Critical Infrastructure. It’s what keeps the lights on, the water safe to drink, the planes in the sky. Everything we take for granted, yet it has to run 24/7, and nobody really understands how it works except the people who operate it. There was a time when this equipment was kept offline, in its own little realm. Not anymore. It’s far more connected now, and far more exposed and vulnerable.

Major Attacks on ICS / SCADA / Critical Infrastructure

Stuxnet: Daisy-chaining zero-days to quietly wreck uranium-enrichment centrifuges at Iran’s Natanz facility. Discovered in 2010, the attack is the stuff of legend, far from simplistic, and honestly still my favourite bedtime story. “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon” by Kim Zetter is fascinating and filled with all the detail, politics and twists that make a bestseller.

Saudi Aramco: Revenge isn’t always a dish best served cold. In 2012 the highly destructive Shamoon wiper, widely attributed to Iran, hit Saudi Arabia’s national oil company, Saudi Aramco, wiping some 30,000 workstations and crippling the corporate network for weeks. Oil production itself kept running, but the business side of the company was all but destroyed and had to be rebuilt from scratch.

BlackEnergy and CrashOverride: December 2015 and December 2016 were when the lights literally went out in Ukraine, courtesy of a highly sophisticated Russian GRU-linked APT group known as “Sandworm”. The 2015 outage used BlackEnergy to get operators onto the distribution networks, where they opened breakers by hand through the HMIs; the 2016 outage used CrashOverride (also called Industroyer), malware that speaks grid protocols and can open breakers on its own. I love Andy Greenberg’s book “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers”, which tells a number of cautionary tales about how easily we overlook the small, carefully planned steps that lead to a major event.

Triton: In 2017, somebody was tampering with the safety instrumented system (SIS) at a large petrochemical plant in Saudi Arabia. What could go wrong? The “Triton” (also “Trisis”) malware targeted Schneider Electric Triconex safety controllers, the last line of defence that trips a process before it reaches a dangerous state. An attacker who can reprogram those controllers can stop them tripping when they should, letting the plant run into a catastrophic condition undetected, or trip them when they shouldn’t, forcing a costly unplanned shutdown. It was only caught because a controller faulted into its safe state and shut the plant down, which prompted the investigation that found the malware.

Ransomware and ICS

Snake, or Ekans, ransomware established a significant presence through attacks targeting ICS environments. First identified around the turn of 2020, it was unusual in that before encrypting it terminated a hard-coded list of processes, many of them ICS software such as GE Proficy and Honeywell HMIWeb, so that the files those applications hold open could be encrypted too. During 2020 its operators hit German healthcare group Fresenius, then automobile manufacturer Honda, followed by energy company Enel Group.
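Ekans did not exploit anything ICS-specific; its ICS flavour was that it killed a hard-coded list of industrial processes before encrypting. That behaviour is noisy and detectable from ordinary endpoint telemetry. The detector below is an added example and not code from the page, from Dragos, or from any product: it scans constructed process-termination log lines (the `key=value` format, the host names, the `update.exe` killer and the watch-list names are all assumed for the example, not the real Ekans kill list) and raises an alert when one process terminates several watched ICS processes on the same host within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative watch-list of ICS/OT process names. These are assumed stand-ins
# for the example, not the real Ekans kill list (which Dragos published in 2020).
WATCHED_PROCESSES = {
    "proficyserver.exe", "hmiweb.exe", "historian.exe",
    "lmgrd.exe", "opcserver.exe",
}

# Constructed telemetry lines in an assumed "timestamp key=value ..." format,
# as an EDR or Sysmon-style process-termination feed might be normalised to.
SAMPLE_TELEMETRY = [
    "2020-06-08T03:14:07Z host=HMI01 event=process_terminated image=hmiweb.exe killer_pid=4120 killer_image=update.exe",
    "2020-06-08T03:14:08Z host=HMI01 event=process_terminated image=proficyserver.exe killer_pid=4120 killer_image=update.exe",
    "2020-06-08T03:14:09Z host=HMI01 event=process_terminated image=lmgrd.exe killer_pid=4120 killer_image=update.exe",
    "2020-06-08T03:14:10Z host=HMI01 event=process_terminated image=notepad.exe killer_pid=4120 killer_image=update.exe",
    "2020-06-08T03:20:00Z host=ENG02 event=process_terminated image=opcserver.exe killer_pid=880 killer_image=services.exe",
    "2020-06-08T09:00:00Z host=ENG02 event=process_terminated image=historian.exe killer_pid=880 killer_image=services.exe",
]


def parse_event(line):
    """Parse one telemetry line into a dict; the leading token is the UTC timestamp."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_mass_kill(lines, window=timedelta(seconds=60), threshold=3,
                     watched=WATCHED_PROCESSES):
    """Return one alert per (host, killer) that terminated at least `threshold`
    distinct watched processes within `window`. Kills of unwatched processes
    (e.g. notepad.exe) are ignored so routine activity does not inflate the count."""
    kills = defaultdict(list)  # (host, killer_pid, killer_image) -> [(ts, image)]
    for line in lines:
        event = parse_event(line)
        if event.get("event") != "process_terminated":
            continue
        image = event["image"].lower()
        if image not in watched:
            continue
        key = (event["host"], event["killer_pid"], event["killer_image"])
        kills[key].append((event["ts"], image))

    alerts = []
    for (host, pid, killer), events in kills.items():
        events.sort()
        # Slide a window starting at each kill; alert once per killer on the
        # first window that contains enough distinct watched victims.
        for i, (start, _) in enumerate(events):
            victims = {img for ts, img in events[i:] if ts - start <= window}
            if len(victims) >= threshold:
                alerts.append({
                    "host": host,
                    "killer_pid": pid,
                    "killer_image": killer,
                    "killed": sorted(victims),
                    "first_seen": start,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_kill(SAMPLE_TELEMETRY):
        print(f"ALERT {alert['host']}: {alert['killer_image']} (pid {alert['killer_pid']}) "
              f"killed {', '.join(alert['killed'])} starting {alert['first_seen']:%H:%M:%S}")
```

On the constructed sample this flags `update.exe` on HMI01, which kills three watched processes in two seconds, and stays quiet for ENG02, where two watched processes stop hours apart. The threshold and window are the tuning knobs: on an engineering workstation where a legitimate software update stops a historian and an OPC server together, raise the threshold or restrict the watch-list rather than accept the noise.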

LockerGoga and Norsk Hydro: What happens when destructive ransomware hits a major manufacturing operation hard? In March 2019 the Norwegian aluminium producer Norsk Hydro found out: months of disruption, plants run by hand with pen and paper, and tens of millions of dollars spent on remediation. Norsk Hydro did all the right things, refused to pay, and was commendably open about sharing what happened and how they were handling it.

Dale Peterson, or @digitalbond, highlights how ransomware in ICS differs, and what we should know, in his piece here: https://www.linkedin.com/pulse/ransomware-icsscada-its-happening-predictions-dale-peterson . Bricking the PLC seems to be the big hurt: PLCs usually aren’t redundant, recovery depends on having a recent, verified copy of the controller logic to reload, and the ability to do forensics on them is very limited.

Who Ya Gonna Call?

What do you do when things go very, very wrong in this specialized realm? When you’re likely the target of a state-sponsored attack, you need superheroes.

Dragos Inc: From their site, and I wouldn’t change a word: Dragos was founded by renowned ICS/OT practitioners who have defeated adversaries for the U.S. government, ally nations, and global firms. Today, Dragos is on a mission to protect the world’s most critical infrastructure and safeguard civilization. You can read their latest annual report “2020 ICS Year in Review”