DTS Solution
DTS Solution

ICS MITRE ATT&CK Technique

ICS MITRE ATT&CK Technique

ABOUT DTS SOLUTION
Securing OT and ICS environments has always remained a priority for DTS Solution. Having performed OT cyber security risk assessment and built cyber security management systems (CSMS) for major enterprises operating OT facilities across the region. There is a not a single industry where OT plays a major role that DTS has not assessed; airports, nuclear, petrochemical, power generation and transmission, water desalination, manufacturing, agriculture, oil and gas and even maritime and marine and the list continues to grow. As we continue on the mission on helping our customers secure their environment; it is clear to see the importance of OT cyber security given we live in a very connected world.
Traditional OT OEM vendors are now also challenging this exact tradition by introducing virtualization and micro-services in the OT environment, introducing remote diagnostic service to remotely monitor and perform preventative maintenance of the OT environment; deploying functional service that are not plant critical into the cloud and so on. Digital transformation in the IT has already started and we can clearly see pace gathering for the OT environment.
In this series of blogs; we will be introducing the important OT cyber security and how MITRE ATT&CK framework can support in cyber-threat management.
Introduction

ICS/OT networks continue to be targeted by cyber-attacks as the stakes are higher and the damage is greater, compared to enterprise networks. MITRE has recently published its first ICS MITRE framework which highlight the differences between ICS /OT and IT network in term of attack tactics and techniques used by adversaries. The publishing of the framework recognizes the growing concern of cyber threats on OT environment. The MITRE ATT&CK is a global knowledge base framework that could be easily accessed by organization and individuals.

The Purdue Model
Despite the OT environments heavy dependence on IT infrastructure and network components (predominantly from Level 3.5 to Level 2) – MITRE Enterprise ATT&CK technique will not yield significant results when applied to OT networks; the OT environment is different in perspective.
To understand how the ICS MITRE ATT&CK framework work you need to understand how the ICS/OT network is designed and segmented to ensure secure network. The Purdue model is good starting point as to how to design and segment the OT network.
The Purdue model defines segregating the ICS/OT into different level from level 0 up to level 5 depending on the functionality of each device on the network and level. A typical example of the Purdue model is illustrated below;
  • Level 0 Basic Control such Sensors, Actuators, Pumps, Valves etc. from the field mostly hard-wired devices connected to the field
  • Level 1 DCS Controllers and PLC
  • Level 2 Engineering Workstation (EWS) and HMI
  • Level 3 ICS Management Applications, OPC Servers, Historian
  • Level 3.5 Patch Management and Windows System Updates and Anti-Virus Server
  • Level 4 Business Network, Business Intelligence
  • Level 5 Internet Edge
The Purdue Model – Security Zoning and Conduits
It is also worth mentioning that many existing OT environments were not built with security in mind, which makes them very vulnerable to cyber-attack. Each level of the network within the Purdue model poses a cyber-threat if not properly secured.

The Purdue model ensures secure network architecture by defining security zones and isolating networks or creating segments based on industrial process and its criticality in terms of safety and functionality; thereby minimizing cyber risks should an attack occur at the business network or within the plant itself.

ICS MITRE ATT&CK
Segregating and segmenting the OT network as per the highlighted Purdue model gives a pictorial architecture representation of the network. Introducing security zonings and conduits ensure Purdue model also follow “restriction of data flow”, a key requirement in implementing security assurance levels in OT environment.
The ICS MITRE ATT&CK framework provides a detailed outlook in term of attack tactics and techniques used by adversaries targeting ICS environments. Malware targeting ICS environments generally follow a unique set of tactics and techniques as they are designed to target OT environment that have very unique characteristics.
In terms of ICS environment; the ICS MITRE ATT&CK framework is a breakthrough as ICS security vendors, practitioners and consultants now have a framework to use when understanding ICS targeted cyber-attacks. The framework has many benefits; can be used to reverse engineer the exact tactics and techniques used by malware to impact industrial facilities; can also be used to design ICS environments and networks to counter measure against these techniques.

