MITRE Att&ck for IT ICS: Remote System Discovery
About MITRE Att&ck for IT Industrial Control Systems (ICS)
MITRE Att&ck, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a knowledge base of adversary tactics and techniques that helps inform the cybersecurity industry. MITRE recently released an Att&ck knowledge base specifically designed for industrial control systems (ICS).
IT ICS are found in industries such as electric, water, wastewater, oil and natural gas, transportation, chemical, pharmaceutical, and various manufacturing sectors. These systems enable the regular automation of key processes that everyone relies on, and any compromise of their operation could impact the health and safety of humans.
According to the MITRE Att&ck document, adversary TTPs associated with ATT&CK for ICS fall under the following broad categories:
- Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
- Unauthorized changes to instructions, commands, or alarm thresholds, which could damage equipment, create environmental impacts, and/or endanger human life.
- Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, which could have broad negative effects.
- ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.
- Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
- Interference with the operation of safety systems, which could endanger human life.
Remote System Discovery (T846):
Remote System Discovery identifies the presence of hosts on a network, collecting details such as their IP address and hostname, along with other identifying information, in order to move laterally within the system. Remote system discovery allows adversaries to map out hosts on the network and the TCP/IP ports that are open, closed, or filtered, to select future attack targets.
An example of this is the Backdoor.Oldrea ICS malware plugin. This plugin discovers all servers reachable by a compromised machine over the network, including OPC servers, by using Windows networking (WNet).
Recommended Mitigation Techniques:
- Use VLANs: Segment the network with VLANs so that switches can enforce security policies and segregate traffic at the Ethernet layer.
  - Your network can be segmented into any configuration using the Wicket-Enclave system. Wickets provide whitelisting capabilities, and Enclaves provide segmented access channels to the subnets.
- Restrict authorization: Secure and limit authorization to the control room and the physical environment, and confine ICS devices to designated areas.
  - Dispel ensures that authorization is limited to a specific system, to which only certain admins have access after strong authentication.
- Employ VPNs: Use VPNs to further restrict access in and out of control system computers and controllers.
  - More secure than traditional VPNs, all of Dispel's networks are moving target defense SD-WANs, which facilitate traffic and access in and out of control system computers and controllers.
- Keep tabs on the network: Monitor the network and enforce access control practices, e.g. whitelisting.
  - Dispel Wickets provide real-time whitelisting out of the box.
- Develop a detection plan: Implement heuristics to detect monitoring and invasive probing activity on the network, and ensure devices and patches are current.
  - Although this is mostly left as an exercise for management, Dispel provides full traffic logs, which can be pushed to a storage server or integrated with a pre-existing intrusion detection system.
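As an added example (not Dispel's code and not part of the original post), a small Python detector that applies the "invasive probing" heuristic above to exported traffic logs: it flags any source that reaches an unusual number of distinct hosts inside a short window, the signature of a discovery sweep, and reports which ICS service ports were touched. The log layout, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records in a hypothetical "timestamp src dst dport action"
# layout (not Dispel's log format). 10.1.5.20 sweeps the PLC subnet on Modbus and
# DCOM ports within seconds; 10.1.5.30 is a normal HMI polling one PLC.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.1.5.30 10.1.7.11 502 allow
2024-05-01T10:00:01 10.1.5.20 10.1.7.11 502 allow
2024-05-01T10:00:01 10.1.5.20 10.1.7.12 502 deny
2024-05-01T10:00:02 10.1.5.20 10.1.7.13 502 deny
2024-05-01T10:00:02 10.1.5.20 10.1.7.14 135 deny
2024-05-01T10:00:03 10.1.5.20 10.1.7.15 135 deny
2024-05-01T10:00:03 10.1.5.20 10.1.7.16 502 allow
2024-05-01T10:00:05 10.1.5.30 10.1.7.11 502 allow
2024-05-01T10:00:10 10.1.5.30 10.1.7.11 502 allow
"""

# Well-known ICS/OT service ports worth naming in an alert.
ICS_PORTS = {102: "S7comm", 135: "DCOM (OPC DA)", 502: "Modbus/TCP",
             20000: "DNP3", 44818: "EtherNet/IP"}

def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}

def find_sweeps(log_text, window=timedelta(seconds=60), min_hosts=5):
    """Flag sources that contact >= min_hosts distinct destinations inside one
    sliding time window. Repeated polling of a single host (normal HMI traffic)
    never trips the threshold. Returns {src: summary}."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    alerts = {}
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1          # slide the window forward
            span = evs[start:end + 1]
            hosts = {e["dst"] for e in span}
            if len(hosts) >= min_hosts:
                alerts[src] = {"hosts": len(hosts),
                               "ics_ports": sorted({e["dport"] for e in span} & set(ICS_PORTS)),
                               "denied": sum(e["action"] == "deny" for e in span)}
                break               # one alert per source is enough
    return alerts
```

Denied connections are counted because a sweep against segmented subnets typically produces a burst of blocked flows from one source, which is exactly what the whitelisting and segmentation controls above make visible.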
Remote access has become a necessity for organizations operating IT ICS. Your time matters and your systems should work. Invest in a remote access system built from the ground up for industrial control networks, uniquely secured with moving target defense, with no compromises on security.