
Deception for Industrial Control Systems


Attackers only have to be lucky once. Defenders have to be lucky every time.

Industrial Control Systems (ICS) have many unique characteristics that make defending them against cyber attacks a challenging job.

The main priority for ICS/SCADA systems is operational continuity. The use of outdated and physically isolated devices, and the inevitable convergence between the IT and the OT world, makes these environments vulnerable to insider threats and external breach attempts. By using threat intelligence and deception technology, these challenges can be mitigated more effectively.

Why Is That?

  • An “air-gapped” network is not always an option, as there may be data from those devices that needs to be accessed (Weiss, 2010; Knapp, 2011).
  • Patching devices may require a connection to either the Internet or a central patching server, such as a Windows Server Update Service (WSUS) or RedHat Satellite.
  • Consultants and vendors may bring malware in on laptops and connect those systems to the SCADA network for maintenance purposes.
  • Performing software updates on SCADA devices can be difficult (Higgins, The SCADA Patch Problem, 2013). The vendors of these devices or the integrators used to bring them online may not allow them to be updated without the vendor or integrator first performing appropriate regression testing (Byres, 2012).
  • Fear of disturbing, for the sake of a security patch, equipment that has been operating fine for years, sometimes decades (Zubairi & Mahboob, 2013).
  • Implementing additional security controls on SCADA networks or devices like anti-virus or a host-based intrusion detection system might cause some unexpected behaviours, such as system slowdowns or active responses to perceived attacks (Wade, 2011).

Leveraging Threat Intelligence Powered by Deception helps mitigate these challenges by providing real-time insights and proactive defense mechanisms without disrupting normal operations.

Let’s Consider the HMI (Human Machine Interface)

This is a critical component of a SCADA network, as it permits an operator to communicate with a controller of an industrial system. Most of these HMIs are Windows-based machines, so vulnerabilities such as buffer overflows, weak hashing algorithms, SQL injection flaws, FrostyURL, Shellshock, and cross-site scripting attacks are well documented. Yet, as discussed above, mitigating those vulnerabilities by patching may not always be possible.

Now, considering all these limitations let’s explore how CounterCraft’s Threat Intelligence Powered by Deception platform can help in the proactive protection of critical assets without imposing any burden on the normal operation of services:

  • CounterCraft’s approach does not require modifying the existing SCADA network.
  • There is no need to insert additional inline devices.
  • Deception assets are simply plugged into the network as any other system would be and set up to run services that look like other devices on your SCADA network. A deception host that, from the outside, looks like a real production HMI can deflect the attention of human attackers away from real ICS assets and, when engaged, generate a confirmed alert of an ongoing attack in real time. Further threat intelligence is obtained from the attacker’s actions, leading to a better understanding of the attacker’s objectives and the TTPs used. Other deception hosts, such as physical WiFi routers or PLC emulations, can also be an effective part of a deception campaign.
  • The CounterCraft Cyber Deception Platform does not base detection on known signatures or traffic analysis, but on human actions.
  • It can be configured to look like specific devices on a typical SCADA network.
  • CounterCraft allows for the monitoring of attacks designed specifically to target the current infrastructure.
  • Deception offers you earlier detection, along with immediate identification of the breach and compromised asset.
  • Understanding the attacker’s TTPs leads to local, specific, actionable threat intelligence to share with the SIEM, the SOAR and the rest of the security team.
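To make the “detection based on human actions, not signatures” point concrete, here is an added example (not CounterCraft’s code or platform) of a minimal decoy HMI written in Python: a TCP listener that serves a plausible-looking operator login page and turns every connection into a confirmed-alert record handed to a SIEM hook. The asset name `hmi-01-decoy`, the page contents, the tag names and the `probe_decoy` helper are assumptions made for the example. A real deception platform would also emulate the host’s full fingerprint; the detection logic shown here is the core idea: nothing legitimate ever talks to the decoy, so any interaction is an alert, and the request enrichment only adds context for the analyst.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed fake login page: it only needs to look plausible to a human.
FAKE_LOGIN_PAGE = (
    "<html><head><title>Plant HMI - Operator Login</title></head>"
    "<body><h1>Operator Login</h1><form method='post' action='/login'>"
    "<input name='user'><input name='pass' type='password'>"
    "<input type='submit' value='Login'></form></body></html>"
)


def parse_request_line(data: bytes):
    """Return (method, path) from the first line of an HTTP-looking request,
    or ("?", "?") if the bytes are not HTTP at all (still an alert)."""
    first = data.split(b"\r\n", 1)[0].decode("latin-1", errors="replace")
    parts = first.split(" ")
    if len(parts) >= 2 and parts[0].isalpha():
        return parts[0].upper(), parts[1]
    return "?", "?"


def tag_interaction(method: str, path: str) -> list:
    """Light enrichment of the observed action (tag names are assumptions).
    Detection does not depend on these tags: any connection is already an alert."""
    tags = ["decoy-interaction"]
    if method == "POST" and path.startswith("/login"):
        tags.append("credential-use")
    elif method == "GET":
        tags.append("web-probe")
    else:
        tags.append("non-http-traffic")
    return tags


def build_alert(asset_name: str, peer, data: bytes) -> dict:
    """Turn one connection into a SIEM-ready alert record."""
    method, path = parse_request_line(data)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "asset": asset_name,
        "src_ip": peer[0],
        "src_port": peer[1],
        "method": method,
        "path": path,
        "tags": tag_interaction(method, path),
        "severity": "high",  # nothing legitimate ever talks to the decoy
    }


class DeceptionHmi:
    """A decoy HMI: listens on a TCP port, serves the fake login page and hands
    every connection to on_alert (e.g. a SIEM forwarder) as an alert record."""

    def __init__(self, asset_name, host="0.0.0.0", port=8080, on_alert=None):
        self.asset_name = asset_name
        self.alerts = []
        self.on_alert = on_alert or (lambda a: print(json.dumps(a)))
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]  # real port when port=0
        self._running = False
        self._thread = None

    def start(self):
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._running = False
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while self._running:
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    data = b""  # a silent connect is still an interaction
                alert = build_alert(self.asset_name, peer, data)
                self.alerts.append(alert)  # recorded before any response goes out
                self.on_alert(alert)
                body = FAKE_LOGIN_PAGE.encode()
                try:
                    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                                 b"Content-Length: " + str(len(body)).encode()
                                 + b"\r\n\r\n" + body)
                except OSError:
                    pass


def probe_decoy(host: str, port: int, payload: bytes) -> bytes:
    """Helper for exercising the decoy locally: send payload, return the reply."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        c.sendall(payload)
        return c.recv(4096)


if __name__ == "__main__":
    decoy = DeceptionHmi("hmi-01-decoy")  # assumed asset name; listens on 8080
    decoy.start()
    print(f"decoy HMI listening on {decoy.port}; every connection is an alert")
    threading.Event().wait()
```

Usage: run the script on a host that otherwise carries no service; the printed JSON records are what a SIEM or SOAR would ingest. Because the decoy has no legitimate consumers, the alert volume is low and each alert is high-confidence, which is the property that distinguishes it from signature or traffic-analysis detection.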


Deception campaigns based on these principles can effectively detect threats against ICS infrastructures, from lateral movement and zero-day attacks to vulnerability exploitation attempts and document exfiltration.

CounterCraft flips the traditional conundrum on its head — now attackers have to be lucky all the time, and you, the defender, only have to be lucky once.

Author:

Conrado Crespo is the Senior Sales Engineer for CounterCraft, with expertise in IAM, DR and cybersecurity integration.

Follow him on LinkedIn.