OT malware is malicious software, specifically designed to target Operational Technology.
The purpose of OT malware can range from modifying how an industrial process operates, through to disruptive or destructive attacks – what we call a cyber-physical attack.
This difference in the nature of potential outcomes is one of the differences between IT and OT malware that I want to draw out in this blog post. I’ll also consider similarities between the two, and some effective means of combatting both varieties of malware.
What about ICS Malware?
Industrial Control Systems (ICS) and Operational Technologies (OT) are closely related. So, ICS malware is also known as OT malware. In this blog post, to cut down on the jargon, I’ll be using ‘OT Malware’.
The MO of OT malware
The way OT malware works depends on the complexity and context of the control system it’s attacking.
For systems that can be controlled remotely – like a Supervisory Control and Data Acquisition (SCADA) system – this might mean gaining control of a management workstation, which can then be used to make changes on the target system, and/or hide valid alerts.
Alternatively, malware can target individual components directly to cause malfunction. For example, changing the state of control system hardware, such as Programmable Logic Controllers (PLCs).
While some malware targets OT systems directly, other malware targets the surrounding IT systems to attack a hybrid ICS/OT system. This type of malware can be used by state and non-state actors alike, and can nonetheless be damaging.
Examples of OT Malware
Probably the best way to draw out the specialised nature of OT malware is with a few examples. Here I’ve outlined a few of the best known, but there are many more.
Stuxnet
Stuxnet, allegedly designed to disrupt Iran’s nuclear enrichment process, is likely the best known and earliest example of sophisticated OT malware.
Stuxnet leveraged multiple vulnerabilities in Windows to spread in a worm-like manner, looking for Siemens STEP7 engineering software. When it found this package, it replaced the system’s communication libraries and modified its project files. This enabled the malware to subtly change the program running on specific Siemens PLCs, whilst hiding these changes from the operator.
Havex and BlackEnergy2
Newer, albeit less sophisticated, examples of OT malware in recent years include Havex and BlackEnergy2.
Havex did not attempt to change an ICS process, but instead sought to discover and report the specific types of servers running in OT environments using a protocol called OLE for Process Control (OPC).
Havex spread by compromising the installation files of popular remote access software products used in OT environments. When users installed what they thought to be genuine software, they unknowingly also installed the Havex malware.
BlackEnergy2 contained an ICS component designed to exploit vulnerabilities in common Human Machine Interface (HMI) products. This allowed targeting of internet-addressable and other unprotected HMIs.
CrashOverride (or Industroyer)
CrashOverride (or Industroyer) is the name given to malware involved in the attacks on Ukraine’s electrical transmission network during 2016. This malware utilised several ICS-specific modules to orchestrate an outage.
The malware leveraged OLE for Process Control Data Access (OPC DA), IEC61850 and IEC60870-5-104 industrial protocols to enumerate and interact with the target network.
CrashOverride also included a denial of service capability, designed to render protective relay devices unresponsive and unable to perform their intended function.
TRITON (or TRISIS)
In 2017, TRITON (or TRISIS) became the first malware known to target Safety Instrumented Systems (SIS).
Once deployed on a safety engineering workstation, the malware exploited a zero-day vulnerability which enabled attackers to execute code on safety controllers. These devices are usually the last lines of defence protecting the real world from a potentially hazardous industrial process.
Although the ultimate effect-inducing code that may have been executed was not recovered, the TRITON attack is believed to have caused the safe shutdown of a petrochemical facility in Saudi Arabia.
From IT to OT
Some IT malware can have an impact on OT systems.
EKANS was ransomware that attempted to identify and ‘kill’ processes relating to OT software on a target system.
Whilst ransomware like EKANS isn’t able to interact with ICS hardware itself (so far, at least), this type of malware can still be disruptive when deployed on workstations intended to run OT software, thus affecting the OT system indirectly.
SCADA workstations are a good example of this IT/OT bridge, where visibility and management of a control system is required. Engineering workstations also fall into this category, where they use bespoke software to interact with ICS hardware.
LockerGoga, an IT focused ransomware, caused disruption to business systems worldwide.
LockerGoga made headlines when it successfully hit Norsk Hydro, a Norwegian company which is, among other things, one of the world’s largest aluminium producers. Norsk Hydro was forced into manual operation for some of their plants and had to stop production at others.
Lastly, according to widespread cyber security reporting, the Sandworm team used BlackEnergy3 to gain access to Ukrainian electricity distribution networks, perform OT target reconnaissance, and steal credentials.
Despite having no OT specific capability itself, BlackEnergy3 was used to collect critical OT system information that ultimately enabled Sandworm to access control centre systems to launch a disruptive attack leading to power outages for 250,000 people.
Sandworm also impeded recovery by wiping the master boot records (MBR) of workstations, uploading bad firmware to devices communicating with substations (rendering them inoperable) and scheduling an outage on UPS systems.
Defending Against OT Malware
Adversaries deploy OT malware in much the same way as traditional IT malware, targeting weak network defences or individuals who likely do not recognise they are being exploited.
From an initial foothold, the attacker can work to propagate further into the system, or the malware can self-propagate laterally through the network, until it reaches its ultimate destination.
Even the most sophisticated and well-resourced adversaries prefer easy targets over hard targets. Consequently, strong cyber hygiene (see the Cyber Assessment Framework) across business, IT and OT networks can make accidental ICS intrusion far less likely and will make purposeful intrusion significantly more expensive and far less attractive.
NCSC guidance versus OT malware
The NCSC’s 10 Steps to Cyber Security would provide a strong defence against the malware examples listed above. In each case, the 10 Steps would have either mitigated the attack entirely or, at least, made intrusion less effective and more difficult for the attacker. Some of the traditional mitigations which can be applied in an IT system, such as timely patching, can often be challenging in an OT system, particularly where availability is a priority.
Stuxnet
Stuxnet, designed to spread via removable media (USB sticks), could have been partially mitigated by Removable Media Controls.
Close monitoring of systems that handle removable media, including host-based controls such as Endpoint Detection and Response (EDR) capabilities, should mitigate the introduction and ultimate spread of similar malware onto OT networks.
However, it’s important to pair this with carefully considered OT system monitoring and host-based detection at other critical points, to ensure that more sophisticated exploitation techniques – the ones that aren’t detected by antivirus or EDR tools – are also mitigated.
Havex and BlackEnergy2
Havex spread via compromised vendors of remote access software. The NCSC’s Principles of Supply Chain Security will help you address exactly this type of problem.
The Cyber Assessment Framework and the Network Security section of the NCSC’s 10 Steps illuminate issues that, once resolved, would have significantly hampered the effectiveness of Havex, and BlackEnergy2’s remote exploitation of internet-facing HMIs.
Mitigations for IT malware on OT systems
BlackEnergy3, CrashOverride and TRITON leveraged traditional IT attack techniques to reach OT networks and ICS devices, rather than targeting them directly.
In all three cases, the attackers likely started with a foothold in IT networks, performed reconnaissance, and exfiltrated network documentation and probably credentials. Their goal was to reach OT systems from interconnected IT segments of the network which they could more easily access. For example, operator workstations for the electricity distribution network (Ukraine 2015), substation automation servers (Ukraine 2016) or safety engineering workstations (TRITON).
Strong cyber hygiene may not mitigate these attacks in their entirety, but it will limit an attacker’s reach and make incident discovery and response faster and more effective.
Generally speaking, threat actors deploying OT-directed malware are likely to live off the land, taking advantage of standard IT systems for initial access and network reconnaissance. For this reason, appropriate security controls and monitoring at both a host and network level across IT and OT networks are key to increasing chances of intrusion detection and prevention.
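As an added example (not part of the NCSC post), here is a minimal network-level check of the kind this paragraph calls for: it parses IEC 60870-5-104 frames, one of the protocols CrashOverride used to interact with substation equipment, and flags any control command that does not come from the authorised control station. The authorised address, the sample frames and the allow-list are constructed assumptions; a real deployment would feed it from a network tap and tune the allow-list to the site’s own HMI/SCADA servers.

```python
import struct

# IEC 60870-5-104 ASDU type IDs that carry control (write) operations, i.e. the
# commands a control centre sends to change the state of field equipment.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command", 48: "C_SE_NA_1 set point (normalised)",
    49: "C_SE_NB_1 set point (scaled)", 50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring command", 58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)",
}
# Hosts allowed to issue control commands: the SCADA/HMI server (constructed address).
AUTHORISED_CONTROL_HOSTS = {"10.10.1.5"}

def parse_i_frame(data: bytes):
    """Parse an IEC 104 I-format APDU and return the ASDU header fields, or None."""
    if len(data) < 6 or data[0] != 0x68 or data[1] + 2 > len(data):
        return None                      # not an APDU, or truncated
    if data[2] & 0x01:
        return None                      # S- or U-format frame: carries no ASDU
    asdu = data[6:2 + data[1]]
    if len(asdu) < 9:                    # type, VSQ, COT(2), CA(2), IOA(3)
        return None
    return {
        "type_id": asdu[0],
        "cot": struct.unpack("<H", asdu[2:4])[0] & 0x3F,    # cause of transmission
        "ca": struct.unpack("<H", asdu[4:6])[0],            # common address (station)
        "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),  # information object address
    }

def inspect(src_ip: str, data: bytes):
    """Return an alert string for a control command from an unauthorised host, else None."""
    asdu = parse_i_frame(data)
    if asdu is None or asdu["type_id"] not in CONTROL_TYPE_IDS or src_ip in AUTHORISED_CONTROL_HOSTS:
        return None
    return (f"ALERT: {src_ip} sent {CONTROL_TYPE_IDS[asdu['type_id']]} "
            f"to CA={asdu['ca']} IOA={asdu['ioa']} COT={asdu['cot']}")

# Constructed sample traffic: (source IP, raw APDU bytes); all values are made up.
STARTDT = bytes.fromhex("68 04 07 00 00 00")                                      # U-frame
SINGLE_CMD = bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 34 12 00 01")     # C_SC_NA_1
INTERROGATION = bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14")  # C_IC_NA_1
SAMPLE_CAPTURE = [("10.10.1.5", STARTDT), ("10.10.1.5", SINGLE_CMD),
                  ("10.10.7.42", INTERROGATION), ("10.10.7.42", SINGLE_CMD)]

def scan(capture):
    """Run the check over captured frames and return the alerts raised."""
    return [a for a in (inspect(ip, d) for ip, d in capture) if a]
```

Only the single command from the unlisted host raises an alert; the same command from the SCADA server and the interrogation from the unlisted host do not, so a production version would usually also log interrogations and unexpected connection setups as reconnaissance indicators.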
OT malware is here to stay. While it is not possible to completely stop an advanced, highly motivated adversary from getting into critical networks, applying the NCSC’s Cyber Assessment Framework can make UK OT networks less attractive targets to highly sophisticated adversaries, while also helping to prevent accidental intrusion.
In the event of intrusion, fast and effective recovery is crucial. This means it is essential to conduct secure, offline backups of OT critical systems and device configurations, test critical system resilience, and practice recovery on a routine basis.
If your organisation needs help figuring out how to improve OT and related IT network cyber hygiene, the resources listed below should help. If these resources do not satisfy all your questions or needs, or if you think something is missing, feel free to contact us. We are constantly looking to improve guidance.