
ENISA Threat Landscape Report 2018. Some notes on SCADA/ICS systems and critical infrastructures.

This new ENISA report incorporates essential information and data for anyone who wants to stay abreast of current and future threats affecting any type of organization.

Yesterday, Monday, January 28, 2018, ENISA published its annual threat report, the ENISA Threat Landscape Report 2018 – 15 Top Cyberthreats and Trends, which you can download at this link.

As usual, the report incorporates essential information and data for anyone who wants to stay abreast of current and future threats that affect, I would say, any type of organization.

In the following figure, you can see the main threats that have emerged during 2018 and their position with respect to those detected during 2017.

Additionally, in this post we would like to point out some of the most important data collected in the report concerning SCADA/ICS systems and critical infrastructures.

Malware in SCADA/ICS environments

In section 3.1 of the report, it is highlighted that during the past year the Triton malware was the first to affect Safety Instrumented Systems (SIS), that is, the systems that execute “specific control functions” when the process enters conditions that can seriously endanger the safety of workers or cause serious environmental incidents.

In addition, the report indicates that, in the coming years, operating environments and critical infrastructures in general will be a priority target for APT groups.

Similarly, within this malware section, a specific type of malware, Cryptojacking, appears for the first time as a threat: malware that infects OT systems and devices so that the attacker can use them to mine cryptocurrency. In OT environments, this type of malware can significantly degrade system performance.

The report mentions the incident suffered by a critical infrastructure in the water sector in February 2018, involving this type of malware. As can be seen in the following figure from the report, attacks on critical infrastructures using “Cryptomining malware” have increased sharply in recent months.

Attack vectors in SCADA/ICS environments

In section 5 of the report, “Attack Vectors”, mention is made of the so-called “Multi-staged and Modular Threats”, that is, attacks carried out by groups that use very sophisticated, versatile and persistent malware. Some of the examples given are VPNFilter, BlackEnergy and CobInt, and these are their characteristics: self-propagation, self-destruction, hidden communications with the C2, persistent behaviour, obfuscation at the origin, etc.

The report provides a brief overview of the characteristics of VPNFilter, a malware that affected more than 500,000 networking devices. The following figure shows the stages this malware goes through to carry out its malicious actions.

Among the specific actions of this malware, it is worth noting that two “plugin modules” were found:

  • One consisting of a “sniffer” that collected traffic and data (passwords) from infected networks, as well as traffic associated with the Modbus protocol.
  • Another that provided communication through Tor.

Cyber espionage in critical infrastructures

Throughout the report, emphasis is placed on warning that organizations belonging to critical sectors are and will remain a preferred target for malicious actions. It should be noted that the importance of monitoring the so-called “Supply Chain attacks” is highlighted, as they are a growing threat.

On the other hand, the following data is significant: the use of RATs to exfiltrate sensitive information from OT networks and environments increased sharply during 2018. A graph is shown revealing the countries in which this technique has been used most. Spain also appears.

Some conclusions

  • Attackers change their techniques, tactics and procedures daily, improving and refining them.
  • Risk management, a common practice in organizations, must include risk management linked to cybersecurity and information systems.
  • End users are increasingly exposed to a huge number of threats.
  • It is highly recommended to increase training and awareness actions at different levels.
  • The differences between the regulatory and legal frameworks are a barrier to collecting information on threats.

From the industrial cybersecurity unit of Logitek we are, and want to remain, up to date with current and future threats, with the aim of fulfilling our mission: to help our clients improve the security levels of their processes, systems and infrastructures associated with OT environments and critical infrastructures.

Call us if you want to talk to us.