Attacks aimed at SCADA networks are still much rarer than those targeting IT networks, but the number is slowly rising.
And, according to Radiflow CTO Yehonatan Kfir, there’s no time like the present to start using a consistent, evidence-based taxonomy to analyze them and learn from them.
“The current lack of a single taxonomy to analyze security incidents leads to difficulties in understanding the threat landscape in an unbiased way,” he opines.
Classifying and assessing OT attacks
In a recently published whitepaper, Kfir proposes a taxonomy that distinguishes between non-technical and technical properties. Each property has three “grades”.
The non-technical properties are:
- Targeted industry (type of campaign): IT campaign — Campaign that targets both IT and OT networks — OT-specific campaign
- Desired impact: Non-SCADA-specific — SCADA-specific, impacting confidentiality — SCADA-specific, impacting availability and integrity
- Actual impact: No impact on availability and integrity — Impact on availability and integrity of non-critical systems — Impact on availability and integrity of critical systems
- Physical process expertise: None — Case-specific knowledge — Industry-specific knowledge
- Dormant duration (attack duration): Weeks or more — Days — Hours
The technical properties include:
- Type of malware: No malware, or generic IT malware — Generic IT malware extended with a SCADA add-on module (malware that can operate on both IT and OT networks) — Malware clearly developed for the OT environment
- Industrial protocol expertise: Attackers did not demonstrate industrial protocol expertise — Attackers demonstrated understanding of open-specification industrial protocols — Attackers demonstrated understanding of proprietary protocols
- Asset configuration changes: No attempt to change controller logic or firmware — Controller logic or set points were changed — Firmware was changed
- Vulnerability type: Non-SCADA-specific vulnerabilities common in IT networks (e.g., in Windows or Linux) — Vulnerabilities in Windows-based applications specific to the SCADA network (e.g., HMI software) — Vulnerabilities in controllers and other SCADA-specific devices
- Vulnerabilities used: Known vulnerabilities with a public exploit — Known vulnerabilities with no public exploit (meaning the attackers had to develop one themselves, and had the skill to do so) — Previously unknown (zero-day) vulnerabilities
Preparing for the future
Kfir believes that this taxonomy and case-analysis approach gives risk managers a coherent framework for analyzing the different types of attackers. It also lets them plan their security defenses around the attacker models that are relevant to their specific organization.
The next step is a better methodology for determining the impact of disclosed vulnerabilities, based on the context of the organization’s OT network and business logic related to the relevant attacker models.
The scoring standards that NIST and ICS-CERT use to assess the risk of disclosed vulnerabilities are biased towards IT networks, he notes, and are not always applicable to industrial environments and the SCADA and ICS systems running on OT networks.