Protecting Operational Technology Environments from Today’s Cyberthreats
When I was a child, my grandfather Efraim of blessed memory was a production worker at one of Israel’s most significant milk and dairy manufacturing plants. He used to take me on plant tours to see the production lines of milk, chocolate milk, and other dairy products, which ran around the clock. Of course, I always got to taste these products at the end of the tour, which was great fun.
Efraim was responsible for ensuring that the production lines ran reliably and consistently, including making sure all operational technology (OT) devices, such as the supervisory control and data acquisition (SCADA) system, programmable logic controllers (PLC), human-machine interfaces (HMI), and Industrial Internet of Things (IIOT) devices, were working properly.
Efraim died a few years ago, before cyberattacks on manufacturing and production lines arrived on the scene. Although such attacks are all too common today, many of the OT devices he used back then have stayed basically the same – without much improvement in security.
If he were alive today, I believe Efraim would be amazed at how easy it is to shut down a production line or an entire factory, and how such breaches can immediately affect millions of production workers (job loss), their factories (shutdowns), their companies (revenue loss) and consumers (shortages and higher prices).
I think he would be proud that my company uses an innovative approach called cyber deception security to help the world’s largest manufacturing and production plants defend their operations against production shutdowns and other threats.
OT security is lagging behind
Consider these statistics from the ESG Research Insights Paper, “Threat Detection and Response in Manufacturing”:
- 53% of manufacturing organizations surveyed experienced a cyberattack or security incident in the past 12-24 months.
- 82% admitted that they must improve their ability to see malicious activity inside their OT network.
- 53% reported that their operations workload exceeds staff capacity.
Today, it is no longer a question of whether external attackers will shut down a production facility or trigger a significant interruption, but rather when and how an attack will take place. This is because OT security in manufacturing and production is lagging far behind other industries such as technology, insurance, and financial services, and because threat actors are so sophisticated and clever. Today, it is almost impossible to avoid a security breach in any factory or production plant in the world.
Relying on conventional IT security alone is like trying to phish a whale with a kid’s phishing rod.
Here are some examples of the sophistication of today’s OT attacks. Cyberthreat actors use BitPaymer, which employs the PowerShell Empire tool for lateral movement in the network. Ryuk ransomware uses TrickBot modules to execute credentials theft and PowerShell Empire traffic for reconnaissance and lateral movement. LockerGoga, another ransomware program, uses PsExec (a sys admin tool) to achieve lateral movement in the network.
In addition to targeting individual companies or facilities, today’s cybercriminals execute supply chain attacks that affect partners, vendors and end customers. Examples include the Solarwinds Sunburst backdoor incident and the latest Kaseya MSP supply chain attack leveraging REvil ransomware and third-party remote monitoring and management (RMM) software. In a recent blog, I described how DeceptionGrid from TrapX could help defend against such attacks.
Risks, threats and attack vectors in OT environments
Following are common scenarios that can lead to security breaches in manufacturing and production facilities that depend on OT devices.
- Inside attacks: An industrial control system (ICS) service person or an integrator that helps maintain production lines can steal credentials.
- External connections: A supply chain partner or remote employee connecting to the corporate system may spread infection from his laptop. Using wired access to fix an urgent issue offers an attack vector.
- ICS-connected workstations: These devices may download ransomware accidentally, which can later spread across the network and exploit known vulnerabilities. Encrypting Windows hosts on the industrial network could cause an abnormal shutdown of critical control systems, prompting operators to activate an emergency safety shutdown.
- Legacy software: Maintaining and updating legacy software that runs many OT and IIoT devices is difficult because they typically run 24×7, leaving few opportunities for downtime. Unpatched software can present vulnerabilities to exploit. Further, embedded operating systems on these devices sometimes cannot be patched.
- Inadequate defenses: These issues can include weak firewall rules, default configurations on OT devices, unencrypted communication between PLCs and automation servers, lack of network segmentation, and failure to implement two-factor authentication for mobile devices connecting to the network. Attackers wishing to target an OT environment may disable the HMI of a device, breach an ICS vendor’s website and inject new code along with a recent update, create a backdoor in the ICS software, or manipulate data by sending command injections.
How DeceptionGrid from TrapX can help
TrapX DeceptionGrid 7.2 uses patented emulation technology to deliver comprehensive protection and full visibility at scale. DeceptionGrid hides real assets in a crowd of imposters that interact with attackers and misinform them in exchange for insight into their TTPs, allowing for rapid response and containment. In just minutes, TrapX’s patented emulation technology launches hundreds of authentic traps that engage attackers and malware and generate high-fidelity alerts for rapid response.
