How to model an attack on an Industrial Control Systems (ICS)

0
40

Attacks on OT (Operational Technology) systems are made easier due to the OT/IT convergence.

The figure below is showing an example of OT/IT convergence.

Attacks on OT and ICS systems are modeled by the ICS Cyber Kill Chain and the MITRE ATT&CK for ICS Matrix described below.

ICS Cyber Kill Chain

Published by SANS in 2015 by Michael Assante and Robert M. Lee as an adaptation of the traditional cyber kill chain developed by Lockheed Martin analysts as it applied to ICSs.

The ICS Cyber Kill Chain details the steps an adversary must follow to perform a high‐confidence attack on the ICS process and/or cause physical damage to equipment in a predictable and controllable way.

ICS Cyber Kill Chain has Two stages:

  • Stage 1 : Cyber Intrusion Preparation and Execution – « IT »
  • Stage 2 : ICS Attack Developpement and Execution – « OT »

ICS Cyber Kill Chain mapped to the ICS Zoned Architecture

ICS Zoned Architecture (left) : This is the Purdue Model for ICS Security

Cyber Kill Chain for Industrial Control Systems (right) : This is an ICS Attack as Cascading Events

The ICS Cyber Kill Chain is a powerful approach for Neutralizing a Cyber Attack reducing ICS cyber risk. Security Engineering has the challenge to Kill the Kill Chain

ICS Cyber Kill Chain applied to STUXNET

The figure below is the ICS Cyber Kill Chain applied to STUXNET

About the MITRE ATT&CK for ICS Matrix

To go futhermore convergence of IT and OT, and the concept of ICS (Industrial Control System), you can also have a look on the MITRE ATT&CK for ICS Matrix.

The MITRE ATT&CK for ICS Matrix is an overview of the tactics and techniques described in the ATT&CK for ICS knowledge base. It visually aligns individual techniques under the tactics in which they can be applied.

The MITRE ATT&CK for ICS matrix (Source: https://collaborate.mitre.org/attackics/index.php/Main_Page)

Mapping of Stuxnet attack on the ATT&CK for ICS matrix

Below is the mapping of Stuxnet attack on the ATT&CK for ICS matrix (Than’ks to Airbus Cybersecurity). « Mapping Stuxnet to the ATT&CK for ICS matrix, as shown in figure 3, quickly shows how complex this attack was. Business risk owners can now identify which techniques to focus on if they need to minimise the risk from strikes like Stuxnet. »

Mapping of Stuxnet on the ATT&CK for ICS matrix (Source: https://airbus-cyber-security.com/mitre-attck-for-ics-everything-you-need-to-know/)

Threat modeling on OT, ICS and embedded systems

MITRE released in May 2024, the EMB3D™ model, a Cybersecurity Threat Model dedicated for Embedded Devices.

EMB3D is aligned with and expands on several existing models, including Common Weakness EnumerationMITRE ATT&CK®, and Common Vulnerabilities and Exposures, but with a specific embedded-device focus. The threats defined within EMB3D are based on observation of use by threat actors, proof-of-concept and theoretical/conceptual security research publications, and device vulnerability and weakness reports. These threats are mapped to device properties to help users develop and tailor accurate threat models for specific embedded devices.

To go furthermore

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.