IIOT, ICS & SCADA
Security Glossary

Until recently, most operational technology (OT) networks were considered air-gapped — that is, disconnected from the Internet and corporate IT networks. However, IT/OT convergence — driven by modern business initiatives such as SmartGrid and Industrie 4.0 — plus the need to remotely manage and monitor OT networks, has eliminated the air gap in the vast majority of organizations. In fact, ICS-CERT states that boundary protection has been the #1 weakness category for the past several years in a row.

BlackEnergy is a Remote Access Trojan (RAT) associated with the Sandworm team, which later evolved to be known as the TeleBots group. In December 2014, the ICS-CERT issued an alert entitled “Ongoing Sophisticated Malware Campaign Compromising ICS.” The alert stated that “ICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control systems (ICSs) environments using a variant of the BlackEnergy malware. Analysis indicates that this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on Internet-connected human-machine interfaces (HMIs)” including GE Cimplicity, Siemens SIMATIC WinCC, and Advantech/BroadWin WebAccess.

BlackEnergy3 is the variant of BlackEnergy used in the first Ukrainian grid attack which occurred in December 2015. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials, possibly for SSH access via the IT/OT firewall, as well as for cyber-reconnaissance and installation of further malware and backdoors. In May 2015, CyberX’s threat intelligence research team reverse-engineered Black Energy 3 (BE3) and found that it was designed to perform exfiltration of information from OT networks, specifically via RPC communication using named pipes over SMB. This capability would be especially useful during cyber-reconnaissance operations.

Operation BugDrop is a sophisticated large-scale cyber-reconnaissance operation discovered by CyberX’s threat intelligence research team in late 2016. The operation targets a broad range of critical infrastructure, scientific and media targets which are primarily located in the self-declared separatist states of Donetsk and Luhansk. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously “bug” its targets – and uses Dropbox to store exfiltrated data, CyberX named it “Operation BugDrop.” The operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screen shots, documents and passwords. Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer’s microphone without physically accessing and disabling the PC hardware. The malware uses encrypted DLLs to bypass common anti-virus and sandboxing programs, as well as Reflective DLL Injection, an advanced technique for injecting malware that was also used by BlackEnergy in the Ukrainian grid attacks and by Duqu in the Stuxnet attacks on Iranian nuclear facilities. It also uses legitimate free web hosting sites for its command-and-control infrastructure, a technique which makes it more difficult to identify their identities (compared to registering malicious domains, for example).

A cyber-physical system (CPS) is a mechanism controlled or monitored by computer-based algorithms, tightly integrated with the internet and its users. In cyber-physical systems, physical and software components are deeply intertwined, each operating on different spatial and temporal scales, exhibiting multiple and distinct behavioral modalities, and interacting with each other in a myriad of ways that change with context. Examples of CPS include the smart grid, autonomous automobile systems, medical monitoring, process control systems, robotics systems, and automatic pilot avionics.

CrashOverride, also referred to as Industroyer and first discovered by ESET, is targeted malware used during the second Ukrainian grid attack (December 2016). Its distinguishing characteristics are that it is autonomous and self-directed, making it much more scalable than attacker techniques used in the first Ukrainian grid attack, which relied on a remote desktop connection to a compromised HMI to manually control substation relays; it enumerates and subsequently hijacks ICS devices using their native ICS protocols (OPC, IEC 61850, IEC 104, etc.); and it has a modular and extensible architecture, so it can easily be adapted to other industrial verticals and protocols. Other modules include: an OPC module that creates “Denial of Visibility” to hamper troubleshooting; a wiper module that targets ABB PCM600 configuration files; and a DoS module that causes Siemens SIPROTEC digital relays to become unresponsive (exploiting CVE-105-5374). The 2016 attack cut power to 100,000 people in Kiev during the middle of winter, and is considered by some to have been a large-scale test of cyber capabilities. CrashOverride/Industroyer is the first ever known malware specifically designed to attack electrical grids.

