Widely available ICS attack tools lower the barrier for attackers

The general availability of ICS-specific intrusion and attack tools is widening the pool of attackers capable of targeting operational technology (OT) networks and industrial control systems (ICS).

“As ICS are a distinct sub-domain to information and computer technology, successful intrusions and attacks against these systems often requires specialized knowledge, establishing a higher threshold for successful attacks. Since intrusion and attack tools are often developed by someone who already has the expertise, these tools can help threat actors bypass the need for gaining some of this expertise themselves, or it can help them gain the requisite knowledge more quickly,” FireEye researchers point out.

The tools can also come in handy to experienced actors who might want to conceal their identity or maximize their budget.

ICS attack tools: What’s out there?

The researchers have been tracking a large number of publicly available ICS-specific cyber operation tools for a while now, and here’s what they can tell us about them:

• Most of them have been developed in the last ten years
• Most tools are vendor agnostic
• Not unexpectedly, developers mostly concentrate on creating tools to target the most widely used solutions by the largest ICS original equipment manufacturers such as Siemens, Schneider Electric, GE, ABB, Digi International, Rockwell Automation, and Wind River Systems.

Some tools are “standalone”, others come in the form of modules for popular exploitation frameworks.

Over half of the “standalone” tools are aimed at learning about ICS devices attached to a network and software exploitation tools:

To create some of the tools, such as ICS-specific malware and ransomware, creators have to have a high degree of knowledge about the target systems as well as coding skills – something that is out of reach for many aspiring attackers.

ICS-specific exploit modules

There is a variety of ICS-specific exploit modules for exploitation framework such as Metasploit (free), Core Impact and Immunity Canvas (both commercial), as well as more recent ICS-specific exploit frameworks: Autosploit, Industrial Exploitation Framework (ICSSPLOIT), and the Industrial Security Exploitation Framework.

“We currently track hundreds of ICS-specific exploit modules related to more than 500 total vulnerabilities, 71 percent of them being potential zero-days,” the researchers noted.

Of the three non-ICS-specific frameworks, Metasploit has the fewest number of ICS-specific exploits, but due to the fact that it’s freely available, these exploits may currently represent the highest danger for defenders.

They mostly target products by these vendors:

“Awareness about the proliferation of ICS cyber operation tools should serve as an important risk indicator of the evolving threat landscape,” the researchers noted.

“Organizations that do not pay attention to available ICS cyber operation tools risk becoming low-hanging fruit for both sophisticated and unexperienced threat actors exploring new capabilities.”