Industrial Control Systems Malware



This list may not be exhaustive. The ICS threat profile is meant to provide an overview of the most prevalent ICS malware impacting US victims and will be updated regularly with new information.


Industrial control systems (ICS) is a collective term for several types of control systems and other equipment used to operate and/or automate industrial processes, and includes supervisory control and data acquisition (SCADA) systems – often incorrectly used interchangeably with ICS – and distributed control systems (DCS).


Image Source: TrendMicro 


Types of ICS?

SCADA systems provide control at the supervisory level through Programmable Logic Controllers (PLCs) distributed across several field locations. They acquire and transmit data from those field sites to a centralized control system and are integrated with a Human Machine Interface (HMI) that provides centralized monitoring and control. SCADA systems are common in pipeline monitoring and control, water treatment and distribution, and electrical power transmission and distribution.

A DCS is used to control production systems found in one location. It controls valves and actuators, instructing them to operate to maintain a setpoint. It uses a centralized supervisory control loop to manage devices and controllers in the production process. A DCS can reduce the impact of a single fault on the system. These are commonly used in industries such as manufacturing, electric power generation, chemical manufacturing, oil refineries, and water and wastewater treatment. When implemented in an ICS environment, it may be coupled with SCADA systems.

Who uses ICS?

ICS devices are used in virtually every industrial and critical infrastructure sector, including energy, manufacturing, transportation, and water treatment.


Operational Technology (OT): All computing systems used in an operational environment. This includes the computers and other IT devices used in the business operation of the owner/operator, though in some instances the business network is improperly connected in one way or another to the operational environment.

Programmable Logic Controller (PLC): Used in SCADA systems and DCS to control and manage processes run through control devices, such as sensors and actuators. PLCs provide the same function as RTUs in SCADA system environments.

Master Terminal Unit (MTU): Issues commands to the Remote Terminal Units (RTUs) in the field.

Remote Terminal Unit (RTU): Microprocessor-controlled field device that receives commands and sends information to the MTU.

Human Machine Interface (HMI): A graphical user interface (GUI) application that connects the human operator to the industrial system controllers, allowing them to control and make changes to system components, such as PLCs. It often displays current and historical data from ICS devices. It monitors and configures setpoints, control algorithms, and establishes restrictions for the controllers.

Control Loop: Interprets signals from breakers, control valves, sensors, and switches, and transmits the data to the controller to complete a process. Control loops consist of PLCs, actuators, and other hardware.

Control Server: The server that hosts the DCS and PLC supervisory control software.

Data Historian: Central database for logs of all process information within the ICS.

Intelligent Electronic Device (IED): A “smart” device used by SCADA systems and DCS to acquire data, communicate with devices, and perform local processing and set controls automatically.


Modbus: One of the oldest ICS protocols, used to communicate with PLCs. Serial Modbus connections use the high-level data link control (HDLC) standard to transmit data, and Modbus-TCP uses the TCP/IP protocol stack to transmit data.

Common Industrial Protocol (CIP): Industrial protocol supported by ODVA for industrial automation applications. It allows these applications to be integrated with enterprise-level Ethernet networks and the internet. It is used in EtherNet/IP, DeviceNet, CompoNet, and ControlNet. 

Process Field Bus (PROFIBUS): A standard for communications in automation technology that facilitates the transmission of data from RTU to RTU, RTU to MTU, and MTU to MTU. The most common variant, PROFIBUS DP (decentralized peripherals), is used to operate sensors and actuators via a central controller. PROFIBUS PA (process automation) is application-specific and is used to monitor measuring equipment via a process control system.

Ethernet for Control Automation Technology (EtherCAT): An open-source communications protocol used to incorporate Ethernet into industrial environments. It is applied to automation applications with short data update times and low communication jitter.

Distributed Network Protocol (DNP3): A three-layer protocol operating at the data link, transport, and application layers; it is widely used in electric power and in water and wastewater treatment plants.

Building Automation and Control Networks (BACnet): A communications protocol designed to control heating, ventilating, and air-conditioning (HVAC); lighting; building access; and fire detection.


Defense-in-Depth: A strategy to improve a network’s security posture by layering defenses so that, in the event one defense fails, another defense will block the threat.

Network Segmentation: Separate vital components into security zones and implement layers of protection to isolate critical parts of the system.

Application Whitelisting: Detects and prevents attempted access or malware execution on an ICS by allowing only approved programs to run. Database servers and HMIs are ideal components on which to apply application whitelisting.

Patch Management: Components should be patched with the latest update and priority should be given to those components with the most accessibility. When updating is not feasible, apply workarounds when possible.

Physical and Logical Access Controls: Physical security controls should be applied around sensitive systems and components. Access Control Lists and the Principle of Least Privilege should be applied for network and system access.

Intrusion Detection Systems: Monitor system activity to identify potentially malicious activity on the network.

System Hardening: Only allow essential functions for various components and lock down all unnecessary features, functions, ports, and protocols.

Antivirus Software: Run antivirus on the network and keep malware signatures updated.

Endpoint Protection: Endpoints are considered to present the highest risk in an ICS-based organization and, therefore, protection of these assets is critical.

Configuration Management: Create change management policies and procedures for modifications made to hardware, firmware, and software to protect against improper modifications to the ICS.

Audits and Assessments: Test to verify the security of a system and the presence of any unpatched vulnerabilities.

Secure Remote Access: Use Firewalls, callback (for dial-up connections), Virtual Private Networks (VPNs), multi-factor authentication, and user access controls for secure remote access.
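The Modbus-TCP, Network Segmentation and Intrusion Detection Systems entries above come together in a simple network monitor: because Modbus carries no authentication, a defender can at least parse the MBAP header and alert when a write command to a PLC comes from a host that is not an authorized HMI or control server. The following is an added example written for this profile, not code from the page's source; the allowlisted address, the sample hosts and the hex frames are all constructed for illustration.

```python
import struct
from typing import List, Optional, Tuple

# Standard public Modbus function codes that change controller state.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}

# Hypothetical allowlist: only the HMI/control server may write to PLCs.
AUTHORIZED_WRITERS = {"10.10.1.5"}


def parse_mbap(frame: bytes) -> Optional[dict]:
    """Parse the 7-byte Modbus/TCP MBAP header plus the PDU function code.
    Returns None for anything that is not a well-formed Modbus/TCP request."""
    if len(frame) < 8:
        return None
    tx_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    # Protocol identifier is always 0 for Modbus; length counts unit id + PDU.
    if proto_id != 0 or length != len(frame) - 6:
        return None
    return {"tx_id": tx_id, "unit_id": unit_id, "function": frame[7], "pdu": frame[7:]}


def detect_unauthorized_writes(packets: List[Tuple[str, bytes]]) -> List[str]:
    """Return one alert per malformed frame or write from a non-allowlisted host."""
    alerts = []
    for src, frame in packets:
        msg = parse_mbap(frame)
        if msg is None:
            alerts.append(f"{src}: malformed Modbus/TCP frame")
            continue
        name = WRITE_FUNCTION_CODES.get(msg["function"])
        if name and src not in AUTHORIZED_WRITERS:
            alerts.append(f"{src}: unauthorized {name} (fc={msg['function']}) to unit {msg['unit_id']}")
    return alerts


# Constructed sample traffic (not real captures): tx id | proto | length | unit | PDU.
SAMPLE_PACKETS = [
    ("10.10.1.20", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),          # fc 3 read: benign
    ("10.10.1.5", bytes.fromhex("0002 0000 0006 01 06 0010 00FF")),           # fc 6 write from HMI: allowed
    ("172.16.40.9", bytes.fromhex("0003 0000 0009 01 0F 0013 000A 02 CD01")), # fc 15 from business host
    ("172.16.40.9", bytes.fromhex("0004 0001 0006 01 03 0000 000A")),         # protocol id != 0
]

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_PACKETS):
        print(alert)
```

In a segmented network the allowlist is simply the set of hosts in the control zone that are permitted to issue writes; any write seen from the business zone indicates either a misconfigured boundary or an intrusion.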

Incident reporting

If you or your organization is the victim of ICS Malware, please contact a Cyber Liaison Officer at