The importance of implementing stronger SCADA security has been getting attention as we learn about more and more successful attacks on SCADA systems in industrial and critical infrastructure organizations. Cyber-adversaries now have the necessary resources and tools to launch more sophisticated ICS/SCADA attacks, including ransomware attacks that can cost impacted organizations millions of dollars per hour. The business impact can also include catastrophic safety failures and environmental release of hazardous materials, leading to potential compliance violations and lawsuits.

Cyberwarfare involves the use and targeting of computers and networks in warfare. It involves both offensive and defensive operations pertaining to the threat of cyberattacks, espionage and sabotage. There has been controversy over whether such operations can duly be called “war”. Nevertheless, many nations have been developing their capabilities and engaged in cyberwarfare either as an offender, victim, or both.

A distributed control system (DCS) is a computerized control system for a process or plant, in which autonomous controllers are distributed throughout the system, but there is central operator supervisory control. This is in contrast to non-distributed control systems that use centralized controllers; either discrete controllers located at a central control room or within a central computer. The DCS concept increases reliability and reduces installation costs by localizing control functions near the process plant, but enables monitoring and supervisory control of the process remotely. Distributed control systems first emerged in large, high value, safety critical process industries, and were attractive because the DCS manufacturer would supply both the local control level and central supervisory equipment as an integrated package, thus reducing design integration risk. In the discussion of DCS vs SCADA it should be noted that today, the functionality of SCADA and DCS systems are very similar, but DCS tends to be used in large continuous process plants where high reliability and security is important, and the control room is not geographically remote.

In June 2014, Symantec published a blog post and report about the Dragonfly group (also known as Energetic Bear). Among the targets of Dragonfly were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers. The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland. Dragonlfy has been in operation since at least 2011 but may have been active even longer than that. Dragonfly initially targeted defense and aviation companies in the US and Canada before shifting its focus to US and European energy firms in early 2013. The group also targeted the update sites of suppliers of industrial control systems; three different ICS equipment providers were targeted and malware was inserted into the software bundles they had made available for download on their websites. Dragonfly has also used spam email campaigns and watering hole attacks to infect targeted organizations. Dragonfly’s favored malware tool is Backdoor.Oldrea, also known as Havex or the Energetic Bear RAT. Oldrea acts as a back door for the attackers on to the victim’s computer, allowing them to extract data and install further malware. According to SANS, the group also targeted the intellectual property of pharmaceutical organizations, such as proprietary recipes and production batch sequence steps, as well as network and device information indicating manufacturing plant volumes and capabilities. The Dragonfly malware contained an Industrial Protocol Scanner module that searched for devices on TCP ports 44818 (Omron, Rockwell Automation), 102 (Siemens) and 502 (Schneider Electric). These protocols and products have a higher installed base in packaging and manufacturing applications typically found in industries such as the pharmaceutical industry.

Uncovered by Symantec in September 2017, Dragonfly 2.0 is a campaign that targets energy companies in the U.S., Turkey, and Switzerland, with traces of activity in organizations outside of these countries. As it did in its prior campaign between 2011 and 2014, Dragonfly 2.0 uses a variety of infection vectors in an effort to gain access to a victim’s network, including malicious emails, watering hole attacks, and Trojanized software. The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations. The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational technology (OT) networks, access that could be used for more disruptive purposes in future. Symantec has issued private warnings to more than 100 energy companies and organizations, including the North American Electricity Reliability Corporation (NERC) and the US Department of Homeland Security (DHS). The Dragonfly 2.0 campaign is believed to have begun in December 2015.

General Electric (GE) is an American multinational conglomerate corporation incorporated in New York and headquartered in Boston, Massachusetts. GE Digital’s main HMI/SCADA products for ICS environments include iFix (formerly Proficy HMI/SCADA), Cimplicity, and Workflow (formerly Proficy Workflow). The company also offers a range of PLC and DCS systems, and developed the proprietary GE-SRTP protocol (Service Request Transport Protocol) for transfer of data from PLCs to HMIs over Ethernet.

