Session 4: Cyber Risks to ICS

Q: Is there any document for basic ICS & cyber risk?


A: The web site: https://www.cisa.gov/ics is an excellent resource for reference documents:
https://us-cert.cisa.gov/related-resources and more on-line training:
https://us-cert.cisa.gov/ics/Training-Available-Through-ICS-CERT
Q: For cyber risk assessments, CISA has the Cyber Resilience Review, via the CSA Program.
A: See the following: https://us-cert.cisa.gov/resources/assessments
Q: Do you recommend the NIST 800-53 controls or other guides/standards?
A: NIST Special Publication (SP) 800-53 is the Recommended Security Controls for Federal
Information Systems and Organizations. SP 800-82 is the Guide to ICS Security. DHS/CISA has a free
tool (CSET) which will help organizations determine their cybersecurity posture:
https://github.com/cisagov/cset/releases
Q: From your OSINT slide… Could you elaborate a bit on what types of information the
regulatory organizations may inadvertently release/publish about organizations - and how might
this information be used by wrong-doers?
A: The FCC in the U.S. is an example of an organization that requires extensive documentation on
devices using communications. For devices using wireless communications, that documentation
includes internal and external photos, design schematics, chips used, power requirements, transmit
and receive frequencies, and more. For wireless communication towers, information that is
available to the public includes tower locations, ownership of towers and antennas along with
owner contact information, antenna types, power levels, transmit and receive frequencies, and
more. All of this information is available to the public. While the information may seem
inconsequential, attackers can use it for social engineering, cyber-physical attacks, and may be able
to figure out other technologies interfacing with the equipment. Owners can request that certain
information be redacted or protected from the public. The point here isn’t necessarily how to
address this with a regulator, but an exercise in thinking of potential risks that might be
accompanied with exposure of company information that regulators have to share with the public.
It may result in you wanting to place additional security measures, but it may not.
Q: Do you have any more examples of train networks and systems?
A: See attached pdf file
Q: The link provided (web address) for the DNI report doesn't seem to work. Can you reply with
the correct web address?
A: https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf
Q: What are all the processes and tools to be used to increase gap between vulnerability and
mitigation?
A: First, a valid asset list must be compiled. Second, the assets must be investigated to determine
vulnerabilities and deficiencies. Finally, patches, updates, upgrades and isolation must be
administered to minimize the gap between vulnerabilities and mitigations.
Q: Will this slide presentation be available?
A: We will be sending out an email with a link for you to view the recorded session.
Q: Is the recorded link for last week's presentation also available, along with certificate? Thanks.
A: It is not uploaded yet but should be available this week.
Q: As an Auditor of critical infrastructures (e.g. drinking and clean water facilities, sewer
utilities, flood facilities) in New Jersey, this is of interest. Are there more known examples of
compromised infrastructures available?
A: See attached pdf file.
Q: They can start by visiting www.cisa.gov/ICS
A:
Q: Can you add more current attacks examples?
A: See attached pdf file.
Q: If you can create a package of multiple sectors will be great.
A: See attached pdf file.
Q: On the Threat Trend slide, how did the “attack sophistication” increase while the “intruder
knowledge” decreased?
A: As hackers created attacks, they placed the code on the internet to get notoriety; the next
hacker modified or enhanced the code and placed that code on the internet, and the attacks got
better and better.
Q: Why are there so few defensive tools available for the ICS environment?
A: ICS environments are very complex and diverse, with components not built to support
cybersecurity capabilities. Because the components are so different, it is difficult for vendors to
develop cyber tools that will defend a broad array of devices without a lot of customization.
Vendors want to make money and customization eats up profits really quickly.
Q: Can you give some examples of attacks that were modified from previous malware?
A: The Sony rootkit was instrumental in rootkits being included in most modern malware.
Crimeware kits used to compromise websites gained popularity and compromised websites
escalated correspondingly. SQL injection attacks were a leading threat and claimed many victims
such as IKEA. Stuxnet had spin-offs Duqu and Flame. CryptoWall and CryptoDefense were
spin-offs of Cryptolocker.
Q: What types of malware are there?
A: The six most common types of malware are viruses, worms, Trojan Horses, spyware, adware,
and ransomware. There are variations on some of these six, such as malvertising, a form of
adware. Hybrids and Exotics are a combination of different types of malware, relying on each
type to propagate through a computer and/or network.
Q: I know IoT/IIoT was not covered, but what are the cyber risks associated with IoT/IIoT and
have there been compromises of these devices?
A: On October 21st, 2016, a widespread cyberattack took advantage of IoT vulnerabilities,
infecting hundreds of thousands of connected devices without their owners’ knowledge. This
toxic piece of malware is known as Mirai. IIoT devices use cellular technology and there are
some malware such as SMiShing, Simplocker and Gazon that were developed to compromise this
technology.
Q: How do we get our employees to be more cyber aware?
A: Here at the lab, our IT department has instituted a number of different awareness programs.
We have phishing campaigns throughout the year. They are conducting a phishing contest right
now to see which team(s) can recognize the most phishing emails.
Q: What other large organizations have been compromised?
A: Saudi Aramco (Shamoon), Iranian uranium enrichment facility near Natanz (Stuxnet), Sony
Pictures (Data mining attack), A. P. Moller-Maersk shipping (NotPetya) to name a few.
Q: Can you please provide more clarity on what the purple line indicates on the Threat Trend
diagram?
A: The purple curve represents the timeline when hackers started to target ICS. That is why the
intruder knowledge is indicated as “high”. But once attack code was developed and placed on the
internet, other hackers took the code and changed or enhanced it for other attacks, such as the
spin-offs stated earlier.
Q: Are boxes running Windows Software the largest target on the ICS?
A: Windows systems are generally the most vulnerable devices on ICS networks, because the
ICS systems are 10, 20 or more years old. Therefore, the Windows systems are, for the most part,
end-of-life, and patches are not available for the vulnerabilities that exist on them.
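The two answers above, the three-step process (asset list, vulnerability check, then patch/upgrade/isolate) and the point that end-of-life Windows hosts have no patches to apply, can be put together as one small workflow. The script below is an added example written for this page; it is not code from the presenters or from CISA, and the product names, versions, advisory identifiers, zones and dates are constructed for illustration. It matches an inventory against a list of advisories, chooses "patch" when a fix exists and the platform still receives patches, falls back to isolation otherwise, and reports how many days each match has been exposed since the advisory was published, which is the gap the question asks about.

```python
"""Added example (not from the original Q&A): a minimal asset-list ->
vulnerability-check -> mitigation-plan workflow.  Product names, versions,
advisory IDs, zones and dates below are constructed for illustration only."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    zone: str                   # network zone the device sits in
    end_of_life: bool = False   # vendor no longer ships patches for this host


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    affected_before: str        # every version below this one is vulnerable
    fixed_in: Optional[str]     # None: the vendor has not released a fix
    published: date


def parse_version(text: str) -> tuple:
    """'4.10.0' -> (4, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.affected_before))


def choose_action(asset: Asset, adv: Advisory) -> str:
    """Patch when a fix exists and the platform still receives patches;
    otherwise fall back to isolation as a compensating control."""
    if adv.fixed_in is not None and not asset.end_of_life:
        return f"patch to {adv.fixed_in}"
    reason = "platform is end-of-life" if asset.end_of_life else "no vendor fix"
    return f"isolate ({reason}): restrict to zone {asset.zone}, allow-list peers, monitor"


def plan_mitigation(assets, advisories, today: date) -> list:
    """One action per (asset, advisory) match, longest-exposed first."""
    plan = []
    for asset in assets:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            plan.append({
                "asset": asset.name,
                "advisory": adv.advisory_id,
                "exposure_days": (today - adv.published).days,
                "action": choose_action(asset, adv),
            })
    # Oldest unmitigated exposure first; asset name breaks ties deterministically.
    plan.sort(key=lambda row: (-row["exposure_days"], row["asset"]))
    return plan


# Constructed sample inventory and advisories (hypothetical products).
ASSETS = [
    Asset("HMI-01", "ScadaView", "4.2.1", "level2-control"),
    Asset("ENG-01", "ScadaView", "5.0.0", "level3-ops"),
    Asset("HIST-01", "HistorianSrv", "2.0.0", "level3-ops", end_of_life=True),
]
ADVISORIES = [
    Advisory("ADV-2023-001", "ScadaView", "4.3.0", "4.3.0", date(2023, 3, 1)),
    Advisory("ADV-2023-002", "HistorianSrv", "2.1.0", "2.1.0", date(2023, 5, 15)),
    Advisory("ADV-2023-003", "ScadaView", "5.1.0", None, date(2023, 5, 20)),
]


def build_plan(today: date = date(2023, 6, 1)) -> list:
    return plan_mitigation(ASSETS, ADVISORIES, today)


if __name__ == "__main__":
    for row in build_plan():
        print(f'{row["asset"]:8} {row["advisory"]:13} '
              f'{row["exposure_days"]:4d}d  {row["action"]}')
```

The end-of-life historian is matched by an advisory that does have a fix, yet the plan still says "isolate", because a patch the vendor will not deliver to that platform is not a mitigation. In practice the asset list would come from a validated inventory and the advisories from the vendor or CISA ICS advisories; the exposure_days column is what to watch to see whether the gap between vulnerability and mitigation is shrinking.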