To start, what is MITRE Att&ck for Industrial Control Systems (ICS)?
MITRE Att&ck, which stands for Adversarial Tactics, Techniques and Common Knowledge, is a knowledge base of adversary tactics and techniques that help inform the cybersecurity industry. MITRE recently released an Att&ck knowledge base specifically designed for industrial control systems (ICS). ICS are found in industries such as electric, water, wastewater, oil and natural gas, transportation, chemical, pharmaceutical, and various manufacturing sectors. These systems enable the regular automation of key processes that everyone relies on, and any compromise on their operation could impact the health and safety of humans.
According to the MITRE Att&ck document, adversary TTPs associated with ATT&CK for ICS fall under the following broad categories:
• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
• Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
• Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have broad negative effects.
• ICS software or configuration settings modified, or ICS software infected with malware, which could have broad negative effects.
• Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
• Interference with the operation of safety systems, which could endanger human life.
To begin this blog series, we will first dive into External Remote Services. The aim is to help you understand the MITRE Att&ck walk-through, and their mitigation techniques, as well as offer our own insight.
External Remote Services (T882):
How It’s Done:
Adversaries sometimes opt to use external remote services to gain initial entry into a network. Common external remote services include VPNs, Remote Desktop connections, and Active Directory, among others. External remote services are used by administration to gain access to control systems. Vendors or third parties often use them to gain access but must traverse the corporate network first. These actions sometimes require Internet access. When adversaries gain valid accounts to these services, they could gain access to the internal network. If the remote access system is compromised, an adversary could use this opportunity to launch an attack against the entire control system network.
A prime example of adversaries using external remote services to launch attacks on networks was when Xenotime used remote desktop jump boxes to move into the ICS environment in 2017. They targeted remote desktop protocol, and remote authentication and management portals.
Recommended Mitigation Techniques:
- Role-Based Access Control (RBAC): Limit the number of privileged users in the network and stay up to date on configuring and assigning roles.
- Dispel’s platform has four levels of users (Owner, Admin, User, and VDI-User) to accommodate any level of privilege and ensure that users are granted need-based access. Administrator can revoke or reduce access in real time.
- Use Strong Authentication: Use unique usernames and passwords, strong authentication, encryption if determined appropriate, and audit logs in remote control software.
- Unique usernames and passwords: Dispel does not allow repeat usernames, and has strong password requirements for all users.
- Strong authentication: MFA support for temporary passwords and hardware tokens (Yubikey) included out of the box.
- Encryption: All traffic through Dispel’s systems is encrypted with two layers of AES-256.
- Audit logs in remote control software: All traffic through Dispel systems is logged, and actions done through Dispel Virtual Desktops are fully screen recorded.
- Monitor Console Actions: Enable console user actions to be traceable, manually or automatically.
- Deploying Dispel virtual desktops ensures that all actions are screen recorded, securely stored, and can be played back by an administrator at any time.
- Multi-Factor Authentication: Consider including other forms of authentication such as multi-factor authentication using biometric or physical tokens.
- Dispel comes with multi-factor authentication out of the box, supporting both temporary one time passwords (e.g. Google Auth, Authy) and hardware tokens (e.g. Yubikey).
- Secure Access: Secure and restrict access to the control room(s) and ensure VPNs are properly configured.
- Secure access is Dispel’s specialty: The Enclave-Wicket architecture with whitelisting ensures that access is only given to necessary systems at necessary times. All of Dispel’s VPNs are maintained daily.
- Intrusion Detection: Utilize intrusion detection systems and solutions and promptly send patches.
- Although not directly an intrusion detection system, Dispel integrates with existing intrusion detection systems and pushes traffic logs for inspection.