Claire Vacherot
Security Auditor, Orange Cyberdefense
The number of known malware families targeting industrial systems keeps increasing, and the trend intensified in 2022 with the war against Ukraine. These systems, also referred to as Operational Technology (OT), differ from the Information Technology (IT) that we are familiar with and can be described as the hardware and software components used to control physical and mechanical processes. OT includes equipment, protocols, software, and processes specifically used in manufacturing, energy, transportation, or even building management systems.
Historically, OT systems used to be closed, standalone systems. They eventually became interconnected and started using IT standards in addition to their own, to simplify the processes of supervision, operation and maintenance. In other words, the OT became reachable remotely to its authorized users, but also to illegitimate actors.
While industries have long been concerned about safety, cybersecurity was not a priority until a few years ago. Some thought that OT was not a relevant target, while others believed that the cybersecurity controls commonly endorsed on IT would not cope with the technical and operational differences of OT systems. Consequently, the level of awareness and the technical measures available to enforce it are often far behind what we can find on information systems, while the means of attackers have evolved. Fortunately, the situation has changed, and OT cybersecurity has emerged, with measures either specific to OT or borrowed from IT and adapted to the industrial world. Penetration testing is one of these measures.
A penetration test is used to simulate malicious operations performed by malware or an attacker, and this type of test is quite common in organizations' internal networks (IT). During such assessments, security auditors explore the system, trying to find exploitable flaws that could be combined into realistic attack scenarios. The aim is to provide a prioritized mitigation plan for these vulnerabilities, based on real-world attack techniques. It can also be used to raise awareness of cybersecurity risks. Needless to say, unlike real attackers, the auditors adapt their testing process to make sure that they don't disrupt the system. When applied to OT, this is probably the most important part of the tests. Indeed, many OT components are not designed to be exposed and may not handle invalid or superfluous network traffic and operations. Above all, involuntary disruptions may have disastrous consequences.
When performed on a running environment, the assessment requires an important preparatory phase. Sensitive components may be excluded from the tests to minimize the risks on availability and integrity while preserving the safety.
The most common entry point to the OT is through the IT, connected to the Internet. Several industrial malware such as the ones from the BlackEnergy family were introduced using phishing and spread until they reached the OT[84]. Therefore, most penetration testing processes start from the IT. The auditor tries to find a way to the OT, most likely by making use of network segmentation issues such as authorized network flows or dual-homed stations between the two environments. Another scenario consists of simulating an attack introduced directly in the OT, using a compromised device (maintenance station, USB drive, etc.), or via a device exposed on the Internet.
Once the OT is reached, the penetration tester first needs to identify its technical assets. She looks for workstations and servers as she would do on IT, but also for industrial components. This includes software, protocols, and devices such as programmable logic controllers (PLCs), HMIs, actuators, sensors, and any type of equipment that is not an IT asset. This discovery phase is usually conducted with the help of network scans.
However, as we discussed before, such an environment is likely to include old devices, and sending them unexpected network traffic may have harmful side effects. For this reason, additional information is required beforehand to locate critical or sensitive components. The auditor will still explore the network as an attacker would, but she will exclude or be careful with assets that could become unstable and take extra measures when contacting components (run restricted and targeted scans, use only genuine tooling, etc.). It is also important that a technical contact is available at any time on site during the assessment. This person is contacted immediately in case of a suspected issue.
The next step for the auditor is to search for vulnerabilities. The main difference with penetration tests on IT is that, here, she does not do any malicious operation nor action that may have side effects. For instance, it is strictly forbidden to run a man-in-the-middle attack to intercept traffic in industrial networks, while this is a common test on IT networks. So, how is a test conducted?
From our experience, we noticed that most of the time, an attacker who can reach an industrial component on the network is already able to misuse it or make it unavailable. Thus, the auditor first tries to reach as many components as possible. She may use the access she gains to find hosts with extended network permissions that can be used as "pivots" to access additional components.
Once accessed, the auditor evaluates the attack surface of the components. Assessing the cybersecurity of servers and workstations follows a similar process as on IT (namely, abusing Linux, Windows, and Active Directory weaknesses). This is different for the other industrial components. Here, the aim is to gain as much information as possible on each of them: what type of device it is, what it is used for, what it is interconnected to, which version is used by each of its modules, what network services are enabled, what functions are available, and how they are configured. As mentioned before, this is usually sufficient to show how damaging an attack could be. Indeed, many of them have not been designed or configured with cybersecurity in mind. For instance, a lot of industrial network protocols are neither encrypted nor authenticated: sending the appropriate network request may change a device's behavior. Also, it is common to find devices with unused services enabled, default credentials, or available security features disabled.
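As an added illustration of the "unauthenticated protocol" point above (this is example code, not from the article or Orange Cyberdefense, and it assumes Modbus/TCP, which the article does not name): a small Python check that parses the MBAP header of Modbus/TCP requests and flags state-changing function codes sent by hosts that are not on an allow-list, the kind of detection logic a defender can run over captured OT traffic. The sample flows are constructed, not captured.

```python
import struct

# Public Modbus function codes that modify PLC state (assumption: standard
# Modbus/TCP; the article names no specific protocol).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and the function code of one request."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError("not Modbus (protocol id must be 0)")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match payload size")
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}

def audit_flows(flows, authorized_writers):
    """Return one alert per write request whose source is not authorized."""
    alerts = []
    for src, dst, payload in flows:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError:
            continue  # malformed or non-Modbus payload: out of scope here
        name = WRITE_FUNCTIONS.get(req["function"])
        if name and src not in authorized_writers:
            alerts.append(f"{src} -> {dst} unit {req['unit']}: {name} (fc {req['function']})")
    return alerts

# Constructed sample flows (src, dst, raw TCP payload), hypothetical addresses.
SAMPLE_FLOWS = [
    # Read Holding Registers 0..8 on unit 1: ordinary supervision traffic
    ("10.0.1.20", "10.0.2.5", bytes.fromhex("000100000006010300000009")),
    # Write Single Register 0x0010 := 0xFFFF from an unexpected workstation
    ("10.0.1.77", "10.0.2.5", bytes.fromhex("00020000000601060010ffff")),
    # Same write from the engineering station on the allow-list
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("00030000000601060010ffff")),
]
AUTHORIZED_WRITERS = {"10.0.1.10"}

if __name__ == "__main__":
    for line in audit_flows(SAMPLE_FLOWS, AUTHORIZED_WRITERS):
        print(line)
```

The allow-list stands in for the authorized network flows mentioned earlier; in practice it comes from the asset inventory built during the discovery phase.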
Finally, it is likely that some components are exposed to public vulnerabilities, as updating and applying security patches on industrial systems is difficult considering operational and availability constraints. Malware such as Pipedream[85] embeds exploit code for several vulnerabilities targeting specific versions of PLCs. The auditor does not exploit these flaws in production, but may ask for a test environment, if available, to provide a proof of concept.
The last step is the reporting phase: all the findings are combined to build the attack scenarios, along with the remediation plan that will help prevent them. Although every plan is unique to its context, the first improvement we usually recommend is network segmentation between the IT and OT as well as between trust zones within the OT. As long as they are not secure, and even then, the best we can do is to ensure that no attacks reach industrial systems.
This story is published in our Security Navigator 2024, and there are many more. Check out the full report and download your copy here.