Securing the attack surface within the ICS environment using various hardening techniques will ensure defense-in-depth security. The ICS MITRE ATT&CK technique has defined eleven techniques is to how an adversary could attack OT network;

  1. Initial Access: The attacker needs to establish a foot hold on the ics network
  2. Execution: The attacker executes a code on the network
  3. Persistence: The attacker continues to maintain his foothold on the network
  4. Evasion: The attacker continues to remain hidden in the network and avoid to be detected
  5. Discovery: The attacker use techniques to survey the ics network
  6. Lateral movement: The attacker use techniques to enter and control the network
  7. Collection: The attacker collects information about the ICS system that will aid him in launching attack
  8. Command and Control: The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment.
  9. Inhibit response function: The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.
  10. Impair process control: The adversary is trying to manipulate, disable, or damage physical control processes.
  11. Impact: The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment.
Leverage ICS MITRE ATT&CK Model to Improve Cyber Defense
In terms of ICS environment; the ICS MITRE ATT&CK framework is a breakthrough as ICS security vendors, practitioners and consultants now have a framework to use when understanding ICS targeted cyber-attacks. The framework has many benefits; can be used to reverse engineer the exact tactics and techniques used by malware to impact industrial facilities; can also be used to design ICS environments and networks to counter measure against these techniques.
DTS Solution has used the ICS MITRE ATT&CK model to solve various problem statements at customer sites and some of them are listed below;
  • Identification of technical gaps in ICS cyber security controls and creation of defensive strategies to identify attacks during each phases of the attack-lifecycle (tactics in ICS MITRE ATT&CK)
  • Development of effective ICS/OT monitoring use cases for the SOC / SIEM – ensuring that specific security events mapped to the ICS MITRE ATT&CK techniques trigger an alert.
  • Develop effective ICS threat intelligence and ICS incident triage and response activities by understand how malware compromise occurs and its lifecycle
  • Help train field and OT field workers and site operators in understanding of ICS threat behaviors
  • Help your red, blue and purple team to perform adversary emulation; testing of security controls and defenses in an OT testbed if you have one
An example of a real-world cyber-attack scenario is shown below; where each technique being executed across the different stages / tactics of the cyber-attack lifecycle to eventually cause business loss or damage.
Conclusion
It is extremely practical for organizations to use the ICS MITRE ATT&CK framework in order to design and build a secure OT network. The framework is a good starting point when conducting cyber risk assessment to identify gaps in defense, prevention and monitoring controls, reverse engineering and analyzing attack surface and doing OT incident response.
Several recent ICS cyber-attack malwares where analyzed using this framework to provide context in to how each malware functions and what tactics and techniques it uses to infiltrate and damage industrial facilities; giving great insight into what was unknown before.

It’s vital for international standard, security vendors, consulting and advisory firms that regulates ICS cyber security to adopt such a framework to improve overall cyber security posture.

