What Phase Of The Cyber Kill Chain Is Your Network In?
By Samu Konttinen
It was like a CEO’s nightmare come to life. In March 2019, Norsk Hydro, a Norwegian aluminum company, suffered a ransomware attack that, shudderingly, “affected our entire global organization,” including 160 plants, according to CEO Svein Richard Brandtzæg.
For Norsk, like any manufacturer, product must ship or the business will suffer or possibly even crumble. So the aluminum maker’s employees scrambled.
They volunteered to work into the night and on weekends to restore processes that usually run automatically. Shipments that had taken moments earlier in the year now took three to four hours. More than a month after the attack, more than half of the plants were still being run in manual mode. And the cost of the attack could end up being as high as $75 million.
This heroic effort by the employees of Norsk Hydro should be a warning to everyone who works in the process industry (or any industry): One or more of the attacks you are likely suffering on a weekly, if not daily, basis will eventually succeed. And any successful attack could lead to the intrusion that takes your business down.
So here are the questions you need to answer now: When this happens, will you know in time to stop the attackers from reaching their objectives? And, more importantly, do you have the capabilities to stop them red-handed?
Everything connected; everything at risk
Financial gain and industrial espionage are the main motives behind cyberattacks on the manufacturing industry, according to the latest Verizon Data Breach Investigations Report. And the attackers who go after this sector are generally well resourced and professional.
While the drive to digitize everything tends to increase productivity, it also can increase opportunities for attackers aiming to exploit the vulnerabilities created.
Think of all the systems manufacturers have to secure.
Start with the corporate network (i.e., the traditional IT systems). Add in operations technology, combined with commercial, off-the-shelf platforms. Put that all on top of legacy technologies that encompass a variety of systems, all taxed to produce maximum results. Then multiply all of the above by the demands for more and more data to optimize production in order to meet the constant needs to lower costs and increase market share.
There’s so much you have to get right. Criminals just have to get in.
To get a sense of how an attack progresses, think of the cyber kill chain in two different phases. The first phase targets your IT. When that’s successful, the hackers move on to the industrial control systems.
Hackers do their homework
Phase I starts where you are now — on the internet.
Like top analysts and investors, motivated hackers track the news, looking for any information about your business, plant, employees, customers or third-party vendors.
But unlike analysts and investors, they eagerly seek out information anywhere they can find it — public or private, legitimate or illegitimate — until they find some way into your internal systems.
Now, the intrusion begins
Often, the first step into your corporate network takes the form of a spear-phishing email that contains a remote access trojan. Now the attackers have a foothold. At this point, they have a decision to make: Do they risk being detected by grabbing what they want quickly, or do they move stealthily, deliberately gathering intelligence? Either way, the goal is complete access.
The attack is almost ready, but first the hackers need to know as much about your networks as possible. This is when the pros figure out how they’re going to make the leap from your corporate network to your industrial control systems. This often requires months of reconnaissance.
The criminals will try to map your different systems and their software versions, then look for known or as yet undisclosed vulnerabilities in them. Many legacy systems still in operation today were built decades before the internet was in everyday use and before the term "cybersecurity" was even invented.
Programmable logic controllers (PLCs) and distributed control system (DCS) equipment will be identified and targeted, along with any user credentials the attackers can find or phish. Gigabytes of information may be downloaded as the crooks use their control of internal machines, often accessing them after hours or on weekends, when nobody is watching.
Any weakness — whether it’s an easily exploitable legacy system or even a Post-it note with a user’s credentials on a computer monitor that’s visible in a photo stored on a compromised server — will be exploited.
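The reconnaissance behaviour described above (an IT-zone machine enumerating plant systems, speaking industrial protocols and working after hours) is exactly what a detection team should be looking for before the attackers reach their objective. The following script is an added example and is not code from the original article, from F-Secure or from Norsk Hydro. It runs simple detection logic over constructed connection-log lines; the IT and OT address ranges, the business-hours window, the port-to-protocol table and the scan threshold are all assumptions a real deployment would replace with its own values.

```python
"""Flag IT-to-OT reconnaissance in simple connection logs (added example).

Each log line is 'timestamp src_ip dst_ip dst_port'. Everything below the
docstring that names a network, port, hour or threshold is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

IT_ZONE = ip_network("10.1.0.0/16")        # assumed corporate (IT) range
OT_ZONE = ip_network("10.200.0.0/16")      # assumed plant (OT/ICS) range
ICS_PORTS = {                              # well-known ICS protocol ports
    502: "Modbus/TCP",
    102: "S7comm",
    44818: "EtherNet/IP",
    20000: "DNP3",
}
BUSINESS_HOURS = range(7, 19)              # 07:00-18:59 local, assumed
SCAN_THRESHOLD = 5                         # distinct OT hosts from one IT source

# Constructed sample log, not real traffic. 2019-03-12 is a Tuesday and
# 2019-03-16 a Saturday; 10.1.8.9 is a legitimate daytime HTTPS client,
# 10.1.5.23 sweeps six plant hosts with ICS protocols at 02:00 on a weekend.
SAMPLE_LOG = """\
# timestamp            src        dst          port
2019-03-12T10:15:00 10.1.5.23 10.1.7.40 445
2019-03-12T10:16:00 10.1.8.9 10.200.3.5 443
2019-03-16T02:10:00 10.1.5.23 10.200.1.10 502
2019-03-16T02:11:00 10.1.5.23 10.200.1.11 102
2019-03-16T02:12:00 10.1.5.23 10.200.1.12 102
2019-03-16T02:13:00 10.1.5.23 10.200.1.13 44818
2019-03-16T02:14:00 10.1.5.23 10.200.1.14 502
2019-03-16T02:15:00 10.1.5.23 10.200.1.15 22
"""


def parse_line(line):
    """Split one log line into (datetime, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(port)


def is_after_hours(ts):
    """Weekend, or a weekday hour outside the assumed business window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def analyze(lines):
    """Collect per-source evidence for every IT host that touches the OT zone."""
    findings = defaultdict(
        lambda: {"ot_hosts": set(), "ics_protocols": set(), "after_hours": 0}
    )
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, port = parse_line(raw)
        if src not in IT_ZONE or dst not in OT_ZONE:
            continue  # only cross-zone IT -> OT traffic matters here
        f = findings[str(src)]
        f["ot_hosts"].add(str(dst))
        if port in ICS_PORTS:
            f["ics_protocols"].add(ICS_PORTS[port])
        if is_after_hours(ts):
            f["after_hours"] += 1
    return findings


def triage(findings):
    """Turn raw evidence into a sorted list of (src, [reasons]) worth a look."""
    out = []
    for src, f in findings.items():
        reasons = []
        if len(f["ot_hosts"]) >= SCAN_THRESHOLD:
            reasons.append(f"enumerated {len(f['ot_hosts'])} OT hosts (mapping the plant)")
        if f["ics_protocols"]:
            reasons.append("spoke ICS protocols from the IT zone: "
                           + ", ".join(sorted(f["ics_protocols"])))
        if f["after_hours"]:
            reasons.append(f"{f['after_hours']} OT connections outside business hours")
        if reasons:
            out.append((src, reasons))
    return sorted(out)


if __name__ == "__main__":
    for src, reasons in triage(analyze(SAMPLE_LOG.splitlines())):
        print(src)
        for r in reasons:
            print("  -", r)
```

On the constructed sample only 10.1.5.23 is reported, with all three reasons; the daytime HTTPS connection from 10.1.8.9 crosses the zone boundary but trips none of the rules. The point is not the thresholds but the vantage point: a flow record at the IT/OT boundary is one of the few places where the reconnaissance stage of the kill chain is visible before the payload is delivered.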
Designed to do the most damage to your business
Now the criminals must identify their target (or targets). In this case, it could be one plant or several. They map out the system and may decide to focus on a plant's manufacturing execution system, which links operations to the corporate network.
Finally, the attack is ready. The hackers know how and when the plant works, so they can time their attack and calibrate a payload that blends into normal operations. At that point detection is difficult, if not impossible, especially if the company has not deployed advanced detection and response capabilities.
Now the actual attack can begin.
How can your business avoid this sort of waking nightmare?
The earlier in the cyber kill chain you detect an intruder, the less damage you are likely to face. Enforce strong authentication, and restrict access to your systems to the people and machines that need it. Perform assessments on your systems to identify risks and vulnerabilities, replace legacy systems where you can and keep your software updated. Review the type of network access your systems have (e.g., whether they actually need to reach the internet, and whether the corporate network really needs to reach the plant network).
Also, regularly keep backups for data recovery. And know that your employees are constantly being targeted through phishing and other means of pretexting, so train them to recognize these common methods, and test your procedures.
But since a persistent attacker will eventually get in, make sure you have the capability to detect and respond to a live intrusion in your network, because the Norsk Hydro attack reminds us that if you don't, the results could be even worse than you've imagined.