What’s New in Process Technology May 2016


THE CONTROL SYSTEM KILL CHAIN

Glenn Johnson, Editor

UNDERSTANDING EXTERNAL ICS CYBER THREATS — PART 2

Greater connectivity between industrial control systems, business IT systems and the internet promises to provide great advances in industrial efficiency — but comes with greater cybersecurity risk.

In Part 1 of this article, which reviewed some of the currently published literature on ICS cyber threats, the types of advanced threats facing Australian industrial businesses were examined in the light of current industry trends, and the concept of the intrusion kill chain was introduced.

The intrusion kill chain

To recap, it is important to understand in a general sense the process an adversary may take to achieve their goal. In Part 1, the military concept of a kill chain was defined as follows [1]: “A kill chain is a systematic process to target and engage an adversary to create desired effects. US military targeting doctrine defines the steps of this process as find, fix, track, target, engage, assess (F2T2EA): find adversary targets suitable for engagement; fix their location; track and observe; target with suitable weapon or asset to create desired effects; engage adversary; assess effects…” It is called a chain because it is an end-to-end process: a failure at any one link interrupts the whole process, which is exactly what gives the defender leverage.

Hutchins et al (2010) [1] proposed a seven-step kill chain model specifically for describing cyber intrusions, with the steps defined as reconnaissance, weaponisation, delivery, exploitation, installation, command and control (C2) and actions on objectives (exploitation and installation are treated together below):

• Reconnaissance: At this point the intruder is researching, identifying and selecting targets. These steps can be difficult to detect because they may be as simple as crawling websites, mailing lists, forums and blogs, exploiting social relationships, or researching the technologies the target uses.

• Weaponisation: Today this usually means coupling a remote-access tool (a bot or RAT) with an exploit into a deliverable payload. The weaponised deliverable may be as simple as a PDF, a Word document or malicious code behind a URL link. This step also happens outside the target’s view.

• Delivery: This is the transmission of the ‘weapon’ to the target environment. Currently the three most common forms of delivery are email attachments, website links and USB removable media; it is the first step at which the defender normally has a chance to observe or block the intrusion.

• Exploitation and installation: After the weapon has been delivered, its code is triggered. It may exploit a vulnerability in the target system or simply deploy itself and connect back to the adversary for further commands, establishing a persistent presence inside the target environment.

• Command and control (C2): Once a presence has been established, the implant connects back to adversary-controlled infrastructure, and through that channel the adversary has effective ‘hands-on’ control of the compromised system.

• Actions on objectives: Only when this step has been reached can the adversary act on their original objectives. In most cases this involves covert data exfiltration (theft), but the compromised system may instead serve simply as a hop for moving laterally to other systems inside the network, or through to a partner network.
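As an added example, not code from the original article, the following Python script maps a handful of constructed log events (a macro-enabled attachment arriving at a mail gateway, Word spawning PowerShell on an engineering workstation, an autorun entry, a periodic outbound beacon, and a write to an HMI project file) onto the Hutchins et al phases listed above. It then reports which phases the defender had no visibility of and the earliest observed link at which the chain could have been broken. The event formats, the hostnames ENG-WS01 and HMI-01, the domains, the matching rules and the suggested courses of action are all assumptions made for the illustration.

```python
"""Map constructed ICS endpoint/network events onto the intrusion kill chain.

Added example, not from the original article. Event formats, hostnames,
domains, matching rules and courses of action are assumptions made for the
illustration.
"""
import re

# Hutchins et al phases, in chain order.
PHASES = [
    "reconnaissance", "weaponisation", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Constructed sample events (not real logs): one plausible intrusion into an
# engineering workstation that ends with a write to an HMI project file.
SAMPLE_EVENTS = [
    "2016-05-02T08:01:10 mailgw attachment=Invoice_Q2.docm sender=ext@partner.test recipient=ops.eng@plant.test",
    "2016-05-02T08:03:44 endpoint=ENG-WS01 process=WINWORD.EXE spawned child=powershell.exe",
    r"2016-05-02T08:03:50 endpoint=ENG-WS01 registry Run key added value=updater path=C:\Users\ops\AppData\Roaming\upd.exe",
    "2016-05-02T08:04:02 proxy src=ENG-WS01 dst=cdn-update.example.test:443 bytes_out=512 interval=60s",
    r"2016-05-02T09:15:30 smb src=ENG-WS01 dst=HMI-01 action=write file=\\HMI-01\c$\project\plc_logic.acd",
]

# Assumed detection rules; the first pattern that matches decides the phase.
# Reconnaissance and weaponisation have no rule because they normally happen
# outside the defender's visibility.
RULES = [
    ("delivery", re.compile(r"attachment=\S+\.(docm|xlsm|pdf|exe|scr)\b|usb_insert|url_click", re.I)),
    ("exploitation", re.compile(r"process=(WINWORD|EXCEL|AcroRd32)\S* spawned child=", re.I)),
    ("installation", re.compile(r"registry Run key added|service created|scheduled task created", re.I)),
    ("command_and_control", re.compile(r"proxy .*interval=\d+s", re.I)),
    ("actions_on_objectives", re.compile(r"action=write file=.*\.(acd|l5k|rss)\b|dst=(HMI|PLC)", re.I)),
]

# Assumed defensive course of action for each phase a defender can usually see.
COURSES_OF_ACTION = {
    "delivery": "strip or sandbox macro-enabled attachments at the mail gateway",
    "exploitation": "block Office applications from spawning script interpreters",
    "installation": "alert on new autorun entries on engineering workstations",
    "command_and_control": "egress-filter the control network; alert on periodic beacons",
    "actions_on_objectives": "restrict and log writes to HMI/PLC project shares",
}


def classify(event):
    """Return the kill chain phase an event indicates, or None if no rule matches."""
    for phase, pattern in RULES:
        if pattern.search(event):
            return phase
    return None


def observed_chain(events):
    """Phases for which at least one event was seen, in kill chain order."""
    seen = {classify(e) for e in events} - {None}
    return [p for p in PHASES if p in seen]


def unobserved_phases(events):
    """Phases with no supporting event: the defender's visibility gaps."""
    seen = set(observed_chain(events))
    return [p for p in PHASES if p not in seen]


def earliest_break(events):
    """Earliest observed phase; stopping the intrusion there stops all later phases."""
    chain = observed_chain(events)
    return chain[0] if chain else None


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{str(classify(e)):24} {e}")
    print("observed  :", observed_chain(SAMPLE_EVENTS))
    print("unobserved:", unobserved_phases(SAMPLE_EVENTS))
    phase = earliest_break(SAMPLE_EVENTS)
    print(f"break at  : {phase} -> {COURSES_OF_ACTION[phase]}")
```

Run as a script, the two phases reported as unobserved are reconnaissance and weaponisation, which is the normal case: evidence for those links usually has to come from shared threat intelligence rather than the site's own logs. The earliest observed link here is delivery, so the mail gateway control is the one that would have cut the whole chain; the rules are deliberately simple string matches and a real deployment would implement the same mapping in the SIEM's own correlation language.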