ICS MITRE ATT&CK Technique
ABOUT DTS SOLUTION
Securing OT and ICS environments has always remained a priority for DTS Solution. Having performed OT cyber security risk assessment and built cyber security management systems (CSMS) for major enterprises operating OT facilities across the region. There is a not a single industry where OT plays a major role that DTS has not assessed; airports, nuclear, petrochemical, power generation and transmission, water desalination, manufacturing, agriculture, oil and gas and even maritime and marine and the list continues to grow. As we continue on the mission on helping our customers secure their environment; it is clear to see the importance of OT cyber security given we live in a very connected world.
Traditional OT OEM vendors are now also challenging this exact tradition by introducing virtualization and micro-services in the OT environment, introducing remote diagnostic service to remotely monitor and perform preventative maintenance of the OT environment; deploying functional service that are not plant critical into the cloud and so on. Digital transformation in the IT has already started and we can clearly see pace gathering for the OT environment.
In this series of blogs; we will be introducing the important OT cyber security and how MITRE ATT&CK framework can support in cyber-threat management.
Introduction
ICS/OT networks continue to be targeted by cyber-attacks as the stakes are higher and the damage is greater, compared to enterprise networks. MITRE has recently published its first ICS MITRE framework which highlight the differences between ICS /OT and IT network in term of attack tactics and techniques used by adversaries. The publishing of the framework recognizes the growing concern of cyber threats on OT environment. The MITRE ATT&CK is a global knowledge base framework that could be easily accessed by organization and individuals.
The Purdue Model
Despite the OT environments heavy dependence on IT infrastructure and network components (predominantly from Level 3.5 to Level 2) – MITRE Enterprise ATT&CK technique will not yield significant results when applied to OT networks; the OT environment is different in perspective.
To understand how the ICS MITRE ATT&CK framework work you need to understand how the ICS/OT network is designed and segmented to ensure secure network. The Purdue model is good starting point as to how to design and segment the OT network.
The Purdue model defines segregating the ICS/OT into different level from level 0 up to level 5 depending on the functionality of each device on the network and level. A typical example of the Purdue model is illustrated below;
  • Level 0 Basic Control such Sensors, Actuators, Pumps, Valves etc. from the field mostly hard-wired devices connected to the field
  • Level 1 DCS Controllers and PLC
  • Level 2 Engineering Workstation (EWS) and HMI
  • Level 3 ICS Management Applications, OPC Servers, Historian
  • Level 3.5 Patch Management and Windows System Updates and Anti-Virus Server
  • Level 4 Business Network, Business Intelligence
  • Level 5 Internet Edge
The Purdue Model – Security Zoning and Conduits
It is also worth mentioning that many existing OT environments were not built with security in mind, which makes them very vulnerable to cyber-attack. Each level of the network within the Purdue model poses a cyber-threat if not properly secured.
The Purdue model ensures secure network architecture by defining security zones and isolating networks or creating segments based on industrial process and its criticality in terms of safety and functionality; thereby minimizing cyber risks should an attack occur at the business network or within the plant itself.
ICS MITRE ATT&CK
Segregating and segmenting the OT network as per the highlighted Purdue model gives a pictorial architecture representation of the network. Introducing security zonings and conduits ensure Purdue model also follow “restriction of data flow”, a key requirement in implementing security assurance levels in OT environment.
The ICS MITRE ATT&CK framework provides a detailed outlook in term of attack tactics and techniques used by adversaries targeting ICS environments. Malware targeting ICS environments generally follow a unique set of tactics and techniques as they are designed to target OT environment that have very unique characteristics.
In terms of ICS environment; the ICS MITRE ATT&CK framework is a breakthrough as ICS security vendors, practitioners and consultants now have a framework to use when understanding ICS targeted cyber-attacks. The framework has many benefits; can be used to reverse engineer the exact tactics and techniques used by malware to impact industrial facilities; can also be used to design ICS environments and networks to counter measure against these techniques.
Securing the attack surface within the ICS environment using various hardening techniques will ensure defense-in-depth security. The ICS MITRE ATT&CK technique has defined eleven techniques is to how an adversary could attack OT network;
  1. Initial Access: The attacker needs to establish a foot hold on the ics network
  2. Execution: The attacker executes a code on the network
  3. Persistence: The attacker continues to maintain his foothold on the network
  4. Evasion: The attacker continues to remain hidden in the network and avoid to be detected
  5. Discovery: The attacker use techniques to survey the ics network
  6. Lateral movement: The attacker use techniques to enter and control the network
  7. Collection: The attacker collects information about the ICS system that will aid him in launching attack
  8. Command and Control: The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment.
  9. Inhibit response function: The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state.
  10. Impair process control: The adversary is trying to manipulate, disable, or damage physical control processes.
  11. Impact: The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment.
Leverage ICS MITRE ATT&CK Model to Improve Cyber Defense
In terms of ICS environment; the ICS MITRE ATT&CK framework is a breakthrough as ICS security vendors, practitioners and consultants now have a framework to use when understanding ICS targeted cyber-attacks. The framework has many benefits; can be used to reverse engineer the exact tactics and techniques used by malware to impact industrial facilities; can also be used to design ICS environments and networks to counter measure against these techniques.
DTS Solution has used the ICS MITRE ATT&CK model to solve various problem statements at customer sites and some of them are listed below;
  • Identification of technical gaps in ICS cyber security controls and creation of defensive strategies to identify attacks during each phases of the attack-lifecycle (tactics in ICS MITRE ATT&CK)
  • Development of effective ICS/OT monitoring use cases for the SOC / SIEM – ensuring that specific security events mapped to the ICS MITRE ATT&CK techniques trigger an alert.
  • Develop effective ICS threat intelligence and ICS incident triage and response activities by understand how malware compromise occurs and its lifecycle
  • Help train field and OT field workers and site operators in understanding of ICS threat behaviors
  • Help your red, blue and purple team to perform adversary emulation; testing of security controls and defenses in an OT testbed if you have one
An example of a real-world cyber-attack scenario is shown below; where each technique being executed across the different stages / tactics of the cyber-attack lifecycle to eventually cause business loss or damage.
Conclusion
It is extremely practical for organizations to use the ICS MITRE ATT&CK framework in order to design and build a secure OT network. The framework is a good starting point when conducting cyber risk assessment to identify gaps in defense, prevention and monitoring controls, reverse engineering and analyzing attack surface and doing OT incident response.
Several recent ICS cyber-attack malwares where analyzed using this framework to provide context in to how each malware functions and what tactics and techniques it uses to infiltrate and damage industrial facilities; giving great insight into what was unknown before.

