… plotting to hijack ICS project files to infiltrate their victims’ kingdoms. Here are some tips for minimizing that attack surface.
While anti-malware systems have been developed to fight adversaries, these systems have historically not been present in industrial control systems (ICS).
Project files are integral to ICS, providing all the necessary data and instructions each machine on the operational technology (OT) network needs to operate with. While engineers will use them to ensure the smooth running of operations, security teams can use them to gather an accurate picture of what machines are running on the system, along with other critical data such as where they are and what they are supposed to be doing.
However, extracting information from ICS project files is not always straightforward. While some vendors offer simple import-export functionality supporting standardized file types such as CSV, others use binary, proprietary formats that can only be interpreted using vendor-specific software.
A lack of full visibility into what is running on the network and how it normally functions presents a significant security risk, because threat actors could infiltrate the network and the security team would be none the wiser.
Why threat actors target project files
The format of project files poses vulnerabilities that threat actors can exploit as part of their attack. The files saved in a .zip format, for example, can be modified to reroute paths, meaning that when these files are unzipped, malicious files can be uploaded to different locations.
If threat actors manage to access project files, they will have full access to understand the role of each machine connected to the network, as well as its function. Threat actors will be able to use this information to target crucial machines to cause disruption in operations or control over a system to overwrite programs.
There are also significant vulnerabilities within project files themselves that threat actors can exploit as part of their attack. For example, we have already seen that project files often come zipped, particularly when they need to be transferred from one system to another. The ‘zip slip’ vulnerability enables attackers to modify paths within a .zip file so that when it is unzipped, the files contained within it are uploaded to a different location to the target file. This means that the attacker can write files to anywhere on the network to which the file is extracted. Such a capability means that the attacker could take over a computer, for instance if they overwrite a program in the start-up directory.
The binary formats used in many types of project files are vulnerable because they are created using code that is usually many years old. This would often have been written in a time before coders were aware of how to protect their code, and this is unlikely to have been maintained since then. Vulnerabilities of binary formats continue to be published on a regular basis and create a real issue for owners.
Sample attack with project files
One way a threat actor could attack an OT network is through uploading a Dynamic Link Library (DLL) file, which contains instructions that other programs use to carry out specific tasks.
To carry out such an attack, a threat actor would first need to create or clone a project file that has a vulnerability, such as an instruction to import a file from a specified location when the project starts. They can then change the code to ensure the imported file contains a malicious DLL to carry out an assigned task, which could be used to shut down the system.
To get an engineer to open the file, the threat actor could send a phishing email with it attached. To make this look convincing, the file is likely to be in an engineer-friendly format, one that the victim would be familiar with and that opens through an ICS software.
This makes it more likely to pass casual scrutiny than, say, a .doc file, and makes the engineer more curious about the contents. This also has the added benefit that the engineer will open the file up on a computer that has engineering software on it, which will most likely be connected to the OT network. If it were a simple .doc file, the engineer might just use their home PC, meaning the threat actor would not be able to continue their attack.
Attacks against OT networks tend to focus on critical national infrastructure (CNI) and industries necessary to the economies of nation states. The idea is to cause as much disruption as possible. For example, an energy company in Taiwan was subjected to a ransomware attack last year, causing a system outage.
Protecting against attacks
To prevent malicious project files from being downloaded onto the network, organizations need to look at deploying strong endpoint protection and email security to prevent phishing emails getting through to the engineers, as well as restricting what they are able to download onto the OT network. This will prevent a vast majority of these files getting onto the system in the first place.
- Also worth considering is cybersecurity training for engineers so that they are able to spot a suspicious file and know how to handle it.
- Despite these measures, there is always a possibility that a malicious file will make it onto the network. As such, security teams require visibility of all project files on the OT network, regardless of what format they are in, and know how these should normally look.
- Further, they need to be able to monitor the network traffic to be able to identify anomalous behavior that could indicate a project file has been compromised.
- This monitoring should also include looking at any intersections between the IT and OT networks, so that any files being moved from one to the other (which could be a potential security risk) are flagged.
As the average OT network will run on many thousands of project files, this is not a task that can be achieved manually. Therefore, automated solutions that can carry out this monitoring and alert the security team to anything that requires attention are essential.
Project files are a vital component of any OT network, but they are also some of the most vulnerable assets. By knowing how they work and what the inherent risks are, security teams can take appropriate steps to ensure those project files that are so useful to engineers are not also exploited by threat actors.