Why Your Utility Needs Adversary Simulation Tests
- September 28, 2018
- 459 views
Cyber attacks on the world’s energy grids are increasing at an alarming rate. In just the last three years, attackers have triggered two regional power outages in Ukraine and have successfully breached US power companies, going so far as to gain “operational access” to power management controls with the ability to sabotage operations.
To make matters worse, research into new vulnerabilities and methods of attack for SCADA and ICS systems is increasingly finding its way into the public domain, from industry alerts to talks at popular hacking conferences. This lowers the bar for future attacks, and the problem is further compounded by the rise in commodity hacking tools and services which can be easily and cheaply bought on the Dark Web.
As both criminal activity and geopolitical tensions rise, the US energy sector finds itself in the crosshairs of a growing number of sophisticated adversarial groups, including state-sponsored teams, organized crime and hacktivists.
For this reason, it is imperative that utilities test their defenses and response capabilities to a wide range of contingencies.
What is adversarial simulation?
Most utilities will be familiar with the concept of simulation testing. After all, they regularly conduct tests to gauge their capabilities and response — like functional testing, load testing, failover testing, etc.
With adversarial simulation testing, the utility is conducting an in-depth examination of what types of cyber attacks they are potentially vulnerable to, and what would happen if the attack was successful. A good frame of reference for adversary simulation is to look at failover testing. Typically, this involves identifying some critical asset or service, and working backward along the supply delivery chain to test points of failure. In other words, if something critical were to fail, how does the utility switch to the backup system (and measure how that transition goes).
Similarly, with an adversarial test the utility is looking at points of failure in the security domain, including cyber, human and physical. A good, comprehensive adversarial simulation will essentially stress-test all three of those attack vectors. For instance, how likely are employees to fall for phishing emails or to use an unfamiliar thumb drive? Does the network have any exposed endpoints? Are sensitive systems truly air-gapped, or is there a way for an attacker to migrate off the front-end office system and into a critical environment? How does the utility’s IT/security team respond to an active breach?
The key element to an adversarial simulation is that the utility is stress-testing its current security setup against the real-world tools and tactics of sophisticated attackers.
How do attackers target a utility?
The most common approach in any cyber attack is to use “social engineering” tactics to target employees, managers, third-party contractors and any other personnel who have trusted access to an office or facility.
For the average utility, this means the most likely scenario of attack is that employees will be sent phishing emails in order to try to infect their workstations with malware or steal their login credentials. This will be accomplished through malicious web links, infected attachments or fake login screens.
The most likely path for an attack is to first establish a beachhead into the front-office network, then use this to spread laterally throughout the facility, and potentially into the ICS. Although the ICS environment is segmented, and in many cases air-gapped, the attacker can work around this protection by programming malware that will automatically install itself onto a thumb drive or other removable media that may be connected to the front-office network and then reused in the ICS environment. They can also use their foothold on the network to hunt for any exposed or hidden connections to the ICS.
However, in addition to attacking the utility from the front-office systems first, attackers could also target third-party contractors and vendors with malware in order to use their physical access to spread into the corporate network and/or the ICS. Attackers can also scan for open and vulnerable ports in ICS systems which are unknowingly connected to the public Internet. For example, the search engine Shodan makes it possible for researchers and others to sift through many exposed Internet-connected devices.
Common Utility Weak Points —
As noted above, there are a few common paths attackers take when attempting to breach an operational environment. This boils down to four main weak points:
People — Employees are always the weakest link in the chain. It’s common for people to make basic mistakes with technology and security decisions, from clicking on emailed links to bringing outside devices (laptops, thumb drives) into a sensitive environment. It’s imperative that a utility always assume its employees will be compromised at some point, even if they’ve undergone extensive security awareness training. By starting from the assumption that an employee will be compromised, the utility can then build up a layered defense that should reduce the impact of a breach.
Outdated or unpatched systems — This is another major issue for utilities, as well as any other industrial facility. It’s common to find older versions of systems still running inside an industrial network due to the challenge of updating or replacing software and hardware that helps to manage or monitor physical operations. New system and software vulnerabilities come out regularly, and they are well known by attackers. Failing to implement even one security patch or software update in a short period of time could expose the entire operation to compromise.