Advantages of DeceptionGrid for manufacturing and production environments:
- No interference with or interruption to any process automation (PA) or OT processes because DeceptionGrid is not deployed on the production line.
- No need to patch existing OT systems or install any agents on your workstations.
- Fast, easy deployment of emulated OT systems and components to deceive attackers.
- Ability to customize traps according to vendor types and versions.
- Multiple uses including threat hunting and detection, creation of decoy network assets that trick/fool cyberattackers, penetration testing, red team activities, and incident response.
Examples of our OT emulation trap capabilities
In the first example, we attacked a Rockwell PLC emulation trap using Metasploit. First, we configured a Rockwell PLC emulation trap in DeceptionGrid – it took us just 5 seconds to do that. The DeceptionGrid solution also offers mass deployment utilities to automatically create hundreds of such emulation traps in minutes.
We then used Metasploit to run an exploit that uses a vulnerability in Scada:multi_cip_command. With this vulnerability, we can run a command like CPU STOP to the emulation trap device.
Here is the result after running the command from Kali:
An INFECTION alert showed up within DeceptionGrid against this emulated Rockwell PLC. You can also retrieve the packet capture (pcap).
In the second example, we attacked a Siemens PLC s7_1200 emulation trap to achieve unauthorized access to the UI by running the Nmap command from Kali that enumerates Siemens s7_12oo PCL devices and collects their information.
First we configured the emulation trap – again, taking only 5 seconds.
We then accessed the emulation over HTTPS and got to a similar UI, but a reminder – it’s all fake!
Then we ran the Nmap command that enumerates Siemens s7_1200 PLC devices and collects their information.
On DeceptionGrid, you can see the interaction event and the attacker IP and command.
In another example, we attacked the Siemens PLC s7_1200 emulation trap again, this time with Metasploit. We used the vulnerability in Siemens PLC s7_1200_plc_control to send a reset command to the PLC.
Following are the command results from Kali:
Then a new alert appeared in the DeceptionGrid console, showing the stop and start commands and the attacker IP.
In this next example, we attacked a SCADA emulation trap.
We first configured first the emulation trap, also in 5 seconds!
We accessed the Scada emulation device’s HMI (like someone who steals credentials and tries to access the fake HMI emulation trap).
You can quickly see in DeceptionGrid that the attacker tried to log in as a specific user. In this case, we used admin/admin, and DeceptionGrid captured that, as shown below:
In the last example, we performed reconnaissance activity and issued arbitrary commands to the SCADA emulation trap.
First, we identified the Modbus service, sent a command read input register, and wrote command manipulation to the Modbus endpoint.
We received a succesful response when running from Kali against the TrapX SCADA emulation trap.
These are the results that showed up in the DeceptionGrid console. They allow you to detect the internal attacker and see the commands sent to the trap. Again, you have the option to retrieve the pcap.
DeceptionGrid allows you to remediate the risk and divert the attackers to VLAN quarantine, or to drop connections using many types of integrations with third-party endpoint protection and NAC systems.
Take action to avoid OT disruptions
Unfortunately, we are seeing more and more attacks on production lines and industrial plants, and reading about them in the news every day.
A shutdown of a production plant or significant disruption can occur at any time. It would cost a tremendous amount of money to restore things to normal, so it’s wise to take proactive measures now using the advanced, sophisticated deception security product DeceptionGrid from TrapX.
When using DeceptionGrid, our customers reduce risks and increase the probability of detecting, deceiving, and diverting attackers even before the attack starts.
You can deploy DeceptionGrid quickly alongside your legacy operating systems and IIOT devices to avoid interrupting PA/OT services and processes. The solution is agentless and provides an excellent answer for many of the risks and attacks vectors mentioned above.
About TrapX Security
TrapX has created a new generation of Deception technology that provides real-time breach detection and prevention. Our proven solutions immerse tangible IT assets in a virtual minefield of traps that misinform and misdirect would-be attackers, alerting SOC teams to malicious activity with immediate, actionable intelligence. Our solutions enable our customers to isolate, fingerprint rapidly, and disable new Zero-Day attacks and APTs in real-time. TrapX Security has thousands of government and Global 2000 users worldwide, servicing customers in manufacturing, defense, healthcare, finance, energy, consumer products, and other vital industries. For more information, visit www.trapx.com.