In December 2016, the DHS/FBI released a report entitled “GRIZZLY STEPPE – Russian Malicious Cyber Activity” (JAR-16-20296). The report stated that Russians launched attacks on “critical infrastructure entities” in the US and “conducted damaging and/or disruptive cyber-attacks” on critical infrastructure networks in other countries. The report was published in conjunction with financial sanctions and ejections imposed on Russian intelligence operatives and private companies that supported the hacking operations.

Havex is a Remote Access Trojan (RAT). According to ICS-CERT, the update sites of three ICS vendors were infected with the Havex Trojan in 2014, which allowed attackers to access the ICS/SCADA networks of systems that installed the trojanized software. The Havex RAT communicates with a C&C server that can deploy payloads with additional functionality. One of the payloads enumerates all connected network resources such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system resources within the network. In particular, the payload gathers server information that includes Class Identification (CLSID), server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth, in addition to enumerating OPC tags such as tag name, type, access, and id.

A human-machine interface (HMI) is the user interface that connects an operator to the controller for an industrial system. Industrial control systems (ICS) are integrated hardware and software designed to monitor and control the operation of machinery and associated devices in industrial environments, including those that are designated critical infrastructure. An HMI includes electronic components for signaling and controlling automation systems. Some HMIs also translate data from industrial control systems into human-readable visual representations of the systems. Through the HMI, an operator can see schematics of the systems and turn switches and pumps on or off, for example, or raise or lower temperatures. HMIs are usually deployed on Windows-based machines, communicating with programmable logic controllers (PLC) and other industrial controllers. HMIs pose a significant risk for ICS security because they cannot easily be patched, and often run on older versions of Windows that are no longer supported by Microsoft (such as XP). In addition, some HMI vendors do not allow organizations to install anti-virus or other endpoint security products on their HMI workstations.

A procedure designed to reveal hidden IIoT and ICS risks in OT networks such as malware, unauthorized Internet and remote access connections, weak authentication, unknown connections between subnets, vulnerable firewall rules, and insecure and rogue devices.

Ignition is an integrated software platform for SCADA systems released by Inductive Automation in January 2010. It is based on a cross-platform architecture that incorporates open technologies like Java, SQL, Python, and OPC UA and features an unlimited licensing model.

Industrial automation deals primarily with the automation of manufacturing, quality control and material handling processes. Automation has been achieved by various means including mechanical, hydraulic, pneumatic, electrical, electronic devices and computers, usually in combination. Complicated systems, such as modern factories, airplanes and ships typically use all these combined techniques. The benefit of automation include labor savings, savings in electricity costs, savings in material costs, and improvements to quality, accuracy and precision. The term automation, inspired by the earlier word automatic (coming from automaton), was not widely used before 1947, when Ford established an automation department.

Industrial control system Industrial control system (ICS) is a general term that encompasses several types of control systems and associated instrumentation used for Process control industrial process control. Such systems can range from a few modular panel-mounted controllers to large interconnected and interactive distributed control systems with many thousands of field connections. All systems receive data received from remote sensors measuring process variables (PVs), compare these with desired set points (SPs) and derive command functions which are used to control a process though the final control elements (FCEs), such as control valves. The larger systems are usually implemented by Supervisory Control and Data Acquisition (SCADA) systems, or distributed control systems (DCS), and programmable logic controllers (PLCs), though SCADA and PLC systems are scalable down to small systems with few control loops. Such systems are extensively used in industries such as chemical processing, pulp and paper manufacture, power generation, oil and gas processing and telecommunications. Most ICS systems were designed when the threat of cyberattacks was extremely low. As such, most ICS environments do not incorporate modern IT security controls such as strong authentication, asset inventory, regular patching, continuous monitoring, defense-in-depth and incident response.