It’s vital for international standard, security vendors, consulting and advisory firms that regulates ICS cyber security to adopt such a framework to improve overall cyber security posture.

See also:

What to Train Your User for Effective Email Security

June 9, 2020

Cyber Threat Management with MITRE ATT&CK–PART 1

June 1, 2020

Shah Sheikh spoke to Gulf News about How to Secure Home Network for Remote Working

May 20, 2020

Linkedin X-twitter Facebook Youtube

© Copyrights 2024.
All rights reserved by DTS Solution 
– Cyber Security Redefined

Solutions

Network and Infrastructure Security
Zero Trust and Private Access
Endpoint and Server Protection
Vulnerability and Patch Management
Data Protection
Application Security
Secure Software and DevSecOps
Cloud Security
Identity Access Governance
Governance, Risk and Compliance
Security Intelligence Operations
Incident Response

Industry

Critical Infrastructure
Education
Energy and Utilities
Enterprise and Service Providers
Financial Services and FinTech
Government
Healthcare and BioTech
Legal
Manufacturing
Media and Entertainment
Retail and Ecommerce
Technology and Digital

Services
Cyber Strategy
Cyber Secure
Cyber Operations
Cyber Response
Cyber Resilience
Products

COMPLYAN
FYNSEC
HAWKEYE CSOC WIKI
Firewall Policy Builder

Other

About Us
Awards
Board of Directors
Leadership
Careers
Support
Contact
Vendors
Resources
Press Center
Privacy Policy

Accreditations
ISO27001
ISO45001
CREST
Accreditations
ISO27001
ISO45001
CREST

  Dubai

Office 4, Oasis Center
Sheikh Zayed Road
PO Box 128698
Dubai, UAE

+971 4 3383365
[email protected]
   Abu Dhabi

Office 7, Floor 14
Makeen Tower, Al Mawkib St.
Al Zahiya Area
Abu Dhabi, UAE

+971 2 6573566
[email protected]

   Kuwait

Mezzanine Floor, Tower 3
Mohammad Thunayyan Al-Ghanem Street, Jibla
Kuwait City, Kuwait


+971 4 3383365
[email protected]

   London

160 Kemp House, City Road
London, EC1V 2NX
United Kingdom
Company Number: 10276574

+44 20 3287 3942
[email protected]

The website is our proprietary property and all source code, databases, functionality, software, website designs, audio, video, text, photographs, icons and graphics on the website (collectively, the “Content”) are owned or controlled by us or licensed to us, and are protected by copyright laws and various other intellectual property rights. The content and graphics may not be copied, in part or full, without the express permission of DTS Solution LLC (owner) who reserves all rights.

DTS Solution, DTS-Solution.com, the DTS Solution logo, HAWKEYE, FYNSEC, FRONTAL, HAWKEYE CSOC WIKI and Firewall Policy Builder are registered trademarks of DTS Solution, LLC.