Edge Cyber Threats: A Report

In 2018, Symantec reported a 600% increase in attacks on IoT/Edge devices along with a 29% increase in attacks on industrial control systems (ICS).
These attacks put the Edge at the center of a cybersecurity struggle that pits sophisticated attackers against a set of highly valuable targets. Prudent leaders in both the private and public sectors should develop proactive defense strategies to protect their critical assets.

Real World Edge Attack: TRITON
In December 2017, a Saudi Arabian oil and gas petrochemical facility experienced a safety system shutdown as the result of a malware attack. The malware, named TRITON (also known as TRISIS or HatMan), directly attacked a Safety Instrumented System (SIS). An SIS is the last line of automated safety defense for an industrial facility, designed to prevent equipment failure and catastrophic incidents such as explosions or fire.
SIS use a special type of PLC (Programmable Logic Controller) designed with predictability and reliability in mind. They include multiple main processors, built-in diagnostics, redundancy management systems, and failure detection for inputs and outputs. The attack reprogrammed the facility’s SIS controllers, causing them to enter a failed state and triggering an automatic shutdown of the industrial process.
The SIS that was attacked was a Triconex Safety Instrumented System from Schneider Electric. This type of SIS is commissioned in a consistent way across many industries and is widely used.
It’s a golden age to be an attacker against critical infrastructure. If you are in critical infrastructure you should plan to be targeted. And if you are targeted, you will be compromised. It’s that simple.
Since 2000, the cybersecurity firm FireEye has identified more than 1,700 publicly disclosed industrial control system vulnerabilities. Nearly all of these, more than 1,550, have been discovered since 2010.

Patching these systems is a real challenge, since many ICS and Edge vendors are slow to provide patches. One-third of these ICS vulnerabilities had no vendor fix. Operators are also slow to apply fixes when they are available, given the risk of instability and downtime when a patch is loaded.

Real World Edge Attack: INDUSTROYER
On Dec. 23, 2015, three Ukrainian electricity distributors were compromised by a cyber attack. The attackers gained access to the distributors’ systems and triggered power outages across three regions in western Ukraine, systematically shutting down the flow of electricity. They then used two previously unknown vulnerabilities (zero-day vulnerabilities) to inhibit the utilities’ ability to restore power and maintain control of the grid.
Then, on Dec. 17, 2016, attackers used a tool called INDUSTROYER to turn off electrical power to Kiev, the capital of Ukraine. These attacks targeted a vulnerability in Siemens SIPROTEC 4 and SIPROTEC Compact devices, as well as ABB MicroSCADA software.
INDUSTROYER is notable for its use of four payload components, which are designed to gain direct control of switches and circuit breakers at an electricity distribution substation.

Source: ICS-CERT 2/11/2019

Sources: Cisco, Ponemon Institute, M-Trends, CyberX, Symantec