How ICS project files can be used to attack businesses [Q&A]
Industrial control systems (ICS) are usually kept separate from internet-facing and other business applications. But researchers at Claroty have discovered a way to exploit ICS project files as an attack vector.
The attack was demonstrated at the recent DEF CON conference. We asked Nadav Erez, Claroty's research team lead, to explain more about why these files are particularly attractive to attackers.
BN: Exactly what are ICS project files?
NE: These are files that are generated by ICS engineering software and basically they contain all the information that the software saves, because these options are used by engineers to programme the equipment.
These files will contain a lot of information about the different assets you have in your plant or in your power generation facility, as well as the internal logic of the control system.
BN: How can these files be exploited by attackers?
NE: It's possible to create a malicious file, like you would have a malicious PDF. This can be executed and is able to basically reverse engineer computers or other devices. By sending a file as an attachment you can gain access to an engineer.
Although these might be skeptical people, they are also keen to help each other. So by using support forums they may be persuaded to open a malicious file masquerading as an ICS project file -- by someone claiming to be having trouble opening it, say. This file might contain a vulnerability that is called on execution, so when it's sent over to an engineer the attacker will gain full access to the engineer's computer which means direct access to the control systems and physical devices.
So you don't need to hack into the programmable logic controller (PLC); you can target its logic files, and at some point these are likely to get uploaded to the PLC.
BN: How might these attacks be used?
NE: It could be phishing for information or it could be to implant ransomware or to cause disruption to systems. But if you look at cases that happened in the past couple of years, you can see the attackers basically just wanting to get to the physical devices in order to cause damage. Look at the attacks on the Ukraine. What they did was they got access to the systems in the power generation facility and basically they attacked them via the network. Once they had access to trusted network connections they could cause blackouts across Ukraine.
Attacks could also be motivated by stealing intellectual property to get knowledge of the network design and functionality.
BN: What can organizations do to protect themselves?
NE: The first step is to ensure endpoint protection on the engineers' computers, because whatever code is used will be executed on one. Next is to monitor network traffic to identify any anomalies or anyone trying to perform unusual actions around PLCs.
ICS systems are often air-gapped, but the risk with this type of attack is that, because it's a project file, the engineer will copy it over to their engineering systems and so the air gap means nothing. Combine this with some social engineering and someone receiving a project file -- perhaps appearing to come from a colleague -- will treat it with a lot less suspicion than a file downloaded from the internet. Organizations therefore need to increase awareness of the risks so files aren't transferred or opened straight away without checking.
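As an added illustration of the network-monitoring step Erez describes (this is example code written for this page, not Claroty's tooling or anything from the interview), the script below flags PLC program downloads that come from a host outside an assumed engineering-workstation allowlist or that fall outside an assumed change window. The log format, the `op=program_download` field, the addresses and the policy values are all constructed assumptions.

```python
"""Flag unusual program downloads to PLCs in constructed ICS monitor logs."""
import re
from dataclasses import dataclass
from datetime import datetime

# Assumed inventory and policy: which workstations may program PLCs,
# which hosts are PLCs, and the approved change window (UTC hours).
ENGINEERING_WORKSTATIONS = {"10.1.5.20", "10.1.5.21"}
PLCS = {"10.1.9.7", "10.1.9.8"}
CHANGE_WINDOW = (8, 17)  # downloads expected only 08:00-17:00 UTC

# Constructed sample records from a hypothetical passive ICS monitor.
SAMPLE_LOG = """\
2023-10-02T09:15:00Z src=10.1.5.20 dst=10.1.9.7 op=read_status
2023-10-02T10:02:11Z src=10.1.5.20 dst=10.1.9.7 op=program_download
2023-10-02T10:30:45Z src=10.1.5.21 dst=10.1.9.8 op=program_download
2023-10-02T23:41:09Z src=10.1.5.20 dst=10.1.9.8 op=program_download
2023-10-03T11:12:30Z src=10.1.7.44 dst=10.1.9.7 op=program_download
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) op=(?P<op>\S+)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Parse one record into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    return rec


def find_unusual_downloads(log_text):
    """Return alerts for PLC program downloads that violate the assumed policy."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["op"] != "program_download" or rec["dst"] not in PLCS:
            continue  # only program writes to known PLCs are of interest here
        if rec["src"] not in ENGINEERING_WORKSTATIONS:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], "download from non-engineering host"))
        elif not CHANGE_WINDOW[0] <= rec["hour"] < CHANGE_WINDOW[1]:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], "download outside change window"))
    return alerts


if __name__ == "__main__":
    for alert in find_unusual_downloads(SAMPLE_LOG):
        print(alert)
```

In a real deployment the allowlist and change window would come from the asset inventory and change-management records rather than constants, and the records would be read from the monitoring platform's export.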