Intelligence-Based Detections in ICS, part 2

Why Intelligence-Based Detections in ICS Fail: Part 2

Ron Fabela, SynSaber CTO & Co-founder

Part 2: Understanding ICS

In part 1, we covered the basics of intelligence-based detections in ICS, primarily focusing on the intel-based detections topic to lay the foundation for the rest of our series. This week we dive into the ICS portion. ICS security is all about “location, location, location.” Let’s learn about what we are defending and why targets aren’t as important as objectives.

To understand industrial threats is to understand the environments in which they wish to act on their objectives. Current enterprise intelligence works splendidly due to the volume of telemetry/monitoring data, common threat actor objectives, and general uniformity of the attack surface.

But in industrial environments, not all of those factors are present. Here’s another foundational look at the why.

Intelligence-Based Detections in ICS: the TL;DR

Current ICS intelligence is ineffective because, in the absence of concrete use cases, data, and visibility, intelligence groups wrongly focus on the targets and not the objectives.

ICYMI: ICS for Cyber Geeks blog series

In a previous blog series, we covered some of the basics of ICS terms and architecture. Below are links to those posts in case you missed them when they were first published:

Not All ICS is the Same

It is easy to fall into misconceptions when bundling all of the world’s infrastructure into the single bucket of ICS, and even more so when it comes to security. The amount of vendor diversity alone is enough to break the bundle, without even considering the specific processes, configurations, operational procedures, safety, and human elements of industrial control. Although it may sound simple:

👉 The power grid in Ukraine has very little actual overlap with a power grid in Texas.

Every single piece of technology could match. PLCs/RTUs, relays, instrumentation, HMIs, EWS/OWS, historians, protocols… could all match precisely, and the operational posture of the two systems would still vary wildly. Once designed and built, the operation of the asset shifts how it can and should be secured.

Rockwell Example

Rockwell Automation is a major ICS vendor that provides hardware and software for industrial processes. Their ControlLogix controllers are the workhorses of large architectures, but smaller units such as the Compact/MicroLogix are also offered.

While these are built on the same common architecture (controllers may have the same hardware components, use similar software, understand the same protocols, etc.), the applications vary exponentially.

Below, as an example, are some of the industries that Rockwell serves:

Rockwell Automation website screenshot

Even if there is a devastating vulnerability for this product line (like, where a hardcoded key in the design software can be extracted and reused to gain authentication to most of these devices for basically all time), there are so many steps needed before and after for any exploitation to be effective.

With that, let’s talk about chains. ⛓️

No 2 ICS Attacks are the Same

Due to the purpose-built nature of ICS, and on top of the diversity in technology, no two ICS attack vectors have been the same (so far). The areas of overlap exist only in the IT technologies that reside in the enterprise and provide initial access to the OT environments.

Let’s introduce some concepts that may seem played out, but are still applicable here.

The Cyber Kill Chain

Image: the Cyber Kill Chain, from Lockheed Martin

ICS Cyber Kill Chain

Image: Cyber Kill Tree (not really)

The concept of cyber threat intelligence is great. Attackers have to generally follow the kill chain steps in order to act on objectives successfully. These actions can be mapped and detected, allowing defenders multiple opportunities to catch the badness. For an enterprise with tons of users exposed to the internet and other organizations, factoring in the latest TTPs gives blue teams an edge in detecting the latest threats.

History has shown us that for ICS attacks to be effective, the TTPs have to be so customized for the target that there is little to reuse. While individual attacks on assets by threat groups demonstrate interest and academically provide use cases, not much of the resulting intelligence proves effective in day-to-day operations.

It’s About Acting on Objectives

What we are really trying to prevent is for the threat actor to “act” on objectives. This changes depending on the environment. Enterprise operations may be targeted with ransomware while ICS is caught in the splash damage. An attack on ICS safety systems aims to disrupt the process and its failsafes while not really caring about data exfiltration.

For the most part, current ICS attacks, intelligence, and TTPs fall into two categories:

1. Phishing a Utility Does Not an ICS Threat Actor Make

An intelligence landscape desperate for additional use cases and data offers a wealth of “an attacker happened to touch an ICS organization, even though it’s unknown whether the objective was to disrupt the ICS” reporting.

Intelligence-Based Detections in ICS: Bucket 1 intel

While most agree that spearphishing as an initial injection may lead to process disruption 20 steps down the kill chain, that doesn’t necessarily make the case that the TTP is specific to ICS.

2. Reversing ICS Malware

This is where a lot of the cool work is actually done. Brilliant reversers are out there with actual ICS-specific malware to investigate. When coupled with industrial experts, these reversers can really dig into how the threat actor intended to act on objectives.

Intelligence-Based Detections in ICS - Bucket 2 intel

Hey, actual intelligence! When this capability is applied to real ICS malware (of which there are few enough samples to count on one hand), the wealth of knowledge provided is staggering. The deep-dive reports that come out are typically well constructed, even if the media overhypes the impacts. However:

The intelligence data derived from existing ICS attacks/malware does not scale or apply outside its target. Stuxnet/Triton/Industroyer, as researched and documented at that moment in time, will never resurface exactly elsewhere (and have not to date).
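To make the target-versus-objective argument from the two buckets above concrete, here is an added illustration (not SynSaber’s code or tooling): a target-specific indicator set reversed out of one historical case is run against a constructed event log from a different site and matches nothing, while a rule written around the objective itself (changing controller logic from a host that is not the engineering workstation) fires. All hosts, hashes, timestamps and indicator values are invented for the example.

```python
# Added example (not SynSaber's code): target-specific indicator matching versus
# objective-based detection over a constructed ICS event log. Every host name,
# hash and indicator value below is invented for illustration.
from dataclasses import dataclass

@dataclass
class Event:
    ts: str        # constructed timestamp
    src: str       # source host on the OT network
    dst: str       # controller or server being addressed
    action: str    # normalized action, e.g. "read_tag", "program_download"
    sha256: str    # hash of any transferred artifact, "" if none

# Constructed "bucket 2" intel: indicators reversed out of one historical sample.
# They describe that single target and are not expected to recur elsewhere.
TARGET_INTEL = {
    "sha256": {"deadbeef" * 8},   # placeholder hash of the analyzed sample
    "hosts": {"10.0.0.99"},       # placeholder staging address seen in that case
}

# Constructed log from a different site: the engineering workstation (EWS) is the
# only host allowed to change controller logic; the HMI should only read/write tags.
EVENTS = [
    Event("08:00:01", "ews-01", "plc-line3", "read_tag", ""),
    Event("08:00:05", "hmi-02", "plc-line3", "write_tag", ""),
    Event("08:00:09", "hmi-02", "plc-line3", "program_download", "0123abcd" * 8),
    Event("08:00:10", "hmi-02", "plc-line3", "mode_change", ""),
]

ALLOWED_EWS = {"ews-01"}                            # hosts permitted to alter logic
LOGIC_CHANGE = {"program_download", "mode_change"}  # actions that realize the objective

def match_indicators(events, intel):
    """Target-based detection: fires only on artifacts from the original case."""
    return [e for e in events
            if e.sha256 in intel["sha256"]
            or e.src in intel["hosts"] or e.dst in intel["hosts"]]

def detect_objective(events, allowed_ews):
    """Objective-based detection: fires on the act itself (a logic change from an
    unauthorized host), regardless of which actor or tooling performs it."""
    return [e for e in events
            if e.action in LOGIC_CHANGE and e.src not in allowed_ews]

if __name__ == "__main__":
    print("indicator hits:", match_indicators(EVENTS, TARGET_INTEL))
    for a in detect_objective(EVENTS, ALLOWED_EWS):
        print(f"ALERT {a.ts} {a.src} -> {a.dst}: {a.action}")
```

The indicator pass returns nothing because the hashes and addresses belong to a different target; the objective rule raises two alerts for the HMI downloading a program and changing controller mode.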


Next time we’ll get into the meat of what works, what doesn’t, and why it matters for ICS threat intelligence. Understanding that current ICS threat intelligence is overly focused on targets and not objectives isn’t necessarily a nail in the coffin.

Threat intelligence has its place in the world. In industrial, that world consists of wildly diverse architectures, systems, and processes where current intelligence has a minimal impact at the operational level.

~Ron 💜🚀