Actionable guide to protecting your ICS from nation-state attacks.
Last Friday, the U.S. assassinated Qasem Soleimani via drone strike, following claims that four American embassies were under possible threat. Soleimani, commander of Iran’s Quds Force, was long considered a severe threat to U.S. interests and the most dangerous person in the region. Following his assassination, tensions in the region have heightened. Iran has bowed out of the nuclear deal, and a cyberattack on critical infrastructure and ICS now looks imminent.
Iran’s Role in Cyberspace
Iran actively conducts operations in cyberspace and maintains relatively sophisticated offensive capabilities. The Department of Homeland Security, in the first official guidance released by its Cybersecurity and Infrastructure Security Agency (CISA), warned companies of “disruptive and destructive cyber operations” and the potential for “cyber-enabled espionage.” The guidance lists primary targets including phone companies, utility companies, and energy companies.
“We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment,” said John Hultquist, director of intelligence analysis at cybersecurity firm FireEye, in TechCrunch. “We also anticipate disruptive and destructive cyberattacks against the private sphere.”
Since the strike, approximately 35 organizations have faced cyberattacks “specifically traced” to Iran’s state-sponsored hacking groups. Beyond these relatively minor attacks loom two greater threats:
1) a state-sponsored attack against ICS; and,
2) attacks on commercial data systems both domestic and abroad.
“Iranian hackers may use their access to destroy databases, or they may choose to try to gain access to the electricity grid that powers Silicon Valley as a way of saying, ‘You may want to retaliate, but there will be consequences,’” said Suzanne Spaulding, a former secretary for cybersecurity and critical infrastructure at the Department of Homeland Security, in the New York Times. “‘We’re sitting here with a gun to your head.’”
What ICS Security Breaches Have We Seen in The Past?
- New York Dam (August/September 2013): In 2013, Iran performed a cyberattack on the New York Dam, during which they gained access to the operation of the dam. The hackers reportedly kept quiet about the attack for two years following the incident, until the Wall Street Journal reported the breach and SOBH Cyber Jihad claimed credit. Although they never manipulated the dam, the breach drew attention to the possibility that other attacks like this could be conducted, with the potential for great damage. Eventually, in 2016, the U.S. Justice Department indicted one Iranian actor, working on behalf of the IRGC, for illegally accessing the dam’s SCADA system.
- Las Vegas Sands Casino (February 2014): In 2014, Iran launched a cyberattack on the Las Vegas Sands Casino after Sheldon Adelson, the casino magnate, provoked the country. While on a panel in October 2013, Adelson made comments about sending a message to Iran over its nuclear ambitions by detonating an American warhead in the Iranian desert. In response to these comments, the Las Vegas Sands Corporation in Las Vegas, Nevada was hacked, and customer data including social security numbers, driver’s license information, and credit card data was stolen. Additionally, the Las Vegas Sands Corporation’s computer systems were completely wiped. However, it was not until September 2015 that the U.S. Director of National Intelligence officially identified Iran as the source of the attack.
- Cyber Theft Campaign Conducted by the IRGC (2013 to 2017): In early 2018, nine Iranian actors were indicted for their role in a massive cyber theft campaign that consisted of multiple individual attacks. These attacks were conducted in association with the Mabna Institute, and it was revealed that many were carried out on behalf of the IRGC. Aimed at academic and intellectual property, the attacks targeted “144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund,” according to the indictment.
How Iran Attacks
Historically, Iran has been patient and willing to play the long game. An attack could come at any time, so anyone operating ICS should be on high alert for a potential attack.
"There is ample evidence to suggest that Iranian-sponsored actors have invested considerable time and effort over the past several years to infiltrate the computer systems that control the critical infrastructure of the United States and its allies," PAS Global COO Mark Carrigan warned on UtilityDive.
According to Peter Singer in the Washington Post, a cyberwar expert and senior fellow at the New America think tank, “Past performance is not always a perfect predictor of future results, but it is often the best that we have, [and] Iran has a long track record of using cyber means of retaliation.”
How Can You Protect Yourself and Your ICS?
Richard Henderson, head of global threat intelligence at cybersecurity firm Lastline, told UtilityDive: “Heavy industry, oil and gas, electrical generation and the attached grid infrastructure, as well as other critical infrastructure, are all caught in the crosshairs as of this moment.” Any organization with substantial ICS infrastructure, Henderson said, “should be on high alert now for potential attacks.”
Evidently, Iran and the U.S. have a history of cyber conflict, which is unlikely to halt in the foreseeable future. The risk of a cyberattack is particularly relevant for organizations with large ICS infrastructures. Even if you are not hit directly, you have the potential to become collateral damage. Despite the imminent threat of a cyberattack against ICS, there are ways you can evaluate the threat you are facing and adequately prepare in the case of an attack.
- Assess the Threat: What potential damage could Iranian actors inflict on your ICS and the rest of your company? How can you learn from these past ICS attacks to take preventive security measures?
  - Acknowledge the potential for damage and the vulnerabilities that enable it
  - Develop a plan to mitigate or prevent damage
- Understand Your Risks: If you need help tackling security challenges specific to OT and ICS, particularly those related to risk-based decisions and cybersecurity, consider enlisting the assistance of a cyber risk management service that specializes in OT and ICS security.
  - Utilize a cyber risk management service
- Evaluate Third-Party Access: Statistically speaking, the majority of attacks originate with third parties and then work their way into your ICS network. Take the time to review how you are granting third-party access. Are remote access pathways encrypted and temporary? Are remote access privileges revoked regularly? Review who you are giving remote access to, because every remote user is a potential threat.
  - Use end-to-end encryption
  - Check the active user base for remote access permissions
  - Verify that all active accounts are valid
  - Install a system that automatically revokes privileges once they are no longer needed
- Use Disposable Infrastructure for ICS Remote Access: Consider using disposable or cloud-based infrastructure to further secure your networks. Particularly when providing remote access to ICS, ensuring that network pathways are temporary is critical for security.
  - Consider implementing disposable infrastructure
- Construct a Virtual Environment Between Third Parties and OT Networks: Consider placing a virtual environment between third-party partners and OT networks, such as disposable virtual desktops or another kind of media break.
  - Construct a virtual environment, ensuring remote access is routed through virtual desktops
- Protect Your Privacy: Make sure you regularly change passwords and security keys, particularly on your OT end devices. If you don’t already use an intrusion detection tool, consider looking into one.
  - Regularly change passwords
  - Regularly change security keys
  - Use an intrusion detection tool
- Back Up Regularly: Practice routine backups and ensure they are stored in easily accessible locations that are air-gapped from the organization’s network.
  - Routinely back up data
  - Store backups in air-gapped locations
- Patch Key Vulnerabilities: Regularly patch externally facing equipment, with an emphasis on critical and high-severity vulnerabilities, especially those that would allow an attacker to remotely execute code or deny service on that equipment.
  - Patch critical/high vulnerabilities
- Monitor Network and Email Traffic: Ensure you are sufficiently monitoring network and email traffic, particularly by reviewing network signatures and indicators associated with targeted operations, scanning for new phishing themes, and restricting attachments delivered via email or other platforms.
  - Regularly review network signatures and indicators
  - Scan for phishing themes
  - Restrict attachments
- Avoid Becoming Collateral Damage: Even if your threat model does not include Iran, as long as you operate ICS you could still be hit by a cyberattack. Although the likelihood that you are impacted may be small, assess the damage an attack could do if you became collateral damage and add that scenario to your threat model.
  - Consider collateral damage
  - Alter your threat model accordingly
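The third-party remote access review above (check the active user base, verify accounts are valid, revoke privileges that are no longer needed) can be turned into a repeatable audit. The following is an added example, not code from the original guide or from any vendor it mentions; the grant records, account names, and the 30-day idle / 90-day re-approval thresholds are constructed assumptions standing in for whatever your remote-access gateway exports.

```python
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the audit is reproducible (assumed for this example).
NOW = datetime(2020, 1, 10, tzinfo=timezone.utc)

# Constructed sample export of third-party remote-access grants (not real accounts).
# Each record: the account, when access was granted, an optional expiry, and last use.
GRANTS = [
    {"account": "vendor-hmi-support", "granted": "2019-12-20", "expires": "2020-01-03", "last_used": "2019-12-28"},
    {"account": "integrator-plc-eng", "granted": "2019-06-01", "expires": None, "last_used": "2019-07-15"},
    {"account": "turbine-oem-remote", "granted": "2020-01-08", "expires": "2020-01-15", "last_used": None},
    {"account": "contractor-historian", "granted": "2019-11-01", "expires": "2020-03-01", "last_used": "2020-01-09"},
]

MAX_IDLE = timedelta(days=30)    # assumed policy: unused this long -> revoke
MAX_TENURE = timedelta(days=90)  # assumed policy: any grant older than this needs re-approval


def _parse(date_str):
    """Parse a YYYY-MM-DD string into an aware UTC datetime, or None if absent."""
    if not date_str:
        return None
    return datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_remote_access(grants, now=NOW, max_idle=MAX_IDLE, max_tenure=MAX_TENURE):
    """Return {account: [reasons]} for every grant that should be revoked or re-approved."""
    findings = {}
    for g in grants:
        granted, expires, last_used = _parse(g["granted"]), _parse(g["expires"]), _parse(g["last_used"])
        reasons = []
        # Access that is not temporary, or that outlived its own expiry, fails the "temporary pathway" check.
        if expires is None:
            reasons.append("no expiry set (access is not temporary)")
        elif expires < now:
            reasons.append("grant expired but account still active")
        # An account nobody has used for a long time is a standing door into the OT network.
        if last_used is None and now - granted > max_idle:
            reasons.append("never used since grant")
        elif last_used is not None and now - last_used > max_idle:
            reasons.append("idle longer than %d days" % max_idle.days)
        # Long-lived grants need a human to confirm the business need still exists.
        if now - granted > max_tenure:
            reasons.append("older than %d days; requires re-approval" % max_tenure.days)
        if reasons:
            findings[g["account"]] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in audit_remote_access(GRANTS).items():
        print(account, "->", "; ".join(reasons))
```

Feed the gateway's real export into `audit_remote_access` on a schedule and wire the result to your revocation workflow so that stale grants are closed automatically rather than on the next manual review.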
Keep in mind that the possibility of an Iranian cyberattack on industrial control systems is not a matter of if, but when. Arm yourself with the necessary tools before an attack, rather than picking up the pieces after chaos ensues.