. A critical component for managing this connectivity is an industrial demilitarized zone to carefully control traffic between the industrial and enterprise zones.
The rapid adoption of the IIoT also has the potential to allow intrusion, as more and more devices are networked, often with inconsistent implementation without enough security measures. As the IIoT is increasingly adopted, it will increase the vulnerability of the control system network if robust security practices are not rigorously followed. Cloud-based tools and systems also pose new risks that increase the attack surface.
When a system owner performs a risk assessment and mitigation plan using the ATT&CK model, system assets should be classified based on criticality, not only from a manufacturing process perspective, but also from the perspective of the potential environmental, safety, and regulatory impacts from a security breach. For smart manufacturing and IIoT system breaches, which affect both the IT and OT environments, the stakes are higher.
The ICS ATT&CK model is not a standard but provides a framework of known activities attempted by cybersecurity adversaries. It defines how adversaries have successfully attacked ICSs, such as smart manufacturing and IIoT systems and provides the mitigation steps to take for each type of known attack. System owners can then line up the mitigations with the standards applicable to each area for an industry-compliant mitigation. Approaches may be guided by closely following ISA-99 and IEC 62433.
What’s coming next for defending IIoT systems?
MITRE ATT&CK provides an effective approach to understand risk and prioritize the security controls to protect smart manufacturing and IIoT systems. Baked into the framework are TTPs that can be applied to IIoT systems, such as initial access through Internet-accessible devices, execution through API, and exploitation of remote services. However, smart manufacturing and IIoT systems still pose unique challenges compared to traditional ICS security.
For this reason, experts and standard bodies are exploring ways to provide guidance for applying cybersecurity standards to these systems. For example, ISA99 recently communicated preliminary plans for adding standards to the IEC 62443 series dedicated to IIoT. In the future, we may see a consensus-driven answer to the question of how to apply cybersecurity standards to these systems.
MITRE is also exploring modifications to its framework to address the IT-OT combination of technologies that comprise smart manufacturing and IIoT systems. For example, articles and discussion are being had regarding a hybrid ATT&CK matrix visualization that combines ATT&CK for ICS and represents the IT portions of ICS attacks in ATT&CK for Enterprise. If a hybrid matrix provides value in tracking attack pathways and effective mitigation measures, it could become a preferred approach for applying ATT&CK to smart manufacturing and IIoT systems.
This blog has been repurposed from InTech.