Industrial cybersecurity refers to the application of security to OT (operational technology) environments. Successful cyberattacks — such as the NotPetya attacks on factories and logistics companies in June 2017; the destruction of a German steel mill in 2015; the attacks on the Ukrainian power grid during both 2015 and 2016; the malware infestation at the Gundremmingen nuclear plant in April 2016; and Stuxnet — are real-world examples of industrial cybersecurity incidents that have had major consequences on cyber-physical systems.

Industrial protocols, also referred to as SCADA protocols or ICS protocols, are communication network protocols used for process or industrial automation, building automation, substation automation, automatic meter reading and vehicle automation applications. Examples of industrial protocols include: Ethernet/IP, Profinet, DNP3, MODBUS, ICCP, ICMP, DNS, BACnet, GE-SRTP, Siemens S7, OPC, IEC-61850, and many more.

Industroyer, first discovered by ESET and also known as CrashOverride, is targeted malware used during the second Ukrainian grid attack (December 2016). Its distinguishing characteristics are that it is autonomous and self-directed, making it much more scalable than attacker techniques used in the first Ukrainian grid attack, which relied on a remote desktop connection to a compromised HMI to manually control substation relays; it enumerates and subsequently hijacks ICS devices using their native ICS protocols (OPC, IEC 61850, IEC 104, etc.); and it has a modular and extensible architecture, so it can easily be adapted to other industrial verticals and protocols. Other modules include: an OPC module that creates “Denial of Visibility” to hamper troubleshooting; a wiper module that targets ABB PCM600 configuration files; and a DoS module that causes Siemens SIPROTEC digital relays to become unresponsive (exploiting CVE-105-5374). The 2016 attack cut power to 100,000 people in Kiev during the middle of winter, and is considered by some to have been a large-scale test of cyber capabilities. CrashOverride/Industroyer is the first ever known malware specifically designed to attack electrical grids.

KillDisk is destructive disk-wiping malware that gained notoriety as a component of the successful attack against the Ukrainian power grid in December 2015. More recently, ESET researchers detected planned cyber-sabotage attacks against a number of different targets within Ukraine’s financial sector. Since then, KillDisk attack campaigns have continued, aimed at several targets in the maritime transport sector. In late 2016, CyberX’s threat intelligence team discovered that KillDisk had evolved into ransomware. This was a significant discovery because it was the first time we found evidence of ransomware entering the industrial domain (5 months before WannaCry and 6 months before NotPetya disrupted production operations at major manufacturers worldwide). It is believed that this ransomware variant was developed by the TeleBots gang, a group of Russian cybercriminals believed to have evolved from the Sandworm gang.

Machine-to-machine (M2M) communications is used for automated data transmission and measurement between mechanical or electronic devices. M2M communication has unique characteristics that can be modeled, with the appropriate M2M-specific algorithms, for ICS-specific behavioral analytics intended to detect anomalous behavior.

The NERC CIP (North American Electric Reliability Corporation critical infrastructure protection) plan is a set of requirements designed to secure the assets required for operating North America’s bulk electric system.

Network Visibility builds on the concepts and capabilities of Deep Packet Inspection (DPI), Packet Capture and Business Intelligence (BI). It examines, in real time, IP data packets that cross communications networks by identifying the protocols used and extracting packet content and metadata for rapid analysis of data relationships and communications patterns.

An incident that leads to an industrial process deviating from normal operation. The causes are varied and can include equipment malfunction, accidental or malicious misconfiguration, malware or a targeted cyberattack. Since operational incidents can have major consequences — including costly downtime, risks to human and asset safety, and environmental impacts — asset owners place a high value on anticipating them before they occur, and understanding their root cause after they have occurred.

