William Jardine, Security Consultant
4 mins read
The focus therefore has become protection and detection: Intrusion Detection Systems (IDS) are deployed to provide awareness of any ongoing attacks against ICS networks.
Yet here again, infrastructure operators encounter a problem in that current IDS used on ICS are largely “passive”. They generate no new network traffic and perform detection based purely on existing network traffic, using open-source solutions as well as more bespoke, proprietary ones. A well-resourced and powerful attacker can evade these detection methods, if indeed detection systems have been enabled in the first place. In the case of the Natanz plant, a highly sophisticated piece of malware called Stuxnet allowed attackers to take control of 1,000 machines involved with producing nuclear materials and interfered with highly privileged physical operations and their monitoring.
An alternative detection approach is that of an “active” IDS. These interact directly with the controlling device of an ICS network and retrieve internal values from it. However, this more active approach is resource-intensive and involves a higher level of risk that the old ICS devices will be overloaded. As a result, active techniques are rarely implemented, leaving infrastructure suppliers with a quandary – either use a passive approach and not be made aware of a sophisticated attack until it is well underway, or use an active approach that could very well overload the sensitive ICS controllers and potentially cause more damage to the system than an attacker.
Now however, research undertaken by F-Secure Consulting’s William Jardine during his time as a student at Lancaster University, together with three other cyber security researchers from the institution, has highlighted improved detection rates possible with a new hybrid approach to form a practical and minimally intrusive active monitoring solution.
Selective Non-Invasive Active Monitoring (SENAMI) is a combination of a largely passive IDS with selective elements of active monitoring and was demonstrated for Siemens S7 ICS environments. S7 devices account for more than 700 internet-connected controllers in mainland Europe alone. S7 devices are also famous for being the system that was used by the Natanz facility targeted by the Stuxnet bug.
Specifically, SENAMI performs active monitoring, but on a smaller, more context-based scale. Rather than reading in hundreds of values at once, SENAMI reads in only three, pre-determined to be critical to the operation of the S7 ICS. This approach has been found to increase the difficulty for an attacker trying to evade detection mechanisms, compared with a purely passive IDS, without overwhelming the whole operating system on which the ICS sits.
For operators using Siemens S7 ICS, the risks highlighted in the team’s work should be at the forefront of security policies. At present, it is possible for an attacker with a foothold in a network to evade detection of a passive IDS and execute a value tampering attack – i.e. one that disrupts the monitoring of key processes. These attacks can potentially cause huge amounts of physical damage to critical infrastructure while remaining undetected. It was reported that Iran was forced to decommission around 20% of its centrifuges in the Natanz plant during attack.
SENAMI significantly increases the difficulty of executing such attacks and makes it a much less appealing attack vector for an ICS attacker.
The creators of SENAMI also believe this work highlights the importance of the need for bespoke security for ICS. SENAMI represents a specific solution for legacy Siemens S7 environments, but similar specific research must be done for each unique ICS environment.
F-Secure Consulting has noted that a driving factor behind work being done to improve IDS and their remit over ICS appears to be regulation or fear of regulation rather than risk of cyber attack damage. As can be seen from publicly reported cyber attacks against ICS, this risk is slowly but steadily increasing. Unless infrastructure operators take seriously the threat posed by running old ICS without the necessary protection in place, future events similar to the Ukraine and Iran attacks are a distinct possibility, especially as cyber attacks climb higher on the agendas of political powers and practitioners of corporate espionage.
The SENAMI paper was presented by Jardine at the 2nd ACM workshop on Cyber-Physical Systems Security and Privacy (CPS-SPC), co-located with the 23rd annual CCS conference in Vienna on October 28, and can be read in full here.