ICS Threat Activity on the Rise in Manufacturing Sector
By Dragos Team
November 16, 2020
Dragos is pleased to announce the release of the Manufacturing Sector Cyber Threat Perspective, a comprehensive analysis of recent observations of ICS-targeting threats to manufacturing organizations along with practical defensive recommendations. This article touches on highlights from the November 2020 report, which is available for download in its entirety here.
Cyber risk is increasing
Cyber risk to the manufacturing sector is increasing, led by disruptive cyberattacks impacting industrial processes, intrusions enabling information gathering and process information theft, and new activity from Industrial Control Systems (ICS)-targeting adversaries. Dragos currently publicly tracks five ICS-focused activity groups targeting manufacturing: CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE, and XENOTIME in addition to various ransomware activities capable of disrupting operations.
Dragos has not observed ICS-specific malware targeting manufacturing operations on the same scale or sophistication as that used in the disruptive TRISIS and CRASHOVERRIDE malware attacks that targeted energy operations in Saudi Arabia and Ukraine, respectively. However, known and ongoing threats to manufacturing can have both direct and indirect impacts to operations. This article will discuss the following topics:
Activity groups targeting or demonstrating interest in manufacturing entities
CHRYSENE targets petrochemical, oil and gas, manufacturing, and electric generation sectors. Targeting has expanded beyond the group’s initial focus on the Persian Gulf region, and the group remains active in more than one area.
MAGNALLIUM has targeted energy, aerospace, and supporting entities since at least 2013. The activity group initially targeted firms based in Saudi Arabia but expanded targeting to include entities in Europe and North America, including U.S. electric utilities. MAGNALLIUM lacks an ICS-specific capability, but the group remains focused on initial IT intrusions.
PARISITE, operating since 2017, targets electric utilities, aerospace, manufacturing, oil and gas entities, and government and non-governmental organizations. Its geographic targeting includes North America, Europe, and the Middle East.
WASSONITE targets electric generation, nuclear energy, manufacturing, and research entities in India, and likely South Korea and Japan. The group’s operations rely on DTrack malware, credential capture tools, and system tools for lateral movement. WASSONITE has operated since at least 2018.
XENOTIME is known for its TRISIS attack that caused disruption at an oil and gas facility in Saudi Arabia in August 2017. In 2018, XENOTIME activity expanded to include electric utilities in North America and the Asia-Pacific region; oil and gas companies in Europe, the United States (U.S.), Australia, and the Middle East. Expanded activity also includes control system devices beyond the Triconex controllers targeted in the 2017 incident. This group compromised several ICS vendors and manufacturers, posing a potential supply chain threat. Links: Temp.Veles
Currently two activity groups, XENOTIME and ELECTRUM, have demonstrated the ability to interact with and disrupt operations with malware specifically targeting ICS processes: TRISIS and CRASHOVERRIDE malware respectively. Although Dragos has not observed either malware family disrupting manufacturing operations, it is possible these adversaries will target manufacturing companies in the process of developing such malware, even if they are not the ultimate target.
Vulnerabilities in ICS-specific devices and services can introduce risk to the manufacturing environment. As of October 2020, Dragos researchers assessed and validated 108 advisories containing 262 vulnerabilities impacting industrial equipment found in manufacturing environments. Dragos found that almost half of the advisories described a vulnerability that could cause a loss of view and/or loss of control within a compromised environment.
Of the vulnerabilities assessed by Dragos impacting manufacturing industrial equipment, 70 percent require access to the victim network to exploit, 26 percent require an adversary to have access to the vulnerable device itself, and 8 percent require an adversary to be on the local area network to facilitate exploitation. Asset owners and operators are encouraged to be aware of the threat these vulnerabilities pose to manufacturing operations. A loss of view or control, for instance, may cause safety concerns and potentially put workers’ lives or the environment at risk.
The most common threat to manufacturing is ransomware. Dragos observed a significant rise in the number of non-public and public ransomware events that have affected ICS environments and operations over the last two years. This year, Dragos identified multiple ransomware strains adopting ICS-aware functionality, including the ability to “kill” (i.e., stop) industrial processes if identified in the environment, with activity dating back to 2019. EKANS, Megacortex, and Clop are just a few ransomware strains that contain this type of code. EKANS and other ICS-aware ransomware represent a unique and specific risk to industrial operations not previously observed in ransomware operations.
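The “kill” behaviour described above leaves an observable trace on the host: one process terminating several industrial processes in a short burst. The following detection logic is an added example written for this article, not Dragos tooling; the watchlist names, hostnames and Sysmon-style event records are all constructed placeholders, and an asset owner would substitute the process inventory of their own HMIs, historians and engineering workstations.

```python
"""Detect ICS-aware ransomware 'kill' behaviour: a burst of terminations of
industrial processes by a single initiating process (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist: names of OT processes an asset owner would inventory.
# These are placeholders, not any ransomware family's real kill list.
ICS_PROCESS_WATCHLIST = {
    "historian_svc.exe", "hmi_runtime.exe", "plc_engtool.exe", "opc_server.exe",
}

# Constructed Sysmon-style process-terminate events:
# (timestamp, host, terminated image, initiating process)
SAMPLE_EVENTS = [
    ("2020-11-16T08:00:01", "HMI-01", "notepad.exe", "explorer.exe"),
    ("2020-11-16T08:02:10", "HIST-01", "historian_svc.exe", "update.exe"),
    ("2020-11-16T08:02:11", "HIST-01", "opc_server.exe", "update.exe"),
    ("2020-11-16T08:02:12", "HIST-01", "hmi_runtime.exe", "update.exe"),
    ("2020-11-16T09:30:00", "HMI-01", "hmi_runtime.exe", "services.exe"),  # routine stop
]


def find_kill_bursts(events, window_seconds=60, min_kills=2):
    """Return one alert per (host, initiating process) that terminates at least
    `min_kills` distinct watchlisted OT processes within `window_seconds`.
    A single routine stop of one process (e.g. by the service control manager)
    does not trip the rule; a burst across several OT processes does."""
    by_actor = defaultdict(list)
    for ts, host, image, actor in events:
        if image.lower() in ICS_PROCESS_WATCHLIST:
            by_actor[(host, actor)].append((datetime.fromisoformat(ts), image.lower()))

    alerts = []
    for (host, actor), hits in by_actor.items():
        hits.sort()  # chronological order
        for i, (start, _) in enumerate(hits):
            in_window = [img for t, img in hits[i:]
                         if t - start <= timedelta(seconds=window_seconds)]
            if len(set(in_window)) >= min_kills:
                alerts.append({"host": host, "actor": actor,
                               "killed": sorted(set(in_window))})
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for alert in find_kill_bursts(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']}: {alert['actor']} killed {alert['killed']}")
```

The same rule can be expressed against service-stop events (Windows System log event 7036) instead of process terminations, since some families stop services rather than kill processes.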
Industrial and networking assets exposed to the internet are a high risk for manufacturing that can facilitate initial access to a victim environment. Various tracked ICS-targeting activity groups – PARISITE, MAGNALLIUM, ALLANITE, and XENOTIME – have previously targeted or currently attempt to exploit remote access technology or logon infrastructure.
According to the Dragos Year in Review report detailing lessons learned from the incident response and services team, 66 percent of incident response cases involved adversaries directly accessing the ICS network from the internet, and 100 percent of organizations had routable network connections into their operational environments. Recent cyber intrusions targeting in Israel were the result of PLCs exposed to the open internet. Dragos also responded to ransomware events at industrial entities that leveraged internet-connected remote access portals to infiltrate the operations network and deploy ransomware. In July 2020, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) published an encouraging asset owners and operators to take immediate actions restricting exposure of OT assets to the internet.
It is not unusual to see flat networks in manufacturing environments. This is when network connections are shared across both enterprise and operational segments. This makes it easier for an adversary to bridge the IT and OT boundary, and disrupt manufacturing operations after pivoting from an access point in IT.
In addition to internet-connected process automation and other “smart” manufacturing processes, operators are adopting Wi-Fi enabled machine tools and diagnostic equipment that enable workers to move around plants and factories without tripping over power cords. Internet-connected tools connect to historian databases for quality assurance, regulatory, and logistics purposes, among others. Often these tools are connected to enterprise or operations resources and can be used as network access points or targeted in an attack meant to disrupt production and impede operations.
As manufacturing operations become increasingly connected, a lack of visibility into processes, assets, and connections remains within these environments. It is difficult to defend against threats operators cannot see. According to the Dragos 2019 Year in Review report, 81 percent of organizations the Dragos Services team worked with had extremely limited or no visibility into the ICS/OT network. Observations from incident response engagements found no instances of security and process data aggregation for incident analysis, which required manual retrieval of logs and distributed analysis.
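The two findings above (adversaries reaching the ICS network directly from the internet, and routable enterprise-to-OT paths on flat networks) can be checked against a site's own flow or firewall logs. The following is an added example, not code from the report: the segment ranges and flow records are constructed, and any source outside the defined segments is treated as external for the purposes of the check.

```python
"""Flag network flows that reach OT assets from the internet or cross a flat
IT/OT boundary, using constructed flow records (not Dragos tooling)."""
import ipaddress

# Constructed segment plan for a plant; replace with the site's own address plan.
OT_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]          # controllers, HMIs, historians
DMZ_SEGMENTS = [ipaddress.ip_network("10.15.0.0/24")]         # brokered jump hosts
ENTERPRISE_SEGMENTS = [ipaddress.ip_network("10.10.0.0/16")]  # corporate IT

# Constructed flow records: (src, dst, dst_port, protocol). 203.0.113.0/24 is a
# documentation range standing in for an arbitrary internet address.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.20.5.10", 3389, "tcp"),  # internet -> OT remote desktop
    ("10.10.3.4",   "10.20.5.20", 502,  "tcp"),  # enterprise -> PLC (flat network)
    ("10.15.0.5",   "10.20.5.20", 502,  "tcp"),  # DMZ jump host -> PLC (brokered)
    ("10.20.5.10",  "10.20.5.20", 502,  "tcp"),  # OT internal, expected
]


def _in_any(addr, networks):
    return any(addr in n for n in networks)


def classify_source(addr):
    """Map a source address onto the site's segment plan; anything outside the
    defined internal segments is assumed to be external (internet)."""
    ip = ipaddress.ip_address(addr)
    if _in_any(ip, OT_SEGMENTS):
        return "ot"
    if _in_any(ip, DMZ_SEGMENTS):
        return "dmz"
    if _in_any(ip, ENTERPRISE_SEGMENTS):
        return "enterprise"
    return "external"


def find_boundary_crossings(flows):
    """Return flows whose destination is in OT but whose source is neither OT nor
    the DMZ. External sources are 'critical' (direct internet exposure); enterprise
    sources are 'high' (routable IT-to-OT path, i.e. a flat network)."""
    findings = []
    for src, dst, port, proto in flows:
        if not _in_any(ipaddress.ip_address(dst), OT_SEGMENTS):
            continue
        origin = classify_source(src)
        if origin in ("ot", "dmz"):
            continue  # brokered or intra-OT traffic is the expected path
        severity = "critical" if origin == "external" else "high"
        findings.append({"src": src, "dst": dst, "port": port, "proto": proto,
                         "origin": origin, "severity": severity})
    return findings
```

Run it over exported firewall or NetFlow records to obtain an inventory of the routable paths into the operations network before deciding which to remove or broker through the DMZ.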
Theft of intellectual property
Dragos assesses with high confidence that intellectual property theft and industrial espionage are major threats to manufacturing entities, especially from state-sponsored adversaries and malicious insiders. Theft of IP and trade secrets related to process and automation functions can enable industrial organizations and interested states and governments to fast-track development of critical infrastructure, including manufacturing. It can also support state-sponsored espionage activities for political or national security efforts. Obtaining material specifications for products is likely not enough to replicate them. Businesses rely on engineering and industrial design schematics, and sequencing automation details. According to Dragos researchers, adversaries may want to steal the algorithms, engineering designs, and programming specifications to replicate the entire production process, not just the material goods and services output.
There is a concerning upward trend of ransomware targeting manufacturing companies and disrupting their operations. Internet-exposed assets, supply chain and third-party compromise risks, and growing convergence of interconnected enterprise and operations networks are contributing to a growing threat landscape. Dragos continues to monitor targeted activity groups and threats targeting manufacturing operations, including ICS-aware ransomware capable of disrupting operations. Additionally, adversaries do not need to specifically target industrial processes to achieve widespread disruption across plants, fleets, or automation processes, as detailed in this report. Dragos assesses with high confidence that the threats to manufacturing will continue to increase over the next year.