Cyberattacks are an emerging threat for Industrial Control Systems (ICS) that, given the tight coupling between the cyber and physical components, can have far-reaching implications. It is typical for contemporary ICS components to utilize Commercial-Off-The-Shelf (COTS) hardware and software, rendering them prone to vulnerabilities and exploitation techniques that afflict IT systems (Figure 1). In an effort to demonstrate the ICS cyber threat landscape, we discuss a comprehensive methodology for designing an Advanced Persistent Threat (APT), which is a stealthy and continuous type of cyberattack with a high level of sophistication suitable for the complex environment of ICS. Retracing the steps and studying the objectives an attacker would take into consideration when designing a cyberattack enables us to demonstrate the potential impact of these attacks and identify critical entry points, vulnerable flows, and services of ICS. Finally, leveraging the generated intelligence, we discuss defensive strategies that can assist in thwarting such attacks.
ICS are systems that monitor and control physical processes in industrial environments. Over the past decade, ICS components have been modernized through the inclusion of Information and Communication Technologies (ICT), with the goals of increased efficiency and controllability, reduced downtime, and lower costs. The vision for the future of industrial automation is interconnected cyber-physical systems of systems, in which components communicate with each other, have computational capabilities, and are able to make decisions in a decentralized manner.
Despite the numerous benefits of this modernization trend, an immediate and pressing consequence is its negative impact on the cyber-security posture of ICS and the underlying physical processes. In order to enable the transition of ICS into the information age, contemporary ICS components utilize COTS hardware and software, such as ARM or Intel microprocessors and real-time versions of commercial operating systems. Figure 2 depicts the internals of an industrial controller, which include an ARM processor, COTS integrated circuits for control and communication, RJ45 sockets (Ethernet) for communication over common ICT protocols, as well as several memory chips.
The use of COTS components facilitates development and reduces commissioning time, but it also allows malicious actors to readily port ICT vulnerabilities and exploitation techniques to ICS environments, which thus become prone to the same weaknesses that plague ICT. ICS often control national critical infrastructure such as critical manufacturing, chemical plants, power grids, oil and gas systems, and nuclear plants. The implications of a security breach can therefore be far-reaching, including significant financial losses, environmental disasters, and loss of life.
Cyber-attacks targeting ICS are not only theoretical; several real attacks against ICS have been reported and studied to date. At the same time, the majority of cyber-security incidents are believed to remain unreported, since disclosure would hurt the public image of vendors, industries, or even governments. A prominent example of an ICS-targeting cyber-attack is Stuxnet, a sophisticated, nation-state-grade attack against an Iranian uranium enrichment plant that was active from around 2009 and discovered in 2010. More recent examples include an attack on a German steel mill in 2014 and a partial blackout of the Ukrainian power grid in December 2015. The common factor of these attacks is their physical-world impact, demonstrating that cyber-attacks are no longer contained in the cyber realm. Forensic information gathered from known cyber-attacks indicates that the threat actors involved so far are highly motivated, sophisticated, and well-funded organizations or nation states. However, as more ICT and COTS components are deployed in ICS and the entry bar for threat actors is lowered, we can expect the volume of cyber-attacks against industrial environments to increase.
Designing an advanced persistent threat
One of the most complex and evasive categories of cyber-attacks is the Advanced Persistent Threat (APT). These attacks are advanced in the sense that the attack strategies and exploitation techniques they utilize are tailored, highly sophisticated, span multiple attack vectors, and are stealthy. They are persistent in the sense that they establish a strong foothold within the target infrastructure, pursue their objectives over extended periods of time, and adapt to defense mechanisms deployed to thwart them.
In an effort to highlight the dangers that ICS face from the cyber domain and stress the importance of ICS cyber-security, we guide the reader through the steps an attacker would follow while designing an APT for industrial environments. This structured approach enables us to demystify APTs, identify critical entry points, and generate intelligence that can be leveraged by ICS stakeholders to better protect their infrastructure from cyber-attacks.
The overall design flow of an APT can be broken down in five interdependent steps, namely, 1) Reconnaissance, 2) Vulnerability discovery, 3) Payload design, 4) Payload delivery, and 5) Attack persistence. Figure 3 shows the progression and interdependencies between the different steps.
The APT design process begins with Reconnaissance, which is continuously undertaken throughout the lifetime of a cyber-attack campaign. During reconnaissance, the attacker collects and analyzes information regarding all aspects of the target system. The gathered information is then used during Vulnerability discovery. In this step, the attacker's aim is to discover potentially exploitable vulnerabilities in subsystems, devices, or services of the target system. The actual payload is developed during Payload design, where the attacker takes into consideration the available delivery mechanisms and objectives of the campaign, in addition to information gathered during reconnaissance. If the final payload does not fulfill the campaign's objectives, the APT design process can revert to the vulnerability discovery step. Moving forward, in the Payload delivery step the adversary uses exploitation techniques to exploit the discovered vulnerabilities and establish a delivery mechanism for the actual attack (i.e., the payload). The feasibility of delivering a payload within the target system is informed by the findings of the reconnaissance. If effective delivery mechanisms are not found, the design process reverts to the vulnerability discovery step. The final step is Attack persistence. During this step, the attacker identifies any corrective or defensive actions taken by the ICS operators to thwart cyber-attacks, through information from the continuously ongoing reconnaissance step. The attacker adjusts the existing payloads and payload delivery mechanisms accordingly, or develops new attack vectors, in an effort to bypass any deployed security mechanisms and ensure persistence of the cyber-attack.
The above-described design process is repeated during the lifetime of a cyber-attack campaign, ensuring persistency and successful fulfillment of the campaign's objectives. A more extensive analysis of each step is presented below.
Reconnaissance is the process of gathering information regarding a target system or organization, with the purpose of extracting critical information that can enable an attack. Examples of such information include data regarding the users of a facility (e.g., business role, contact details, personal information), business strategies, network structure, hardware devices, configuration details, and software services.
A first source of information is anything publicly available: corporate websites and documents, press releases, vendor success stories (which often name the exact products deployed at a customer site), or reports that the target organization is legally bound to release (e.g., environmental impact reports). Further information can be obtained from network interfaces. Reconnaissance of ICS networks can borrow techniques, tools, and methodologies from ICT (e.g., the Network Mapper, Nmap). Moreover, field devices may be directly routable from the public internet, either because of system requirements or as a result of misconfigurations; in that case, information about ICS field devices, including protocol banners, can be retrieved from device search engines such as Shodan without sending a single packet to the target.
One important objective of reconnaissance is to fingerprint the software services and hardware devices deployed within the target system, i.e., to identify specific software versions or physical device models. In the context of ICS, fingerprinting translates to identifying the specific hardware and firmware of field devices. Common ICT fingerprinting tools (e.g., Nmap and p0f) might not always provide adequate information, because they key on TCP/IP stack behavior and common IT services rather than on industrial protocols. However, it is possible to leverage variations between ICS device implementations for fingerprinting. For example, information regarding field device make and model can be extracted over commonly used industrial protocols. Such an approach has been shown to fingerprint ICS devices via the Modbus protocol by carefully crafting request packets. The technique exploits differences in how vendors implement Modbus (the specification leaves details such as the exception code returned for unsupported function codes, and support for the optional Read Device Identification function, to the implementer), combined with the protocol's lack of built-in authentication, and was validated on real field-deployed ICS devices indexed by Shodan.
Leveraging the information gathered during reconnaissance, the attacker can focus on discovering vulnerabilities in the target process workflow, or in the field-deployed devices themselves. During vulnerability discovery, the attacker typically has two options: 1) use existing, known vulnerabilities, or 2) study the system and discover new, previously unseen vulnerabilities, also known as 0-day vulnerabilities[1].
In search of known vulnerabilities, the attacker could make use of readily available vulnerability scanners such as Nessus and Nikto. These scan the target system to identify versions of software services and operating systems for which vulnerabilities have been publicly disclosed. Such scanners were built for IT hosts; against resource-constrained field devices, aggressive scans have been known to crash controllers or disrupt the process, which is a risk for a defender assessing their own network and a stealth concern for an attacker. In addition to scanner tools, the adversary could discover vulnerabilities by querying vulnerability and disclosure databases such as the Open Source Vulnerability Database (OSVDB, discontinued in 2016) and the U.S. National Vulnerability Database (NVD). For vulnerabilities in ICS field devices, the U.S. Department of Homeland Security maintains the ICS-CERT advisory database.
When known vulnerabilities cannot be found, or the campaign's objectives do not allow their use (for example, because a public vulnerability is likely to be patched or monitored), 0-day vulnerabilities may be developed. 0-day discovery typically requires sophisticated technical analysis. Example methods include fuzzing[2] of network services or hardware equipment, and reverse engineering the firmware[3] of hardware devices. To facilitate vulnerability discovery, the attacker could obtain physical copies of the field devices used in the target organization and replicate the target environment. To avoid the high cost of replicating an entire ICS facility and the inaccuracy of purely software simulations, a hybrid approach can be followed with Hardware-In-The-Loop testbeds, in which real controllers are wired to a simulated physical process. This setup combines the benefits of software simulation and hardware testbeds: it enables realistic testing of vulnerabilities while keeping cost low because of the reduced hardware requirements. Figure 4 depicts the Hardware-In-The-Loop setup developed at NYU Abu Dhabi for studying ICS cyber-security. By using this setup, it is possible to perform vulnerability assessments across all the layers that constitute an ICS - the hardware, firmware, software, network, and process layers (Figure 5).
The cyber-attack's objectives and, by extension, the payload, may change throughout the evolution of a campaign. The payload design step is thus variable and adjusts to the needs and objectives of the campaign. A payload's goal in the initial phase of a campaign may be, for example, to exfiltrate critical data, or to strengthen the foothold of the attacker within the target system. At a later stage, the payload may be directed at the field level and aim to change certain operational parameters of the ICS environment. The latter requires an in-depth understanding of the ICS process and of any interlocks deployed in the system. These types of attacks can be characterized as process-aware, since they are cognizant of details specific to the target ICS. By carefully analyzing the information from reconnaissance it is possible to construct a model of the ICS, identify the critical components of a system, and subsequently design a process-aware payload that can introduce arbitrary modifications to the process, including destroying the system. Furthermore, under certain constraints, payloads may be automatically generated.
Following design of the payload, the attacker can study possible attack delivery mechanisms, including the discovery of exploitation techniques. In the case of known vulnerabilities, it is possible that an exploit already exists and can be readily utilized. Exploitation frameworks, such as Metasploit and CANVAS, can assist the attacker during this step. These frameworks maintain databases of exploits, which they use to exploit known vulnerabilities, largely automatically. In the case of a 0-day vulnerability, the attacker needs to develop new exploits. Delivery can include modifying the firmware of field devices, using the network as a payload delivery mechanism (through the internet or the target's intranet), and using techniques to infiltrate and bridge air-gapped networks. Finally, physical devices programmed to automatically deploy an attack may play the role of Trojan horses. Users of the target facility could be tricked into delivering the attack (e.g., by dropping infected USB thumb drives in parking lots), or bribed or extorted to deploy a malicious node within the organization's secure perimeter. An attractive option for such a malicious physical implant is a smartphone: contemporary smartphones incorporate a wide range of sensors and have advanced computational and communication capabilities, and can thus be orchestrated to automatically craft and launch a sophisticated cyber-attack.
After effective attack vectors have been discovered and verified, secondary campaign objectives may include ensuring and strengthening the attacker's foothold within the target system, increasing the quantity and quality of exfiltrated information, identifying new attack vectors, and developing contingency scenarios to ensure the cyber-attack is carried out successfully. During the attack persistence step, the attacker monitors information from the reconnaissance step and identifies any existing or newly-deployed security mechanisms within the target that can thwart or detect the cyber-attack. Depending on the findings, this could lead to modifying payload delivery mechanisms or payloads to maintain a stealthy presence and avoid attribution, while ensuring fulfillment of the campaign's objectives.
Defending Against ICS Cyber-Attacks
By analyzing the design process of an APT for ICS, we gain an understanding of the methodologies, resources, and tools available to threat actors. This information can be utilized to identify weak points of an ICS environment, and generate intelligence that can be used to address these weaknesses and better protect an ICS against cyber-attacks.
As humans are usually the weakest link of a system, personnel working in ICS facilities should be aware of the dangers their system faces from the cyber domain. This knowledge could render them more vigilant, and enable them to identify anomalies in the ICS process that can be indicators of a cyber breach. From a device perspective, strong authentication mechanisms should be used for field devices, and their firmware should be kept up to date. Vendors should promptly develop firmware updates to address known vulnerabilities; in practice, applying them to field devices requires a maintenance window and vendor validation, so the patching cadence in ICS is slower than in IT, which makes the compensating controls below all the more important. In addition, device logs should be audited periodically to identify anomalous behavior. With regard to securing the network infrastructure of an ICS, best practices for network security should be enforced. These include the use of firewalls, Intrusion Detection or Prevention Systems (IDS/IPS), and separation between corporate and field networks (for example, the zone-and-conduit model of IEC 62443). Finally, direct routes from the public internet to field devices should not be allowed.
A new field of research for securing ICS relates to process-aware defense mechanisms. These mechanisms analyze information directly from the field and try to detect anomalies specific to the physical characteristics of an ICS process, such as sensor readings that are inconsistent with the process dynamics given the commands sent to the actuators. A unique characteristic of ICS is their cyber-physical nature; thus, actions that originate in the cyber domain can have observable effects in the physical world. Even though attackers can alter the behavior of cyber components, they are unable to modify the underlying physical laws that govern these systems. Leveraging this observation, it is possible to design effective defense mechanisms that intelligently draw information from the physical world to detect anomalous behavior and assist in securing our critical infrastructure.
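As an added illustration of the process-aware idea (a constructed example, not code from the article or its authors): a single-tank process with a feed-forward plus proportional level controller, a Stuxnet-style attacker that forces the inlet valve fully open while replaying previously recorded healthy sensor readings to the operator and the monitor, and a physics-based monitor that predicts each level from the previous reported level and the valve command observed on the fieldbus. The tank coefficients, controller gain, detection threshold and attack timing are assumptions chosen for illustration. The replayed readings look perfectly normal on their own; the attack is exposed because they disagree with what the tank balance says a fully open valve must do to the level.

```python
"""Physics-based anomaly detection for a single-tank process.

Added example, not from the original article. Tank model, controller gains,
thresholds and the attack scenario are constructed for illustration.
"""
import random

A_IN = 2.0        # level gained per step at a fully open inlet valve (assumed)
B_OUT = 0.1       # fraction of the level lost through the outlet each step (assumed)
SETPOINT = 10.0   # desired level
NOISE = 0.05      # bounded sensor noise, uniform in [-NOISE, NOISE]


def plant_step(level, valve):
    """True physics: discrete-time tank balance. The attacker cannot change this."""
    return level + A_IN * valve - B_OUT * level


def controller(measured):
    """Feed-forward term that holds the set point, plus proportional correction."""
    feed_forward = B_OUT * SETPOINT / A_IN     # 0.5 keeps the tank at SETPOINT
    valve = feed_forward + 0.2 * (SETPOINT - measured)
    return min(1.0, max(0.0, valve))


class PhysicsMonitor:
    """Flags readings that contradict the model given the commands seen on the bus.

    Residual = reported level - level predicted from the previous report and the
    previous valve command. Benign noise keeps |residual| <= NOISE*(1 + (1-B_OUT)),
    so a threshold well above that with a persistence count avoids false alarms.
    """

    def __init__(self, threshold=0.5, consecutive=3):
        self.threshold = threshold
        self.consecutive = consecutive
        self.prev_report = None
        self.prev_valve = None
        self.hits = 0

    def observe(self, reported_level, valve_cmd):
        alarm = False
        if self.prev_report is not None:
            predicted = plant_step(self.prev_report, self.prev_valve)
            residual = reported_level - predicted
            self.hits = self.hits + 1 if abs(residual) > self.threshold else 0
            alarm = self.hits >= self.consecutive
        self.prev_report, self.prev_valve = reported_level, valve_cmd
        return alarm


def simulate(steps=40, attack_at=None, seed=1):
    """Run the control loop; return (step of first alarm or None, peak true level)."""
    rng = random.Random(seed)
    level = SETPOINT
    monitor = PhysicsMonitor()
    replay = []                     # healthy readings the attacker recorded earlier
    first_alarm, peak = None, level
    for k in range(steps):
        true_reading = level + rng.uniform(-NOISE, NOISE)
        attacking = attack_at is not None and k >= attack_at
        if not attacking:
            replay.append(true_reading)
            reported = true_reading
            valve = controller(reported)
        else:
            # Stuxnet-style: show recorded "normal" levels while driving the
            # valve fully open. The monitor still sees the real valve command.
            reported = replay[k % len(replay)] if replay else SETPOINT
            valve = 1.0
        if monitor.observe(reported, valve) and first_alarm is None:
            first_alarm = k
        level = plant_step(level, valve)    # physics acts on the true level
        peak = max(peak, level)
    return first_alarm, peak


if __name__ == "__main__":
    print("benign run:", simulate())
    print("replay attack from step 20:", simulate(attack_at=20))
```

In the benign run the residual is just filtered sensor noise and no alarm fires, while the attack is caught three steps after it starts, long before the true level approaches the tank's capacity. The same structure scales to real plants by replacing `plant_step` with an identified model (or a state estimator) and tapping the actuator commands where the PLC cannot lie about them.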
[1] A 0-day vulnerability is a vulnerability that is not reported to the vendor prior to being exploited, effectively allowing the program's authors zero days to create a patch or workaround to counteract it.
[2] Fuzzing is an automated or semi-automated method for software testing. During fuzzing, unexpected, malformed, or random data are provided as inputs to a program, which is then monitored for exceptions, crashes, hangs, or memory errors indicating the existence of a software bug.
[3] Firmware is the intermediate layer between hardware and software, enabling low-level control of and communication between the two. Embedded devices typically include firmware.
The authors wish to acknowledge Hossein Salehghaffari, Brian Cairl, Prasanth Krishnamurthi, Farshad Khorrami, and Ramesh Karri for their contributions to the presented work. Part of this work has been supported by the Office of Naval Research (#N000141512182, Program Manager: Sukarno Mertoguno) and the NYU Abu Dhabi Global PhD fellowship.