OT/PCAP Analyzer (aka OPA)
Human-readable PCAPs for an understanding of the devices and protocols on your network.
Get Access
Co-founder
In Part 1, no actual Unicorns were harmed, 🦄 but we slayed the toxic manifestation of what the ICS Unicorn had become. Today we take on a more sinister beastie: The ICS Basilisk…
Same disclaimer as before, this isn’t a judgment on the past, but rather a look to the future.
As a reminder, for each mythical creature in this series, we’ll cover:
- The Creature: What it represents
- The Reason: Why it was necessary in the past
- The Manifestation: What this beast has become now
- The Actions: 3 things you and I can do to create a better future
Time to Slay ⚔️ The ICS Basilisk
The feared basilisk is a serpent-like beast capable of destroying other creatures through its deadly stare; it is a monstrous creature, and “all who behold its eyes fall dead upon the spot.”
This scary creature rears its ugly head more and more within the ICS security community and presents a formidable challenge.
While it’s not so easy to take down control systems with a single glance, there are unavoidable conversations and use cases about the inherent insecurity of our operational environments.
The Reason
Scary mythical creatures were created because we didn’t yet have real-life examples. It was an industry full of what-ifs, and when there was an event, the community grasped for context.
The Aurora Generator attack demonstration: could it happen everywhere? Could attacks against Ukraine substations really occur in the US?
The community had plenty to worry about. Here are just 3 examples:
Increased ICS Attack Surface
The insecure by design concept is exacerbated by the increase in ICS attack surface. Mythical “gaps” were bridged years ago; convergences have been converged. As systems have become more interconnected, hypotheticals become at least possible, if not probable.
But sometimes hypotheticals aren’t enough, so we created beasts with scary names from far away lands.
Outside Pressures
With attacks affecting ICS becoming more mainstream, external pressures to do something have increased. That pressure may come from the government in the form of additional guidance and regulations. Sometimes it’s pressure on leadership to act.
Managing this successfully while still moving the security needle is more important than ever.
But while real attacks were still few and far between…
Serious Impacts
…the potential impacts have never been greater.
We are seeing the proverbial toe dip into the safety side of the pool. Ransomware attacks, while still indirect, are causing organizations to degrade or shut down their industrial environments. These are real scenarios, with real impact.
However, scary creatures coming to burn our village and kill with a single glance started to become overplayed in our community, in mainstream media, and with decision-makers.
While it was necessary to “paint a word picture” to convince everyone of the potential impact, it manifested into something more frightening — FUD (Fear, Uncertainty, and Doubt).
The Manifestation
The ICS Basilisk never really existed, at least not like everyone was playing it up to be. Quickly it became bad “creature of the week” episodes where a new, scarier monster appears, and our heroes slay it. Nice and easy, right?
However, what ended up happening was a feeling of frustration and helplessness. After all, what could the operators do if they faced such formidable creatures themselves?
Here are the concepts that need to be slain in order to put more power back into the hands of operators and properly arm them for battle.
Overwhelming, Powerful Attackers
We still hear time and time again about the all-powerful bogeymen: the nation-state hacker, the ICS ransomware, and the push for more and more outward-facing knowledge and intelligence.
State of the Art TTPs
When it comes to security, it’s hard for anyone to admit that the tactics, techniques, and procedures employed in most cyberattacks (not just industrial) are common, basic, and known. But in order to sell the idea of advanced countermeasures, there must be advanced attackers to justify the cost.
This isn’t to say that there aren’t elegant and advanced attacks known to the industry, but they can be counted on a single hand. Magic level TTPs being cast by wizards of the cyber arts leads to another concept we need to slay…
You Need a Hero
All of this evokes a sense of hopelessness. If [insert nation-state] is already in our grid, then what can we do? If adversaries are so advanced, what hope is there?
This is the hero mentality sold by so many in our community, that if only you had that person, that tool, that technology, or that training, then you too could combat the Basilisks of the industry.
⚔️ We need fewer heroes and more hero makers. Not the person swinging the sword, but blacksmiths forging them for others. ⚒️
The Actions
So what can we do to slay the mythical ICS Basilisk? It’s time to pull back the curtain and reveal the wizard…
Today: CONNECT
We have a vast wealth of knowledge when it comes to attacks and defenses. Go forth and learn about one attack technique, just 1. Search something up from the MITRE ATT&CK framework, read about the technique, find a tool that automates it, and go DISCOVER!
Example:
- The first technique is “Active Scanning” https://attack.mitre.org/techniques/T1595/
- Read about NMAP scanning https://www.upguard.com/blog/how-to-use-nmap
- Watch Stephen Hilt, author of many NMAP NSE scripts for ICS https://www.youtube.com/watch?v=7jfshUL-0yM
Don’t have a lab? Just reading and watching helps demystify, and demystifying these attacks makes you stronger.
Next Week: EXPAND
Apply that knowledge to the context of your organization and environment. You know this better than anyone in the world.
What tactics, techniques, and procedures would you use in your organization to have the best effect?
This Year: CONTRIBUTE
Extend that contextual knowledge to your larger community. Teach some classes in your local area. Reach out to your industry’s ISAC. Make a pull request to your favorite tool, help with documentation, or do some testing of your own!
Because there is more information, data, and examples out there, the effectiveness of scary fire-breathing monsters has diminished.
This does not mean we should create even bigger, scarier monsters.
Adding a big beefy arm won’t suddenly get everyone’s attention.
ICS Basilisk Myth: In Summary
👏 Scaring Operators & CISOs With Fantastical & Fire-Breathing Creatures Is Not Necessary 👏
Sure, things seem pretty scary at times: New threats and vulnerabilities seemingly every day, and activity groups with names in ALLCAPS. There’s no need to over-hype these into mythical creatures that will eat your network alive if you don’t do X.
Real life is much, much more interesting with plenty of challenges to solve.
You don’t need a hero or a knight in shining armor to slay the beast. You are the hero, and if we help each other out, we can defend against everyday threats and even the dreaded ICS Basilisk if it ever really appears someday.
Next week we’ll slay our final ICS mythical creature — the ICS Werewolf. 🐺 *arrrrooooooooo*
~Ron 💜🚀
Become a Subscriber
SYNSABER WILL NEVER SELL, RENT, LOAN, OR DISTRIBUTE YOUR EMAIL ADDRESS TO ANY THIRD PARTY. THAT’S JUST PLAIN RUDE.