Improper air-gaps — The ICS should be air-gapped, but often this is not the case because of a desire for remote management options. Air-gapping is further weakened by adding Internet of Things (IoT) devices into the operational environment. Any connection into the SCADA and ICS environments exposes the utility to potential major risks, since the ICS is not properly equipped to defend against a breach and an attacker could potentially cause physical damage to the facility.
Physical access — Any unauthorized physical access to an operational environment is a major vulnerability. Obviously, if an attacker can directly gain access to a critical system, it’s game over. There is very little that can be done at that point, in terms of cybersecurity, so maintaining strict security protocols for physical access is crucial. Employees and contractors with access can pose a couple of risks: they may accidentally bring malware into the environment via an infected thumb drive, computer or diagnostic tool, or they may themselves behave maliciously (i.e., the “insider threat”). Utilities must implement strict security policies to regulate all direct access and they should also consider banning certain devices, like thumb drives, altogether.
Key Components of an Adversarial Simulation —
Testing is conducted from an adversarial perspective. This means stress-testing the utilities networks, people and security controls. Typically, it is best to use a third party team to run this type of test, as they will be better able to challenge organizational assumptions and probe for overlooked weaknesses.
Each adversarial simulation should be conducted in a way commensurate with the assets being protected, while also being considerate of the threat actors and what their goals are likely to be.
The engagement should be designed to test the utility’s three main attack vectors:
Human – From administrative staff to IT team and executives. This means social engineering attacks, which include phishing, vishing and in-person attempts to breach facility.
Logical/Cyber – Network security setup, endpoint security, intrusion detection systems, etc. This includes network scans for open/vulnerable ports, unpatched devices, insufficient logging, etc.
Physical – From perimeter fences to security cameras and physical air-gaps of the critical systems. To fully test a utility’s security readiness, the team should attempt physical breaches of facilities and field offices.
Tests should be:
- Designed to challenge the organization’s assumptions (about its state of security, readiness). This type of test isn’t a check-the-box assessment. Its goal is to find the shortcomings in a utility’s security program – no matter how strong and well managed that security program might be.
- Designed to compromise its assets. An adversarial test goes far beyond the traditional security audit: instead of merely identifying a security weakness and stopping, this type of test will seek to exploit that weakness in order to show the utility just how far an attack could escalate.
- Conducted considering the organization’s threat actors. Since utilities are a frequent target of state-sponsored teams, this means companies must assume they have extensive resources, capabilities and technical skills, and will also utilize sophisticated tactics which may combine numerous elements (ex: social engineering, custom malware, zero-days).
- Unknown to most people. An adversarial simulation will not work if too many people are “in the know.” Only essential personnel should be informed of the test ahead of time.
Key Mistakes to Avoid —
The goal of an adversarial simulation is to stress test the utility’s computer network and employees/contractors against a sophisticated, real-world attacker. However, two common mistakes can undermine this evaluation, thereby reducing the effectiveness of the test.
The first mistake is to put too many restrictions on the testing team.
If the testing team is too limited in what and how it can assess, and must confine itself to a very narrow, siloed scope, then the utility will get a limited or distorted view of its weaknesses and vulnerabilities. There is a place for siloed testing, but it is not in an adversarial simulation.
The entire purpose of this specialized test is to give a holistic view of the utility’s attack surface (networks, people, physical environment), major weak points, and readiness to counteract a serious attack. Therefore, an adversarial simulation should be allowed to identify risks anywhere within the organization which could lead to the compromise of critical assets. This will enable the utility to make smarter decisions about security going forward, including how to best prioritize spending to focus on high-risk threats and blind spots.
The second mistake is to forewarn staff. The “human component” is a key part of these tests, as in most cases it is an employee mistake which enables an attacker to breach the network. Consequently, if the utility involves too many of its personnel in this type of test, it will taint the results and lead to an inaccurate picture of the organization’s weaknesses. Only essential personnel should be involved in the test.
Given today’s heightened risks for utilities and other critical structure organizations, it is important for operators to go beyond the standard security audit and policy reviews and actually test their defenses against a real-world opponent. Adversarial simulation is the best way to determine a utility’s real weaknesses and defense capabilities.