ICS Intel Benefits - Why Intelligence-Based Detections in ICS Fail: Part 4

Ron Fabela, SynSaber CTO & Co-founder
Part 4: ICS Intel Benefits – Where Intelligence Succeeds in Non-Detection Use Cases

The word “Detections” has been doing much of the heavy lifting in our previous blog posts (ICYMI: Part 1, Part 2, Part 3). While intelligence-based detections in industrial environments are far less effective than they are in the enterprise, intelligence for industrial still delivers significant benefits.

Let’s take a look at where intelligence for industrial has been a net positive, and how it can be properly utilized in the future.

ICS Intel Benefit #1: Historical and Real Attack Use Cases

It’s one thing to speculate on how a patient could succumb to injuries, but a fully documented autopsy is a whole other view on the situation. Intelligence in industrial used to be focused solely on vulnerability research, adjacent malware reversing, and hypothetical use cases. But when an incident really does go down, the amount of detailed and expert analysis of what occurred is valuable for any organization. Current industrial threat intelligence does a superb job closing this historical documentation gap.

Take the INDUSTROYER example again, using Joe Slowik’s wonderfully detailed account of the event as presented at VirusBulletin 2018: https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Slowik.pdf

Here we have a masterful breakdown of the attack and its components. Some brief examples:

When discussing the adversary’s movements within the ICS:

“While the original script was not recovered, in log data a series of rapid RPC authentication attempts to multiple hosts were observed for user ‘Administrator’ with the same password across over 100 endpoints, specified by host name.”

This is helpful context for how actual adversaries footprint and pivot around an industrial environment. Note that this isn’t even a sophisticated example; sometimes the simplest technique is the best one. What matters is that it is real, not hypothetical.

Concerning the IEC-61850 Module:

“While a configuration file is specified (simply containing a list of IP addresses, one per line) both versions of the attack module also have functionality to dynamically perform network discovery. This is performed by first enumerating all network adapters on the victim machine, then enumerating all IPs connected to the network interfaces.
Based on the network address and broadcast address for connected IPs, the module then attempts to connect to every IP in the subnet via broadcast address. Each successful connection is stored in an internal array matching the format of ‘i.ini’. While effective, this routine represents a very blunt (and exceptionally noisy) mechanism for indiscriminately identifying other hosts within the network.”

The context of “blunt objects work just as well” is a huge intelligence win for defenders.
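The two quoted passages above describe the same shape of activity seen from two angles: one account authenticating to many hosts in a short window, and one host connecting to every address in its subnet (broadcast address included). Both are easy to hunt for in first-party logs. The following is an added example written for this post, not code from the original article or from Slowik’s analysis; the log line format (`<ISO time> <kind> key=value ...`), the thresholds, the window, and the sample lines themselves are all constructed assumptions.

```python
"""Fan-out hunts over constructed logs (added example, not from the original post).

Hunt 1: one account authenticating to many distinct hosts in a short window,
        the shape of the 'Administrator' RPC spray quoted above.
Hunt 2: one source connecting to many addresses in its own subnet, including
        the broadcast address, the shape of the IEC-61850 discovery sweep.
The log format ("<ISO time> <kind> key=value ...") is an assumption."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log lines (not real data).
SAMPLE_LOG = (
    [f"2024-01-15T22:{m:02d}:00 auth src=10.0.0.5 dst=10.0.0.{10 + i} user=Administrator result=success"
     for i, m in enumerate(range(1, 9))]          # one account, 8 hosts in 8 minutes
    + ["2024-01-15T22:03:00 auth src=10.0.0.6 dst=10.0.0.20 user=operator result=success",
       "2024-01-15T22:30:00 auth src=10.0.0.6 dst=10.0.0.21 user=operator result=success"]
    + [f"2024-01-15T23:10:{s:02d} conn src=10.0.1.4 dst=10.0.1.{i} proto=tcp dport=102"
       for s, i in enumerate(range(1, 10))]       # sweep of .1 to .9 in nine seconds
    + ["2024-01-15T23:10:30 conn src=10.0.1.4 dst=10.0.1.255 proto=tcp dport=102",
       "2024-01-15T23:12:00 conn src=10.0.1.7 dst=10.0.1.8 proto=tcp dport=102"]
)


def parse(line):
    """Turn one log line into a dict with a datetime 'ts', a 'kind' and the key=value fields."""
    ts, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "kind": kind, **fields}


def fanout(events, key_fn, target_fn, window, threshold):
    """Sliding-window fan-out detector.

    For each key (a source host, or source host plus account) count the distinct
    targets seen within `window`; report the peak count for keys that reach
    `threshold`. Returns {key: peak_distinct_targets}."""
    recent = defaultdict(deque)   # key -> deque of (ts, target), oldest first
    peaks = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, target = key_fn(ev), target_fn(ev)
        q = recent[key]
        q.append((ev["ts"], target))
        while ev["ts"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= threshold:
            peaks[key] = max(distinct, peaks.get(key, 0))
    return peaks


def auth_spray(events, window=timedelta(minutes=5), threshold=5):
    """Hunt 1: the same (source, account) pair authenticating to >= threshold hosts within `window`."""
    auth = [e for e in events if e["kind"] == "auth"]
    return fanout(auth, lambda e: (e["src"], e["user"]), lambda e: e["dst"], window, threshold)


def subnet_sweep(events, subnets, window=timedelta(minutes=5), threshold=5):
    """Hunt 2: a source touching >= threshold hosts inside one of `subnets`.
    Also records whether that source ever addressed a subnet broadcast address."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    broadcasts = {n.broadcast_address for n in nets}
    conns = [e for e in events if e["kind"] == "conn"]

    def local(e):  # source and destination inside the same listed subnet
        src, dst = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
        return any(src in n and dst in n for n in nets)

    peaks = fanout([e for e in conns if local(e)],
                   lambda e: e["src"], lambda e: e["dst"], window, threshold)
    findings = {}
    for src, count in peaks.items():
        hit_bcast = any(e["src"] == src and ipaddress.ip_address(e["dst"]) in broadcasts
                        for e in conns)
        findings[src] = {"distinct_targets": count, "hit_broadcast": hit_bcast}
    return findings


EVENTS = [parse(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    print("auth fan-out:", auth_spray(EVENTS))
    print("subnet sweeps:", subnet_sweep(EVENTS, ["10.0.1.0/24"]))
```

Both hunts share one detector and differ only in what is grouped (account plus source, or source alone) and what counts as a target. In a real plant the thresholds should come from the site’s own baseline, which is exactly the “first party collected” visibility this series keeps returning to: a sweep of ten hosts is noise on a corporate LAN and a strong signal on a substation network where every talker is known.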

Context for the SIPROTEC Module:

“Unfortunately, in designing this software, which is appropriately named ‘dos.exe’, the attacker successfully implemented the specially crafted traffic to UDP 50000 that would trigger a denial of service condition, but failed to implement byte conversion for IP addresses when creating sockets. As a result, the module sends traffic to invalid, incorrect IP addresses.
For example, if targeting, the created socket would send traffic to As implemented, the ‘dos.exe’ module includes a hard-coded list of IP addresses for attack. As a result, even if this error is caught at run-time, the adversary could not ‘fudge’ execution by reading in a modified list of ‘reversed’ IP addresses. Thus this module is effectively useless for the attack.”

In Part 2, we discussed the SIPROTEC vulnerability. Interestingly, this adversary module was a complete failure, but it still provides context for how, and what, adversaries may target in the future.
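The “reversed IP addresses” remark in the quote above is a classic host-versus-network byte-order mistake, and it explains why a defender would have seen that module’s traffic going to addresses that exist nowhere on the local network. The following added example (written for this post, not code from the original article, from Slowik’s analysis, or from the malware) models the mistake on a little-endian host with Python’s `struct` module and sends nothing; the `<` format stands in for the native byte order of such a host, which is an assumption about the platform being modelled.

```python
"""Why a missed host-to-network byte conversion 'reverses' an IPv4 address.
Added example; not code from the post or from Slowik's analysis. It models the
bug described above on a little-endian host and sends no traffic."""
import socket
import struct


def ipv4_to_int(dotted):
    """Interpret a dotted quad as a 32-bit integer, most significant octet first."""
    return int.from_bytes(socket.inet_aton(dotted), "big")


def pack_correct(dotted):
    """Correct: write the address in network (big-endian) byte order."""
    return struct.pack("!I", ipv4_to_int(dotted))


def pack_missing_conversion(dotted):
    """Bug modelled: write the integer in host order on a little-endian machine,
    which is what skipping htonl (or inet_addr's conversion) amounts to."""
    return struct.pack("<I", ipv4_to_int(dotted))


def address_on_the_wire(packed):
    """What the network stack actually addresses, given the four raw bytes."""
    return socket.inet_ntoa(packed)


def misaddressed(dotted):
    """Return (intended destination, destination actually addressed) for the buggy packing."""
    return dotted, address_on_the_wire(pack_missing_conversion(dotted))


if __name__ == "__main__":
    for ip in ["10.1.2.3", "192.168.10.20"]:   # constructed sample addresses
        intended, actual = misaddressed(ip)
        print(f"{intended}: correct -> {address_on_the_wire(pack_correct(ip))}, "
              f"missing conversion -> {actual}")
```

From the visibility angle this series argues for, the symptom is concrete: a host on the control network suddenly attempting connections to destinations such as 3.2.1.10 that belong to no local subnet. An allow-list of known talkers and known ranges, maintained by the operators who own the network, flags that immediately whether or not anyone has an indicator for the tool that produced it.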

Understanding the past can bring insights to future possibilities, as Joe Slowik elegantly states:

“Threat intelligence provides an insight into what has happened before, to drive an understanding of what may happen in the future. While not predictive and adversaries can always throw us for loops, accurate understanding of events defines the art of the possible which can be leveraged to appropriately invest in and vector security resources to meet existing threats.”

Joe Slowik, CEO, Paralus

ICS Intel Benefit #2: Informed and Effective Threat Hunting in Industrial

Before there were historical, real-world industrial attack cases, scenarios were stuck in the fantasy realm. 🍻 In early BEER-ISAC meetings, my peers and I would share different ways we could effectively attack an industrial control system. But it was only a dream (or nightmare) of well-informed consultants, operators, penetration testers, and auditors about the conditions and actions necessary to actually take down the system. These attack scenarios, while well informed, were still hypothetical.

This meant that recommendations and best practices for defense were still technically hypothetical as well. With actual events and retrospectives from intelligence groups, the community finally had some breadcrumbs to follow. While defenders may never see the exact same attack as INDUSTROYER, we now have a blueprint for informed and effective threat hunting.

SANS White Paper from Gunter/Seitz

A white paper from Dan Gunter and Marc Seitz on threat hunting, using INDUSTROYER as a reference, is a perfect example of this idea:

What I feel is especially important is what Gunter/Seitz call out as “Phase 2: Hypothesis Development.” In summary, hypotheses can be derived from many different sources and perspectives, but having historical intelligence from previous events is a significant step in the right direction. That first step is often hard to take without reference material to spark the imagination, and cases like INDUSTROYER lay out the roadmap.

Sometimes this roadmap can be overwhelming (see below), and efforts need to be appropriately scoped, but what a wealth of knowledge!

CRASHOVERRIDE-INDUSTROYER Incident Adversary Techniques Chain from INL
From INL: https://inl.gov/wp-content/uploads/2021/12/CRASHOVERRIDE-CyOTE-Case-Study.pdf

Of course, there are plenty of nuances even within this benefit. As Dan Gunter, co-author of the white paper referenced above, recently shared with me:

“Threat intel can be a powerful tool for prevention, detection, and response as well as activities like threat hunting. As with all tools, it’s important to understand the strengths and weaknesses of threat intel and to continuously evaluate the accuracy and impact of threat intelligence. This allows asset owners to make informed decisions and properly assess risk.”

Dan Gunter, CEO & Founder, Insane Forensics

ICS Intel Benefit #3: Moving Mountains (CISOs and Budget)

Early on in ICS cyber security, most of the effort was around convincing decision-makers and budget approvers that industrial cyber threats were, in fact, real. We piled on proof points like vulnerability research, attack path analysis, penetration testing, and the little bits of intelligence we had about enterprise attacks against industrial companies (remember Shamoon, BlackEnergy, and Havex?).

But for the most part, it was difficult to gain traction. Pentesters could pivot all the way down to the control system, get administrator on an HMI, show they could impact the process, and often the question back was, “So what… who would actually figure out how to do this?” 🤦‍♂️

While we can still count the number of confirmed industrial attacks on a single hand, the intelligence deep dives described above, and the supporting content built on them, have effectively moved industrial companies’ budgets and projects toward improving security. For better or for worse, these events moved ICS attacks from purely hypothetical to current reality.

True, it’s important not to over-hype these events past their factual limits. Remember, “Phishing a Utility Does Not an ICS Threat Actor Make” (https://synsaber.com/why-intelligence-based-detections-in-ics-fail-part-2/), but showing that threats are real, that attack paths exist, and that impacts to industrial processes have occurred is a powerful force for change.

Visibility is the Key

While industrial threat intelligence may inspire, operations-based intelligence empowers.

Visibility crafted, maintained, and controlled by operators (security or industrial) defending their environments is the critical gap in the intelligence conversation.

Organizations cannot solely rely on external intelligence sources, even considering the benefits we’ve outlined above. Instead, they should match those external intelligence sources with internal “first party collected” visibility and data to make actionable and informed decisions. 

As we bring this series to a close, it’s important to reiterate that the goal isn’t to downplay the importance of intelligence, but to broaden the aperture a bit on where intelligence can be derived. For ICS, it’s vitally important to have a solid understanding and control of the single most effective intelligence generating environment you have: your own control system. To put it another way:

👉 No one knows your environment better than you and your operators 👈

Thanks again for being a part of this journey!

~Ron 💜🚀