Boosting OT Security with Cyber Deception
The aim of this article is to present a couple of use cases where deception technologies can be used to provide an extra dimension to Operational Technology (OT) networks. Firstly, we need to define exactly what we mean by an OT network.
An OT network is the information infrastructure deployed for non-IT systems. These can be as varied as oil-well head pumps to medical devices; machine-tools to power station control networks. These, typically industrial systems rely on communication networks to relay operational data, which can be as complex as full management of a production line to a simple open/closed status of a fluid control valve.
Many of these networks use communication protocols that are specific to the system being managed, or more common protocols such as Modbus-Over-Ethernet.
The word acronym SCADA (Supervisory Control And Data Acquisition) is another term associated with OT networks. SCADA describes an architecture for industrial control systems, typically linking a Human-Machine Interface (HMI) to Programmable Logic Controllers (PLCs) to send and receive controls signals. For example, in the case of an industrial oven, PLCs are used to control the valves for the gas burners. The temperature of the oven is measured by sensors in the oven and displayed on the HMI. The HMI allows the operator to send signals to the PLCs to open or close the gas valves to raise or lower the temperature of the oven. This process would normally be automated and monitored through the HMI.
There is another key characteristic of OT networks: they are critical, occasionally fragile, and often employ obsolete IT technology. Industrial machines can have an operational life of many years. This means that there are systems in the wild that are using operating systems that are no longer supported by the manufacturer. Additionally, many HMI systems run on bare-bones operating systems and hardware that has been “optimised” to be the minimum necessary. This often means patches are not compatible, or you have to wait months for an “HMI compatible” patch to be made available by the manufacturer. In a real-life case, a multi-million-dollar device was supplied that required access to the local IT network to transfer work files. As part of their security policy the customer installed an endpoint anti-virus solution, and then watched as the device ground to a halt! The system requirements of the AV pushed the onboard HMI over the limit and the device crashed… This brings up a policy that exists in many OT networks: “If it’s working, for heaven’s sake don’t touch it!"
OK, so what do we do? There are many ways to secure OT networks, but as we mentioned before, this article is about how deception technologies, and specifically the CounterCraft Cyber Deception Platform can be used to add zero impact security and gather valuable first-hand threat intel on those who are targeting your OT systems. The following attack scenarios offered here can equally be applied to internal or external attacks.
Deception Campaigns
The following campaigns can be used individually or as a phased deception deployment.
Stage One
The idea behind this campaign is to detect anyone looking to gains access to the OT network from within. Stage one is to create a series of breadcrumbs that point to a portal or dual-homed machine that allows access to the OT network. The breadcrumbs can take multiple forms for example:
i) Credentials in the Active Directory Domain Controllers
ii) Documents in a shared folder such as deployment guides, or access instructions with credentials
iii) SCF files within the shared folders
iv) RDP links to the dual homed device or access portal
This is a good example of a mix of active and passive breadcrumbs. The passive breadcrumbs are snippets of data like the credentials, that by themselves do not do anything, but are a powerful bait to lead the adversary deeper into the deception. The SCF files and fake documents are active documents - not only to they provide bait to lure the adversary deeper, but they also call home when they are touched, to provide an instant alert that the adversary has opened a particular folder or has opened a particular document. The active breadcrumbs provide detailed threat intel by collecting data from the adversary such as connecting IP address, IP ASN, user agent, OS, cookies, etc.
Both of these deception techniques are useful to build a picture of what the goals of the adversary are. For example, we can set up the folder structure to provide choices. By mapping which folders were opened first, you can gain insight into what the attacker is looking for: manufacturing drawings, process data, or just access?
The web portal itself is a dead-end, but we can register the login data and track the credentials used to identify where they were discovered by the adversary, providing additional data to track the attack path and identify the point of compromise.
This is a basic level campaign that is straightforward to deploy, but that provides valuable threat intelligence.
Stage Two
If the stage one campaign is getting hits, the next stage is to amplify the deception. We do this by give the adversary what they are looking for - a fully instrumented HMI. For the deception to be credible, the ideal is to use the same HMI software that is used in production. Using the Cyber Deception Platform, it is an easy task to instrument a pre-configured HMI server, or build one from scratch. We can use similar breadcrumbs to those deployed in Stage One to attract the adversary.
Now, when the adversary accesses the web portal to the OT network, they will be able to access the deception HMI. As the HMI service is running on a fully instrumented deception host, all adversary interaction will be captured and sent to the CounterCraft CDP. In this way we capture a full record of exactly what the adversary does, and the full telemetry collected.
This is an intermediate level campaign.
Stage Three
The idea behind stage three is to expand on the deception created for Stage Two by providing a fully instrumented OT environment to access and explore. Having gained access to the HMI server, the next step would be for the adversary to try to traverse the OT network. The design of Stage Three provides a series of PLC devices with which they can interact. Using the full OT possibilities of the Cyber Deception Platform we can set up a series of emulated PLCs and even deploy an SQL server to act as a historian. This provides a fully populated OT environment for the adversary to explore. Using the Conpot PLC emulators we can set up devices within the network that react in the same way as a PLC. The PLCs react in the same way if interrogated. The SQL database of the historian can even be used to lead to other deception hosts, deeper within the deception environment in order to maximise the adversary dwell time.
Depending on the design of the campaign, it’s possible to react automatically to adversary behaviour using rules-based responses. In this way, if an adversary exhibits a particular form of behaviour the deception environment can be modified on-the-fly to add more aspects to the environment or to add increased credibility. For example, if the adversary were to perform a port scan, new virtual machines could be activated to increase the scope to the environment and to increase the time the adversary interacts with the deception. The longer they are held within the deception environment, the longer we can observe their tactics, techniques, and procedures (TTPs) and the more time we have to perfect our response.
This is an advanced level campaign.
The Future
The CounterCraft Cyber Deception Platform is a constantly evolving solution. We are always looking to improve our deception coverage and to increase the credibility of our deception environments, and to simplify deployment. The next step within the area of OT networks will be the ability to reply process data replay to bring additional credibility, and even to simulate real processes.
Conclusion
We have seen with these examples that using deception, it is possible to detect malicious activity, collect valuable threat intel and also create and respond to adversary activity in real time.
All of this is achieved with zero impact on existing systems, and zero risk to business continuity.
Any deployments of this sort would be carried out in full cooperation with CounterCraft or one of our trusted Partners. It goes without saying that as OT is such a critical component, protecting it correctly is key. Using deception technology provides an effective way to add an extra layer of protection to your existing security systems.
Next Steps
Find out more by contacting CounterCraft. We are only too happy to explain what we do and how we can help you get the best out of deploying deception – from an initial conversation or simple demo, to a fully featured deployment: https://www.countercraftsec.com/contact.html