As adversaries grow more sophisticated and ambitious, our vital infrastructure faces a growing threat of cyber attacks. To help protect industrial control systems, MITRE released ATT&CK for ICS.

Protecting Critical Infrastructure from Cyber Threats
Electricity. Clean water. Reliable energy. These are conveniences we’ve come to know and expect in our modern society.
It’s easy to forget how important they are until we lose access to them.
Of course, there's always the damage caused by natural disasters and physical attacks to worry about. But as the industrial control systems (ICS) that operate our nation’s critical infrastructure become more sophisticated, the threats posed by cyber attackers are also a major concern.
When cyber attackers threaten our energy transmission and distribution plants, oil refineries, and wastewater plants, the breaches can quickly become a direct threat to human life and the physical environment.
Fortunately, MITRE released ATT&CK for ICS in January 2020. Designed to contribute to a safer cyber environment for industrial control systems, ATT&CK for ICS helps ensure that industrial organizations are equipped for, and protected against, potential cyber threats, especially in these changing times.
ATT&CK for ICS is one of the latest additions to the MITRE ATT&CK® family, which began with ATT&CK for Enterprise, a globally accessible knowledge base of adversary tactics and techniques. MITRE ATT&CK is used by a range of government organizations and industry sectors, including finance, technology, retail, and healthcare.
- Our final speaker is actually from the ATT&CK team.
It's our ATT&CK for ICS lead Otis Alexander.
- Thank you, Adam.
So what I'll do is I'll quickly give an update
on ATT&CK for ICS.
I'll let you know what we kinda got accomplished last year
and what's on the horizon.
So this is our press release when we released ATT&CK,
it's kinda surreal looking at this because I have a hard
time believing that this was released this year.
It seems like two years ago but nonetheless,
January 7th, 2020, we released ATT&CK for ICS
and it's a knowledge base that explains adversary behavior
against industrial control systems.
So given the short amount of time, around 11 months,
we've gotten a lot of attention around ATT&CK for ICS
from different entities in the ICS community.
And we couldn't fit everybody on this slide
but what I wanna say is thank you to everybody
who talks about how they use ATT&CK for ICS
and why it's important to the community.
So in the first blog post I released upon release
of ATT&CK for ICS, I kinda talked about what were some
of our short term goals in terms of ATT&CK for ICS.
What do we wanna add to it?
And one of the big things I talked about was you know,
the insecure by design nature of a lot of the components
and networks and the like in industrial control systems.
So we thought it would be prudent to first think
about the mitigations that are associated
with the adversary behavior and the techniques.
So our approach to that was to use ATT&CK for enterprise
and see what mitigations they had, how they apply
to the techniques that we've put into ATT&CK for ICS,
and then kind of figure out where the gaps were.
And we found some gaps that ended up in us creating 17 new
mitigations that really focus on industrial control systems.
So where applicable, each mitigation has a mapping
to IEC 62443 and NIST 800-53 in the info box
of the mitigation.
So you could use that to kinda cross reference
security controls.
And what we really try to do is to think low level,
what do we think would most benefit embedded controllers
as well as the networks but we really had a focus
on embedded controllers, protecting the operational
and management interfaces there.
And from an asset owner/operator perspective, you may say,
hey, I can't do anything there, it'll mess up
my certifications, and you're most likely correct.
And we just want everybody to understand that
there's multiple stakeholders we're talking
to in terms of these mitigations.
So asset owners/operators, integrators, device vendors,
security vendors, they all have their part
in kind of implementing these mitigations.
So some other very exciting news is the STIX
and Navigator integration.
We got a lot of asks about when we will be integrating
these tools and whether people would be able to use these
and leverage them.
So as of ATT&CK version eight,
we released ATT&CK for ICS in STIX.
So now you can ingest it into any of your tools.
You could use it more programmatically.
And then also some good news is with the new version
of ATT&CK Navigator, you're now able to pick
ICS as a domain.
So now you can use it in visualizations and anything else
you wanna do with Navigator there.
So we're moving towards more integration and we hope
that you enjoy using these tools with ATT&CK for ICS.
So those are some of the highlights from last year.
What's on the horizon for us?
Well, one thing we really wanna do is focus
on data sources this year.
So these are really important to us.
Maintaining visibility into the ICS networks
is kind of in its infancy.
It's essential however for quickly detecting
and remediating cyber threats.
So understanding the various data sources
ahead of time before something happens is a key endeavor
to this mission.
While network traffic is really popular as king right now,
you see a lot of passive network detection solutions
coming out.
There are other valuable data sources that are often
overlooked and some examples are here, embedded device logs
so, we do see some companies doing some active polling.
Various application logs associated with engineering
applications or HMIs and the like.
And then operational databases such as work order databases,
historians and the like so,
there's a lot of options out there.
And the way we're really thinking about this is
what do these data sources provide us at a high level?
And what is attached to these high level categories?
So some things that we're looking at
are process information, so various events that can clue you
on to command execution if you miss it over a network
or you need some way to corroborate what you see
over to a network.
Also asset management is very important.
So condition-based monitoring, predictive maintenance.
How is your equipment running?
Are there any problems there?
And does that link up with other events that you've seen?
Or even things like work order great databases.
So, a program download isn't necessarily bad
but did the program download happen
when it was supposed to happen?
So this is something that we're really excited about
getting into ATT&CK for ICS and really refining
what we have so far.
And last but not least, we want to include the ICS attacks
in Enterprise ATT&CK so, one of the key tasks that we have
is mapping these attacks to enterprise techniques.
So you can see here, these are some attacks
that we're focusing on right now, Stuxnet, Ukraine 2015,
Industroyer and Triton.
And we're really responding to what we've heard
from industry and kind of what we've always said
is you kinda need to use these two knowledge bases together
because adversaries don't respect theoretical boundaries.
And it's important to have a deep understanding
of how they leverage IT platforms to access and impact ICS.
So we really want this to help explain the full gamut
of adversary behavior.
And as always, we need your help.
This is a community effort.
So we always are curious about how we can improve
ATT&CK for ICS.
Things that we're doing or how are you using it?
So for instance, the mitigations,
are you currently using them?
We've heard some great stories
from the device vendors so far.
And do you have any opinions about the direction that we're
taking, specifically in terms of our data source focus?
How would you do it?
What do you think is important there?
So that's all I have, thank you.
Always feel free to reach out,
let us know if you have any questions.
- Yeah, Otis should be available for questions in Slack.
I've got one set up for him.
Thank you again for joining us today.
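The speaker's point about data sources, that a program download is only suspicious in context and that one source should corroborate another, worked as an added Python example (not code from the talk or from ATT&CK for ICS itself); the event formats, asset names, 30-second tolerance and work-order windows are constructed assumptions:

```python
from datetime import datetime, timedelta
# Constructed sample data (not real logs): two independent data sources plus the work-order database.
NETWORK_EVENTS = [   # passive network monitor: logic pushed to a controller
    {"ts": "2020-11-03T09:12:00", "asset": "PLC-07", "event": "program_download"},
    {"ts": "2020-11-03T23:41:00", "asset": "PLC-12", "event": "program_download"},
]
CONTROLLER_LOGS = [  # embedded device logs collected by active polling
    {"ts": "2020-11-03T09:12:04", "asset": "PLC-07", "event": "program_download"},
    {"ts": "2020-11-03T23:41:09", "asset": "PLC-12", "event": "program_download"},
    {"ts": "2020-11-04T02:05:00", "asset": "PLC-03", "event": "program_download"},  # missed on the wire
]
WORK_ORDERS = [      # approved maintenance windows per asset (constructed)
    {"asset": "PLC-07", "start": "2020-11-03T08:00:00", "end": "2020-11-03T12:00:00"},
    {"asset": "PLC-03", "start": "2020-11-04T01:00:00", "end": "2020-11-04T03:00:00"},
]
parse = datetime.fromisoformat

def in_approved_window(asset, ts, work_orders):
    """Was there an open work order for this asset when the download happened?"""
    t = parse(ts)
    return any(wo["asset"] == asset and parse(wo["start"]) <= t <= parse(wo["end"])
               for wo in work_orders)

def corroborated(event, other_source, tolerance=timedelta(seconds=30)):
    """Did the other source log the same event on the same asset? Device logs lag the
    network slightly, so timestamps only need to agree within the tolerance."""
    t = parse(event["ts"])
    return any(e["asset"] == event["asset"] and e["event"] == event["event"]
               and abs(parse(e["ts"]) - t) <= tolerance for e in other_source)

def verdict(scheduled, seen_twice):
    if not scheduled:
        return "investigate: download outside any approved work order"
    if not seen_twice:
        return "review: scheduled, but only one data source saw it"
    return "expected: scheduled and corroborated"

def review_downloads(network_events, controller_logs, work_orders):
    """One finding per program download, merged across both sources."""
    findings = []
    def add(e, source, seen_twice):
        scheduled = in_approved_window(e["asset"], e["ts"], work_orders)
        findings.append({"asset": e["asset"], "ts": e["ts"], "source": source,
                         "corroborated": seen_twice, "scheduled": scheduled,
                         "verdict": verdict(scheduled, seen_twice)})
    for e in network_events:
        if e["event"] == "program_download":
            add(e, "network", corroborated(e, controller_logs))
    for e in controller_logs:  # controller-only events are the ones the network sensor missed
        if e["event"] == "program_download" and not corroborated(e, network_events):
            add(e, "controller", False)
    return findings
```

Running `review_downloads(NETWORK_EVENTS, CONTROLLER_LOGS, WORK_ORDERS)` yields one expected download, one unscheduled download seen by both sources, and one scheduled download the network sensor never saw.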
Growing Threats for Industrial Control Systems
When cyber criminals target industrial control systems, they can cause catastrophic power shutdowns. For example, the series of attacks on portions of the Ukrainian power grid in 2015 and 2016, which left control centers nationwide not fully operational for months, set an ominous precedent for power grid security.
Otis Alexander, a MITRE principal cybersecurity engineer, is co-creator of ATT&CK for ICS and has led the project since its inception. “After the Ukrainian incidents, demand to understand how the ATT&CK structure and methodology could be applied to the ICS tech domain began to grow,” says Alexander. “Immediately, we challenged ourselves to investigate how well attacks against industrial control systems map to the existing knowledge base.”
ATT&CK for ICS shines a light on threats resulting from attacks on systems that help operate key industrial processes. Because system operators use specialized applications and protocols to interface with physical equipment, ATT&CK for ICS highlights their unique aspects and potential vulnerabilities.
For defenders, ATT&CK for ICS helps establish a standard language for security experts to use as they report incidents and work to improve incident response.
The result? A big win for frontline ICS network defenders. With a common lexicon for categorizing ICS-specific cyber threats and techniques, ATT&CK for ICS helps support reporting and further analysis—and, ultimately, a safer infrastructure.
“ATT&CK for ICS captures and defines distinctions in ICS environments, from tactics and techniques to domain-specific assets and technology,” Alexander explains. “It’s this focus that defines ATT&CK for ICS as a unique and vital knowledge base in the ATT&CK ecosystem.”
ATT&CK: Always Evolving to Protect Crucial Systems
MITRE ATT&CK is constantly being reimagined based on the latest cybersecurity threats and trends. And ATT&CK continues to set the standard by which industry leaders and major corporations evaluate their cyber defense effectiveness.
Organizations such as Microsoft, McAfee, BlackBerry, and CrowdStrike have publicly highlighted their performance in MITRE ATT&CK Evaluations to add credibility to their cybersecurity products and services. Alex Stamos, former chief security officer of Facebook, called ATT&CK “an extremely useful resource for companies trying to explore all of the areas they should be considering.”
Cyber adversaries threaten nearly every part of our lives. From election security to medical information to financial institutions to critical infrastructure, understanding how adversaries attempt to infiltrate targets has made users safer and more secure. Every single day, these threats become more sophisticated and targeted.
By getting ahead of the threats with ATT&CK for ICS, critical infrastructure providers can focus on improving their services and protecting their employees instead of being forced to pay out millions of dollars to remediate damages.
“As more organizations adopt ATT&CK for ICS, existing uses will further develop and new ones may arise, to the benefit of the entire ICS community,” says Alexander. “We want users to have confidence in the knowledge base, understand how to use it, and recognize how they can shape its growth.”