Using “Update.exe” as a Case Study for Robust OT Cybersecurity

6 years ago Anirudh Chand

In 2020, car manufacturer Honda fell victim to a ransomware attack. Using a payload called “update.exe,” the attack crippled Honda’s international customer service and Financial Services wing for days. Although it affected two customer-facing branches of this global corporation, the ransomware was designed to target and breach Honda’s critical ICS/SCADA environments.

This ransomware, written in Go and heavily obfuscated, is called EKANS, or “Snake” spelt backward. The malware includes a check for a hardcoded internal system name and a corresponding public IP address belonging to Honda. If that name does not resolve, it exits.

On the Impact of ICS Cybersecurity Threats

The attack described above was targeting the entire network, including the Internet of Things and SCADA systems. This can have severe consequences in an environment that is machine/ICS-centric. When industrial control systems are down, it directly impacts manufacturing and industrial activity, which directly correlates to a loss of revenue.

Regardless of the attack vectors, ICS and SCADA systems are increasingly becoming the victims of targeted, sabotage-type attacks. In October 2019, for instance, North Korean state-sponsored attackers targeted India’s nuclear plants using Remote Access Tools (RATs) to collect information such as host IPs, running processes, password hashes and browser history. News of that attack arrived several months after solar power company sPower suffered a distributed denial of service (DDoS) attack in March 2019 that exploited firewall vulnerabilities, forcing unexpected reboots of devices.

Strengthening Your OT Environment Against Threats

These ICS attacks are clearly varied, but one theme that is rapidly emerging is that OT cybersecurity is crucial and can no longer be overlooked.

This, however, is easier said than done. One of the biggest challenges that organizations within the OT sector face is to recognize cybersecurity as an issue. Traditionally, OT infrastructure was never built with security in mind. This was done deliberately to encourage rapid adoption of technology as well as cross-pollination. This mindset is changing, fortunately, as organizations are looking at several core IT security approaches to deal with breaches in their OT environment.

Here’s a three-pronged methodology that will help:

  1. Visibility: By far the biggest challenge the OT industry faces is the issue of knowing what constitutes their network. Large manufacturing and services-based companies find it difficult to inventory and then keep current the list of networked assets within their environment. You can’t protect what you can’t see. Simple enough. As OT networks are not designed to withstand active scans, these companies are now looking at ‘passive sniffing discovery’ processes to ensure they have an updated and current list of all assets, including make, model, firmware and configuration as well as security-related information like known vulnerabilities impacting these systems and levels of access.

Once an organization can accurately inventory their systems, they can provide effective controls to manage and maintain them, as well.

  2. Access: Once the issue of visibility is addressed, managing access becomes paramount. The OT network topology is governed by the Purdue Model, an architecture that’s not too different from the IT OSI stack. It provides a reference model for organizations on how to architect their systems in different layers of communication. This equips OT administrators with context around which devices should be communicating across layers and, more importantly, which must not. The issue of access is therefore not limited to human access but extends to machine access, as well.

An organization that can effectively architect their systems to this level can ensure that a workstation in, say, level 3 does not communicate with a PLC in level 1.

  3. Configuration Integrity: Finally, ensuring the configuration integrity of systems in an OT environment is critical. Consider a scenario where a simple change in a PLC register value from 0 to 1 can reverse the direction of a coolant valve on a factory floor, or where the firewall settings on a level 3 Windows server allow unfederated access to engineering workstations or HMIs in level 2. Many OT attacks try to change the configuration of these OT devices. Detecting this type of misconfiguration before it takes effect is critical.
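The access and configuration-integrity prongs above can be turned into a small, repeatable check. The following is an added example, not code from the Tripwire post: it runs a Purdue-level flow policy over a constructed asset inventory and observed flows, and compares a PLC register map against an approved baseline. The "adjacent levels only" rule, the host names and the register names are all assumptions made for the example.

```python
"""Added example (not from the post): a checker for the access and
configuration-integrity prongs, run over constructed sample data."""
import hashlib
import json

# Constructed asset inventory: host -> Purdue level (1 = PLC/basic control,
# 2 = HMI/supervisory, 3 = site operations, 4 = enterprise IT).
INVENTORY = {
    "plc-01": 1,
    "hmi-01": 2,
    "eng-ws-01": 3,
    "erp-srv": 4,
}

def flow_allowed(src, dst, inventory=INVENTORY):
    """Policy assumed for this example: traffic may cross at most one Purdue
    level. An unknown host is a visibility gap and is treated as a violation."""
    if src not in inventory or dst not in inventory:
        return False
    return abs(inventory[src] - inventory[dst]) <= 1

def audit_flows(flows, inventory=INVENTORY):
    """Return the (src, dst) pairs that violate the level policy."""
    return [f for f in flows if not flow_allowed(f[0], f[1], inventory)]

def config_fingerprint(registers):
    """Stable SHA-256 of a PLC register map (name -> int), key order independent."""
    canonical = json.dumps(registers, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def config_drift(baseline, current):
    """Names of registers whose value differs from the approved baseline."""
    keys = set(baseline) | set(current)
    return sorted(k for k in keys if baseline.get(k) != current.get(k))

# Constructed sample data: one level-3 workstation and one enterprise server
# talking straight to the PLC, and a coolant valve register flipped 0 -> 1.
FLOWS = [("hmi-01", "plc-01"), ("eng-ws-01", "hmi-01"),
         ("eng-ws-01", "plc-01"), ("erp-srv", "plc-01")]
BASELINE = {"coolant_valve_dir": 0, "pump_setpoint": 1200}
CURRENT = {"coolant_valve_dir": 1, "pump_setpoint": 1200}

if __name__ == "__main__":
    print("flow violations:", audit_flows(FLOWS))
    if config_fingerprint(BASELINE) != config_fingerprint(CURRENT):
        print("config drift in:", config_drift(BASELINE, CURRENT))
```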

Unfortunately, as time moves on, attacks like EKANS will continue to prove to be the norm, not the exception. It is incumbent upon these organizations to follow an approach to OT cybersecurity with some strategy in mind at a minimum if they want to have a fighting chance to thwart security threats.

Learn how you can protect your infrastructure with ICS security solutions from Tripwire: https://www.tripwire.com/solutions/industrial-control-systems

The post “Using ‘Update.exe’ as a Case Study for Robust OT Cybersecurity” appeared first on Tripwire.

Source: Tripwire – Anirudh Chand

Tags: Critical Severity, Malware, Ransomware, TripWire, Vulnerability
