How the industrial infrastructure was attacked at The Standoff: traffic analysis with PT ISIM

At the most recent The Standoff, experts from PT Expert Security Center, acting as the global SOC of the cyber polygon, monitored the actions of the attacking and defending teams in the digital copy of the metropolis FF; the confrontation ran in real time and lasted 123 hours. Earlier we described how the global SOC tracked everything happening in the infrastructure of the virtual city, how the malware detection department caught and analysed “redimers” Trojans using PT Sandbox, and how we monitored all of the cyber polygon’s web resources with PT Application Firewall. Now let’s talk about the security of the technological networks of the virtual city’s facilities and the results of monitoring performed with PT Industrial Security Incident Manager (PT ISIM), a system for in-depth analysis of industrial network traffic.

In this article we describe which attacks on the technological segment of the city facilities’ network were detected by the system, and note how these threats relate to the real-world security level of industrial systems.

What was attacked at The Standoff

The city model on The Standoff cyber polygon included digital copies of infrastructure facilities controlled by real SCADA systems and PLCs, the same ones installed in real enterprises. Here are the elements and facilities that could be attacked by the red teams:

  • control systems for switches and barriers on the railway,

  • baggage conveyor at the airport,

  • telescopic gangway at the airport,

  • crane in the seaport,

  • HVAC of the business center,

  • a ferris wheel in an amusement park,

  • traffic lights in the business center,

  • street lighting,

  • substation (electricity supply of the whole city),

  • gate valves of an automated gas distribution station,

  • CHP turbine,

  • fire control cabinet for CHP,

  • wind turbines at a power plant,

  • production control systems at a petrochemical plant,

  • oil production control systems.

Now let’s look at the attacks, in our view the most interesting ones, that The Standoff global SOC detected with PT ISIM.

Stopping oil production

The Back2oaz and Codeby teams successfully attacked the company Nuft, which, in the city model, operated an oil field. The red teams gained access to the SCADA server and sent commands over a specialized industrial protocol, which caused an accident: the oil production process stopped. In reality, realization of such a business risk would lead to reputational damage, lost profit and a drop in the company’s market value.

The attack development chain looked like this:

  1. Unauthorized RDP connection from a host in the server segment, 172.20.61.2, to the SCADA server 172.20.22.11 (01:30). At this stage, access to the SCADA system was obtained.

  2. Sending CIP control commands from the SCADA server 172.20.22.11 to the PLC 172.20.23.11 (09:02). At this stage, various control commands were enumerated (requests were sent to different object classes, including proprietary ones: 0x349, 0x68 (SFC Forces), 0x6b (Symbol Object)). This may indicate that the attack was carried out using engineering software or specialized attack tooling.

Screenshot: RDP connection
Screenshot: cycling through CIP commands
Screenshot: control incident

In this case there was a CIP control action, and the attackers were apparently guessing commands blindly. The defenders in this situation should have taken active measures at the earlier stages of the attack, which were detected by MaxPatrol SIEM, PT Sandbox, PT NAD and PT ISIM. Naturally, under the rules of the exercise, only observation was performed. Once the ICS segment had been penetrated, the defenders had very little time to react to this attack, because from an observer’s point of view everything looked quite legitimate: a legitimate command to stop or change a setpoint is sent from the control workstation or from the SCADA server.

Here one could rely on a protocol command whitelisting mechanism, which would make the attackers’ command enumeration detectable. Then again, if the intruder already has data about the targeted facility, he will not brute-force anything but will immediately issue a dangerous command. In real life, malfunctions of systems are still more common, and with them the passage of dangerous commands or data through the network, which can be detected with continuous industrial traffic analysis systems and the whitelists already mentioned.
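The two detections discussed above for the oil-field case, an unauthorized connection to the SCADA server and a burst of CIP requests to object classes the SCADA server never normally touches, can be modelled with a simple allowlist checker over flow records. The example below is added here and is not PT ISIM code; the allowlists, thresholds and flow records are constructed for the example (the IP addresses and CIP class IDs 0x349, 0x68 and 0x6b are the ones quoted in the article), and the whitelisted classes 0x01, 0x02 and 0x6b are an assumed baseline for a tag-polling SCADA server.

```python
"""Allowlist checks over constructed ICS flow records (added example).

Not PT ISIM code. Models two checks for the oil-field attack: flagging
connections to the SCADA server whose (source, destination, protocol)
triple is not on an allowlist, and flagging CIP requests from the SCADA
server to the PLC that address object classes outside a per-PLC
whitelist, including a burst of many distinct classes within one minute
that looks like command enumeration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SCADA = "172.20.22.11"   # SCADA server (address from the article)
PLC = "172.20.23.11"     # PLC (address from the article)

# Constructed: flows that normal operation is expected to produce.
CONN_ALLOWLIST = {
    (SCADA, PLC, "CIP"),             # SCADA polling the PLC
    ("172.20.22.5", SCADA, "RDP"),   # hypothetical engineering workstation
}

# Constructed baseline: CIP object classes the SCADA server normally uses on
# this PLC (0x01 Identity, 0x02 Message Router, 0x6b Symbol Object for tag
# reads). 0x68 (SFC Forces) and the vendor class 0x349 from the article are
# deliberately absent.
CIP_CLASS_WHITELIST = {0x01, 0x02, 0x6b}


@dataclass(frozen=True)
class Flow:
    ts: str                           # "HH:MM", constructed timestamp
    src: str
    dst: str
    proto: str
    cip_class: Optional[int] = None   # CIP object class for CIP requests


def unauthorized_connections(flows):
    """Flows whose (src, dst, proto) triple is not on the allowlist."""
    return [f for f in flows if (f.src, f.dst, f.proto) not in CONN_ALLOWLIST]


def cip_class_violations(flows):
    """CIP requests that address an object class outside the whitelist."""
    return [f for f in flows
            if f.proto == "CIP" and f.cip_class is not None
            and f.cip_class not in CIP_CLASS_WHITELIST]


def cip_enumeration(flows, threshold=4):
    """(src, dst, minute, count) for minutes with >= threshold distinct classes.

    A polling cycle touches a small, stable set of classes, so many distinct
    classes from one source inside one minute is reported as enumeration.
    """
    seen = defaultdict(set)
    for f in flows:
        if f.proto == "CIP" and f.cip_class is not None:
            seen[(f.src, f.dst, f.ts)].add(f.cip_class)
    return [(src, dst, ts, len(classes))
            for (src, dst, ts), classes in sorted(seen.items())
            if len(classes) >= threshold]


# Constructed flow records loosely following the article's timeline.
SAMPLE_FLOWS = [
    Flow("01:30", "172.20.61.2", SCADA, "RDP"),   # server segment -> SCADA
    Flow("01:35", "172.20.22.5", SCADA, "RDP"),   # expected workstation
    Flow("08:55", SCADA, PLC, "CIP", 0x6b),       # normal tag polling
    Flow("09:02", SCADA, PLC, "CIP", 0x01),
    Flow("09:02", SCADA, PLC, "CIP", 0x02),
    Flow("09:02", SCADA, PLC, "CIP", 0x68),       # SFC Forces
    Flow("09:02", SCADA, PLC, "CIP", 0x6b),
    Flow("09:02", SCADA, PLC, "CIP", 0x349),      # vendor-specific class
]


def analyse(flows=SAMPLE_FLOWS):
    """Run all three checks and return the alerts keyed by check name."""
    return {
        "unauthorized_connections": unauthorized_connections(flows),
        "cip_class_violations": cip_class_violations(flows),
        "cip_enumeration": cip_enumeration(flows),
    }


if __name__ == "__main__":
    for kind, alerts in analyse().items():
        print(kind)
        for alert in alerts:
            print("  ", alert)
```

The connection check fires on the 01:30 RDP session alone, hours before any control traffic, which is the early stage the article says defenders should have acted on; the CIP checks fire on the 09:02 burst both because two classes are off-list and because five distinct classes appear in one minute, which is the enumeration pattern a whitelist makes visible even when each individual request is well-formed.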

Ferris wheel spun to extreme speed

Also located in the city of FF was the company 25 Hours, which in the scenario owned the amusement park. It faced an attack by the Back2oaz team, during which remote access to the SCADA server was obtained and commands were sent over a specialized industrial protocol. This made it possible to provoke an emergency: the attackers gained access to the Ferris wheel control system and raised the rotation speed of the ride to maximum, which caused the wheel to collapse.

The attack developed as follows:

  1. Unauthorized TCP connection from host 172.17.61.17 to SCADA server 172.17.22.11 (03:29). Most likely, this was reconnaissance.

  2. Unauthorized SMB connection from host 172.17.61.17 to SCADA server 172.17.22.11 (06:06). Searching files on a shared resource to find sensitive information or hints for further connections. A payload for later use can also be left at this stage.

  3. Unauthorized RDP connection from host 172.17.61.17 to SCADA server 172.17.22.11 (08:07). Access to the SCADA system was obtained.

  4. Changing parameters or issuing a control action on the mimic diagram, which caused a control command to be sent from the SCADA server 172.17.22.11 to the PLC 172.17.23.11 (08:25). Once the SCADA server had been penetrated, this part of the attack could have been performed quite simply, by issuing a command directly from the mimic diagram. Nevertheless, the attackers studied the system seriously, identified the control tags, and carried out a deliberate attack using engineering or special software. In this case, neither the SCADA system nor the PLC had protective mechanisms designed to prevent dangerous situations. It is important to note that from the NTA point of view the sent command is absolutely legitimate (unless the context of the technological process is taken into account, which can be configured at the level of PT ISIM proView Sensor).

This is how the attack appeared in the PT ISIM interface.

Screenshot: SCADA server interaction summary

The attackers were able to carry out a dangerous attack because, after penetrating the technological network, they studied the facility’s infrastructure. They gained access to the engineering software, figured out the control tags and wrote to them on the PLC. As in the case above, the defenders should have taken active steps at the earlier stages of the attack, which were detected by MaxPatrol SIEM, PT Sandbox, PT NAD and PT ISIM. After the ICS segment was penetrated, the defenders in this case had enough opportunity to react in real time, but under real conditions that would not be enough. During the exercise, when every incident is in plain sight, the attackers have several hours to bring the attack to completion; in real life, cybercriminals may have much more time both to study the infrastructure and to carry out the attack itself. At its final stage, such an attack can be detected by deep analysis of the industrial protocol combined with analysis of the configuration and identification of dangerous operator actions, such as exceeding the permissible wheel rotation speed or an unauthorized stop.
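The final-stage detection described above has to come from process context, because the tag write that drove the wheel to maximum speed is a legitimate command at the protocol level. The example below is added here and is not PT ISIM code: it applies per-tag engineering limits, a maximum step per write and a set of guarded tags to an already-decoded log of SCADA-to-PLC tag operations. The log format, tag names, limits and step sizes are constructed for the example; the IP addresses are the ones quoted in the article.

```python
"""Process-context checks on decoded tag writes (added example).

Not PT ISIM code. Input is a constructed, already-decoded log of
SCADA-to-PLC tag operations in the form "HH:MM src dst OP tag value".
Three rules are applied to WRITE operations: the value must lie inside the
tag's engineering limits, a setpoint must not jump by more than a
configured step in a single write, and writes to guarded tags (start/stop)
are always surfaced for review.
"""
from typing import List, Tuple

# Constructed engineering limits per writable tag: (min, max).
TAG_LIMITS = {
    "wheel_speed_sp": (0.0, 60.0),   # speed setpoint, constructed units
    "wheel_run": (0.0, 1.0),         # 1 = run, 0 = stop
}
# Constructed: largest setpoint change permitted in one write.
MAX_STEP = {"wheel_speed_sp": 10.0}
# Constructed: tags whose every write is surfaced, since a stop or start
# from the SCADA server is not part of routine polling.
GUARDED_TAGS = {"wheel_run"}

Alert = Tuple[str, str, str, float]   # (ts, kind, tag, value)


def parse_line(line: str):
    """Parse 'HH:MM src dst OP tag value' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, op, tag, value = parts
    try:
        return {"ts": ts, "src": src, "dst": dst, "op": op.upper(),
                "tag": tag, "value": float(value)}
    except ValueError:
        return None


def check_writes(lines: List[str]) -> List[Alert]:
    """Apply range, step and guarded-tag rules to WRITE operations."""
    alerts: List[Alert] = []
    last = {}   # last value written per tag, i.e. what the PLC was told
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] != "WRITE":
            continue
        ts, tag, value = rec["ts"], rec["tag"], rec["value"]
        if tag not in TAG_LIMITS:
            alerts.append((ts, "unknown_tag", tag, value))
            continue
        lo, hi = TAG_LIMITS[tag]
        if not lo <= value <= hi:
            alerts.append((ts, "out_of_range", tag, value))
        if tag in MAX_STEP and tag in last and abs(value - last[tag]) > MAX_STEP[tag]:
            alerts.append((ts, "large_step", tag, value))
        if tag in GUARDED_TAGS:
            alerts.append((ts, "guarded_tag", tag, value))
        last[tag] = value
    return alerts


# Constructed log loosely following the article's timeline.
SAMPLE_LOG = [
    "08:10 172.17.22.11 172.17.23.11 READ wheel_speed_sp 12",
    "08:20 172.17.22.11 172.17.23.11 WRITE wheel_speed_sp 12",
    "08:22 172.17.22.11 172.17.23.11 WRITE wheel_speed_sp 18",
    "08:25 172.17.22.11 172.17.23.11 WRITE wheel_speed_sp 100",   # to maximum
    "08:30 172.17.22.11 172.17.23.11 WRITE wheel_run 0",          # stop
    "08:31 172.17.22.11 172.17.23.11 WRITE brake_release 1",      # not in config
]


if __name__ == "__main__":
    for alert in check_writes(SAMPLE_LOG):
        print(alert)
```

Every line in the sample log comes from the SCADA server and is syntactically valid, so none of them would be caught by the connection and command allowlists; the 08:25 write is flagged only because the configuration says the setpoint may not exceed 60 and may not jump by more than 10 at a time, which is exactly the configuration-aware analysis the article says is needed at the last stage.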

Disruption and interruption of the chemical production process

The Nuft company mentioned above owned another important asset in the city, a petrochemical plant. The Back2oaz attacking team reached its technological network as well. They managed to log in to the SCADA server via RDP and to disrupt the PLC’s operation using specialized engineering software; as a result, a business risk was realized: disruption and stoppage of production. The possible consequences of such attacks in real life include license revocation, a drop in the company’s capitalization, resignation of management, injuries to the company’s employees, casualties among the city’s population, a man-made accident and an environmental disaster.

The attack development chain looked like this:

  1. Unauthorized RDP connection from 172.20.61.17 to SCADA server 172.20.22.10 (19:30). Access to the SCADA system was obtained.

  2. A command to reboot into service mode over a proprietary protocol, sent by the engineering software from the SCADA server 172.20.22.10 to the PLC 172.20.23.10 (01:51 the next day). To realize this risk, the attackers used the specialized PLC software that is routinely used in this technological process. Switching to service mode effectively stops execution of the main program and interrupts the technological process. In the absence of redundancy and protective mechanisms on the low-level controllers, this can lead to a serious accident, in particular overheating, disruption of the production process and, as a result, a complete production stop.

PT ISIM detected every step of the attackers.

Screenshot: RDP connection
Screenshot: command to switch the PLC to service mode
Screenshot: information exchange between SCADA server and PLC

Cyber polygons and reality

At The Standoff there were, of course, certain conditions that make life easier for attackers and should not exist at real industrial facilities, for example engineering software on control workstations or default passwords for access to various systems. In practice, however, these can still be found in the infrastructure of industrial companies. Cases of an industrial network being connected to a corporate network with Internet access are frequent. Under such conditions it is extremely important to use in-depth industrial traffic analysis systems together with other tools, such as SIEM systems and vulnerability management solutions; this makes it possible to detect attacks on industrial facilities and respond promptly to emerging threats.

Author: Sergey Petrov, Head of Industrial Systems Expertise Department Positive Technologies
