ICS/SCADA, Critical Infrastructure Security

ICS security evaluations may help improve detection of subtle attack clues

The Mitre building is seen in McLean, Va., in 2017. (Antony-22, CC BY-SA 4.0 , via Wikimedia Commons)
The Mitre building is seen in McLean, Va., in 2017. (Antony-22, CC BY-SA 4.0 , via Wikimedia Commons)

Already known for evaluating enterprise cyber solutions and how they stack up against various APT and financial cybercrime operations, Mitre Engenuity today announced the results of its first-ever assessment of security solutions specifically designed for industrial controls that typically are found in critical infrastructure environments and manufacturing plants.

For the exercise, Mitre examined how five separate ICS security solutions responded to a simulated Triton malware attack, facilitating the detection, identification and analysis of its TTPs. And while certain solutions delivered reliably on forensics or detection capabilities, the hope is that across the board they will continue to improve at understanding processes and configurations at a granular level, in order to better recognize anomalies that signify a possible intrusion, according to Otis Alexander, the man who led the exercise.

Discovered in 2017, the highly dangerous, Russia-linked Triton malware is capable of manipulating or disabling safety systems that commence potentially life-saving shutdowns of industrial processes, should an emergency occur.

Five vendors voluntarily submitted solutions for review against this particular threat: Armis, Claroty, Microsoft (due to its CyberX acquisition), Dragos, and the Institute for Information Industry. The test was a natural progression from Mitre’s 2020 official release of ATT&CK for ICS — a framework and knowledge base that defines TTPs that are specifically associated with threats aimed at industrial control systems found in utilities operations or factories.

The timing of the evaluation seems especially relevant following reported instances of attempted sabotage against U.S. water treatment plants, including the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida last May. While Triton or other ICS malware was not used in that incident, the unsuccessful compromise is still representative of the potential destruction an ICS malware attack could cause.

Lately, “there's been a lot of talk about ransomware,” which sometimes can find its way into an ICS environment and sometimes cause disruptions. But in most cases, “I have a hard time believing that… they're targeting ICS directly,” said Alexander. “So what we really wanted to look at are the attacks that target ICS and cause the disruptions that we're really worried about. There's a number of attacks that fall into that category, Triton being the most recent.”

Following Triton’s public exposure, the malware no longer represents the active threat it once was, according to Alexander – but it is still emblematic of the types of threats the ICS space must be constantly on the lookout for. And this made Triton a natural choice of malware to use for an attack emulation and evaluation.

“When something happens to [an ICS] system, you have to think about what the root cause was. Was it human error? Was it a flaw? Did you have a hardware error or something like that?” Alexander explained in an interview with SC Media. And when Triton was first surfaced back in 2017, “we saw a three-month period where the responders to Triton were confused in general about what was going on. Even the vendors came in, and they just looked at the system and said ‘Hey, maybe it's bad hardware. Let's replace it.’”

“But we’ve got to think what would have happened if they had had a detection solution [at the time], and they were able to have some type of reliable forensics data to look at,” Alexander continued. “In addition to the other sources of information that they had, I think they would have come to a quicker, more definitive response plan based on that information. So, that's part of the reason why we looked at Triton.”

For the evaluation, Mitre researchers ran an adversary emulation against an environment set up to function as a burner management system that one might find in a power generation facility featuring a boiler. The environment also featured control system components including Allen-Bradley programmable logic controller technologies, a Windows host running ICS applications and various network infrastructure, while industrial equipment and physical processes were simulated, according to the evaluation website. Vendors then shipped a physical appliance with their detection solution installed for testing.

The results, available for review on the website, demonstrate what each particular solution excelled at. “It may be that they're really good on the forensic side, because you're going to capture a lot of [attack data and] dig into the back end to really get a story of what happened,” said Alexander. “Others are suited towards threat hunting and proactively looking for threats in your network. And then some really excelled on the detection side.”

Regardless of each solution’s strengths, Alexander hopes that their vendors will be able to build off of this exercise to even more deeply grasp their processes and configurations moving forward.

“I want them to understand when there are cases of loss of safety, that things potentially may not be acting the way that they're supposed to. I want them to be able to look at process variables, [and] see anomalies there… at [a] very low level, when you start playing with the communication to PLCs and playing with protocols...” said Alexander. “I think that's very important, not only from the detection by SOC perspective, but the forensics perspective. So you have another story of what's going on.”

Participating vendors expressed gratitude over being able to participate in the voluntary exercise.

“The ATT&CK Evaluations help the cybersecurity community by improving security products through real-world tactics and techniques employed by adversaries,” said Chris Dobrec, vice president of product marketing at Armis. “This ensures that organizations can actively evaluate ICS security solutions with confidence in order to protect themselves from the latest advances from attackers.”

“ICS is the new target of choice for cyber criminals and nation-states, as demonstrated by the uptick in cyberattacks on critical infrastructure in recent months,” said Grant Geyer, chief product officer at Claroty,so it’s more important than ever that organizations can ensure that they are equipped to handle this onslaught of attacks. We are honored to participate in the first MITRE Engenuity ATT&CK Evaluations for ICS, which sets an important new standard for industrial cybersecurity solutions.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.