Energy plant cyber simulation

Using MITRE ATT&CK to simulate a cyber attack on an energy grid

The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques, used as a foundation for the development of threat models and methodologies. It helps us understand the stages of a cyber-attack, enabling us to detect, prevent, and mitigate cyber threats.

It can be practically used as a framework for cyber-attack simulation in industrial control environments, specifically the energy sector. This is also a use case for a cyber security lab the Cyber Advisory team are developing to help better understand how cyber-attacks unfold in client environments.

MITRE ATT&CK for ICS

"MITRE ATT&CK for ICS" is a version of this framework specifically for Industrial Control Systems.

Some of the tactics across the top differ from the traditional Enterprise MITRE ATT&CK framework, for example "Inhibit Response Function" or "Impair Process Control". The ICS version still includes IT techniques, particularly in the early stages of the framework, because compromising OT environments may start in IT / enterprise networks. The Purdue security reference model shows how IT networks (levels 4/5) interface with ICS networks (levels 3 to 0).

Simulating a Cyber Attack

A practical use of ATT&CK is adversary emulation, which allows defenders to test networks and defences more effectively by enabling offensive (red) security teams to model adversary behaviour more faithfully. This approach allows security teams to understand threat behaviours, rather than relying only on threat intelligence such as Indicators of Compromise (IOCs).

  1. Create a scenario

  2. Execute the scenario

  3. Identify security gaps

Creating the Scenario

Techniques can be selected from each of the tactics. As an example, the scenario is set in an energy facility that hosts a transmission substation, battery storage and a combined cycle gas turbine.

Executing the Attack

This part is hypothetical, so it can be considered a paper or tabletop exercise (TTX), but it goes into some technical detail about specific techniques.

Initial Access: Internet Accessible Device

ICS devices are commonly left open to the internet due to misconfiguration, especially devices like PLCs. According to the ICS Advisory Project, field controllers (specifically PLCs) are the devices most commonly connected directly to the internet, enabling adversaries to exploit vulnerabilities and gain initial access to the environment.

Attackers usually find these points of entry through reconnaissance such as port scanning. You can easily check the results in Shodan for Modbus-related devices by searching for "Modbus" or "port:502" (Modbus - Shodan Search).

Below is a list of devices Shodan has scanned and listed.

The first result shows ports 443 (HTTPS), 3306 (MySQL), 3389 (RDP) and 9092 (Kafka, a distributed streaming platform). The Kafka service on the last port has Modbus and energy devices listed in its data; Kafka is often used to ingest data from Modbus TCP, RTU and ASCII devices into Kafka brokers. All of these ports are potential attack vectors into a possible industrial network.

A cyber-attack can also start from the IT environment. Take the 2012 breach of Telvent (a maker of power-grid control systems and smart meters), which has been linked to a prolific Chinese hacking group: a lithium-ion battery vendor was targeted and breached through a remote monitoring and access system, giving the adversary access into the network and allowing it to move laterally almost undetected, because the activity looked like authorised vendor behaviour. This is a supply chain attack.

Discovery: Network Scanning

Upon initial access, the adversary will want to perform some reconnaissance through port scanning and ping scanning to discover what is available.

Lateral Movement: Default Credentials

Adversaries may then leverage manufacturer or supplier default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. You can find these credentials in public documentation / manuals. Engineers often install devices out of the box without any further security controls.

For example, during their scan an adversary may have discovered a shared historian that still uses default credentials, which can be used as a pivot into other networks. Here is an example of adversaries using known default credentials for Schneider Electric Wonderware Historians: Default Credentials Found in Schneider Electric Wonderware Historian | Threatpost

Command and Control: Standard Application Layer Protocol

Adversaries often use existing attack frameworks like Cobalt Strike. Cobalt Strike is a commercial adversary simulation software that is marketed to red teams but is also stolen and actively used by a wide range of threat actors, from ransomware operators to espionage-focused Advanced Persistent Threats (APTs). In this case, they can create beacons to deliver malware payloads and establish a connection between the victim device and the command and control (C2) server.

In this example, the adversary would pivot through the poorly configured historian to gain access to the turbine control HMI.

Collection: Screen Capture

An adversary at this point will look to gain as much information as they can about their new environment, the turbine control network. HMIs usually have a graphical user interface, so a screen capture is an effective way to collect information, ideally without anyone knowing.

For example, during the 2010 Stuxnet attack against the Iranian nuclear programme, which resulted in almost one-fifth of Iran's nuclear centrifuges being torn apart, once the malware reached the centrifuges it would collect and replay "healthy" information for stealth and to avoid detection. More about this here: Stuxnet - Wikipedia

Impair Process Control: Unauthorised Command Messages

In the battery network, the adversary can use tools like SMOD (trouat/smod: MODBUS Penetration Testing Framework (github.com)) to perform Modbus fuzzing, to understand what is possible and to see whether they can disrupt or deny its running process, preventing it from delivering power from its batteries.
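From the defender's side, the unauthorised command messages and fuzzing described above are visible on the wire: Modbus/TCP has no authentication, so the only thing separating a legitimate setpoint change from a malicious one is which master sent it. The following is an added example written for this page, not code from the original post or from the smod project. It parses Modbus/TCP requests, alerts on write function codes from any master that is not on an allowlist, and also reports frames that break the MBAP header rules, which is what a fuzzer typically produces. The sample frames, the allowlisted engineering-station address 10.20.30.5 and the unauthorised source 10.20.30.99 are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Function codes that change controller state. Everything else is a read or diagnostic.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Constructed allowlist: only the battery system's engineering station may write.
AUTHORISED_WRITE_MASTERS = {"10.20.30.5"}


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes  # PDU data that follows the function code


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU of a Modbus/TCP request.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    The length field counts the unit id plus the PDU, so a valid frame is 6 + length bytes.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, tid, uid, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Decode the target address and value(s) of a write request for the alert text."""
    fc, p = req.function_code, req.payload
    if fc in (5, 6):
        addr, value = struct.unpack(">HH", p[:4])
        return f"{WRITE_FUNCTION_CODES[fc]} addr={addr} value=0x{value:04X}"
    if fc in (15, 16):
        addr, qty, nbytes = struct.unpack(">HHB", p[:5])
        return f"{WRITE_FUNCTION_CODES[fc]} addr={addr} count={qty} data={p[5:5 + nbytes].hex()}"
    return WRITE_FUNCTION_CODES.get(fc, f"function {fc}")


def check_request(src: str, frame: bytes) -> Optional[dict]:
    """Return an alert for a write from an unauthorised master or for a malformed frame."""
    try:
        req = parse_modbus_tcp(src, frame)
    except ValueError as err:
        # Frames that break the MBAP rules are typical of fuzzers, so report them too.
        return {"src": src, "unit": None, "fc": None, "detail": f"malformed frame: {err}"}
    if req.function_code not in WRITE_FUNCTION_CODES:
        return None  # reads from SCADA/historian polling are expected
    if src in AUTHORISED_WRITE_MASTERS:
        return None  # writes from the engineering station are expected
    return {"src": src, "unit": req.unit_id, "fc": req.function_code, "detail": describe_write(req)}


def find_unauthorised_writes(traffic) -> list:
    """Run check_request over (source address, raw frame) pairs and collect the alerts."""
    return [alert for src, frame in traffic if (alert := check_request(src, frame))]


# Constructed sample of (source address, raw Modbus/TCP request) pairs.
SAMPLE_TRAFFIC = [
    ("10.20.30.5", bytes.fromhex("00010000000601030000000A")),             # FC3 read 10 holding registers
    ("10.20.30.99", bytes.fromhex("00020000000601050013FF00")),            # FC5 force coil 19 ON
    ("10.20.30.5", bytes.fromhex("00030000000B01100001000204000A0102")),   # FC16 write 2 registers (authorised)
    ("10.20.30.99", bytes.fromhex("000400000006010600100000")),            # FC6 set register 16 to 0
    ("10.20.30.99", bytes.fromhex("00050000000601")),                      # truncated frame
]

if __name__ == "__main__":
    for alert in find_unauthorised_writes(SAMPLE_TRAFFIC):
        print(alert)
```

In a real deployment the frames would come from a network tap or span port on the battery network rather than a list, and the allowlist would be derived from the site's documented master/slave relationships; the point of the example is that a write from an address that has no business writing, or a frame that does not parse, is a high-confidence signal regardless of the payload.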

Impact: Manipulation of Control, Loss of Availability

At this stage of the kill chain, the adversary can connect remotely into the combined cycle network through an engineering workstation or any computer that has access to the turbine control computer. At this point, the attacker can shut down the turbine, causing disruption and loss of availability.

Identify Security Gaps

Security teams can collect information during this exercise to understand what the behaviour looks like and how to better detect and respond to it. For instance, the tools used may produce certain logs that can be used to create detection rules for unusual vendor activity (remote access), unusual PLC operations (forced stop, writing, program upload, …), port scanning (sequential ports), malware activity (C2 beacons), and so on. Collecting all of this information and practising these cyber-attacks can help organisations create resources like playbooks in order to detect, respond to and remediate the threats.
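To show what two of the detection rules suggested above look like in practice, here is an added example (not from the original post) that runs over constructed connection-log lines: a port-scan rule that looks for many sequential destination ports from one source within a one-minute window (the Discovery stage of the scenario), and a beaconing rule that looks for repeated connections to one destination at near-constant intervals (the Command and Control stage). The log format, the addresses, the thresholds and the `window_s`/`max_jitter` parameters are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed log format: one connection per line, ISO timestamp plus key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that do not match the expected format
    f = m.groupdict()
    return {"ts": datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ"), "src": f["src"],
            "dst": f["dst"], "dport": int(f["dport"]), "action": f["action"]}


def load_events(text: str) -> list:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def longest_sequential_run(ports) -> int:
    """Length of the longest run of consecutive port numbers, e.g. {500,501,502,900} -> 3."""
    s = sorted(ports)
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_port_scans(events, window_s=60, min_ports=10, min_run=5) -> list:
    """Flag a source that touches many distinct, mostly sequential ports within one window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # slide the left edge so the window never spans more than window_s seconds
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports and longest_sequential_run(ports) >= min_run:
                findings.append({"src": src, "first_seen": evs[start]["ts"],
                                 "distinct_ports": len(ports),
                                 "longest_run": longest_sequential_run(ports)})
                break  # one finding per source is enough for triage
    return findings


def detect_beacons(events, min_connections=6, max_jitter=0.1) -> list:
    """Flag flows whose inter-connection intervals are nearly constant (low jitter),
    the classic shape of a C2 beacon check-in, unlike bursty human or polling traffic."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    findings = []
    for (src, dst, dport), stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg  # coefficient of variation of the inter-arrival times
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "dport": dport, "period_s": round(avg),
                             "count": len(stamps), "jitter": round(jitter, 3)})
    return findings


# Constructed sample log: a sequential port sweep, a 60-second beacon and irregular polling.
_BASE = datetime(2024, 3, 1, 10, 0, 0)


def _line(offset_s, src, dst, dport):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} src={src} dst={dst} dport={dport} action=allow"


SAMPLE_LOG = "\n".join(
    [_line(i, "10.20.30.99", "10.20.31.7", 500 + i) for i in range(16)]
    + [_line(60 * i, "10.20.31.20", "203.0.113.10", 443) for i in range(8)]
    + [_line(t, "10.20.31.21", "10.20.31.7", 502) for t in (0, 17, 90, 95, 200, 310)]
)

if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    print("port scans:", detect_port_scans(events))
    print("beacons:", detect_beacons(events))
```

The irregular polling flow to port 502 is deliberately included so that the beacon rule has something to reject: its intervals vary widely, so the jitter ratio is far above the threshold, whereas the constructed beacon fires every 60 seconds and is flagged. Real beacons often add jitter on purpose, so `max_jitter` is a tuning knob to set from the site's own baseline rather than a fixed constant.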

Some of the security gaps or vulnerabilities uncovered during this exercise could be:

  • Internet facing devices

  • Default credentials

  • Malware / payloads installed

  • Unauthorised PLC operations

Some recommendations based on these vulnerabilities could be:

  • Multi-factor authentication and/or APNs for internet facing devices.

  • Network segmentation to prevent lateral movement and pivoting.

  • Visibility through log collection.

  • Playbooks for incident response.