An Operational Technology (OT) network, is comprised of computers (hardware and software) that monitor or modify physical processes or states of a system, in industrial and critical infrastructure facilities. It is distinguished from Information Technology (IT) which is typically used in corporate business networks.

Operational Technology security, or OT security, refers to security controls applied to the OT environment. It is distinguished from Information Technology (IT) security which is typically used in corporate business networks. Whereas IT security has traditionally been focused on Confidentiality, Integrity and Availability (CIA), OT security is focused on the same high-level principles but in a different priority order, namely: Availability (including safety), Integrity and Confidentiality.

A programmable logic controller (PLC), or programmable controller is an industrial digital computer which has been ruggedized and adapted for the control of manufacturing processes, such as assembly lines, or robotic devices, or any activity that requires high reliability control and ease of programming and process fault diagnosis. They were first developed in the automobile industry to provide flexible, ruggedized and easily programmable controllers to replace hard-wired relays and timers. Since then they have been widely adopted as high-reliability automation controllers suitable for harsh environments. A PLC is an example of a “hard” real-time system since output results must be produced in response to input conditions within a limited time, otherwise unintended operation will result.

Predictive maintenance techniques are designed to help determine the condition of in-service equipment in order to predict when maintenance should be performed. This approach promises cost savings over routine or time-based preventive maintenance, because tasks are performed only when warranted.

Rockwell Automation, Inc. (NYSE: ROK), is an American provider of industrial automation and information products. Brands include Allen-Bradley and Rockwell Software. Headquartered in Milwaukee, Wisconsin, Rockwell Automation employs over 22,000 people and has customers in more than 80 countries worldwide. The Fortune 500 company reported $6.35 billion in sales during fiscal 2013.

A Remote Terminal Unit is a microprocessor-controlled electronic device that interfaces objects in the physical world to a distributed control system or SCADA system by transmitting telemetry data to a master system, and by using messages from the master supervisory system to control connected objects. Other terms that may be used for RTU is remote telemetry unit or remote telecontrol unit.

The SCADA acronym stands for Supervisory control and data acquisition (SCADA), a control system architecture that uses computers, networked data communications and graphical user interfaces for high-level process supervisory management, but uses other peripheral devices such as programmable logic controllers and discrete PID controllers to interface to the process plant or machinery. The operator interfaces which enable monitoring and the issuing of process commands, such as controller set point changes, are handled through the SCADA supervisory computer system. However, the real-time control logic or controller calculations are performed by networked modules which connect to the field sensors and actuators. The SCADA concept was developed as a universal means of remote access to a variety of local control modules, which could be from different manufacturers but allowing access through standard automation protocols. In practice, large SCADA systems have grown to become very similar to distributed control systems in function, but using multiple means of interfacing with the plant. They can control large-scale processes that can include multiple sites, and work over large distances. SCADA is one of the most commonly-used types of industrial control systems.

An energy management system (EMS) is a system of computer-aided tools used by operators of electric utility grids to monitor, control, and optimize the performance of the generation and/or transmission system.

SCADA Engineers manage SCADA data and design, program and implement industrial controls and data points. SCADA jobs often require engineers to have analytical and problem-solving skills.

More and more control system and SCADA engineers are seeking SCADA security training in order to develop cybersecurity skills they need in order to address the new reality of cyberattacks targeting industrial and critical infrastructure facilities. The SANS Institute is one of the most respected training organizations offering these types of courses.

Schneider Electric (SE) is a French multinational corporation that specializes in energy management and automation solutions, spanning hardware, software, and services. Headquartered in France, the company has offices throughout the world. A Global 500 company, Schneider Electric is publicly traded on the Euronext Exchange and is a component of the Euro Stoxx 50 stock market index. In FY2016, the company posted revenues of about €25 billion. “Citect SCADA is a reliable, flexible and high performance Supervisory Control and Data Acquisition (SCADA) software solution for industrial process customers.”

Siemens SCADA systems include brands such as SIMATIC WinCC.

Situational awareness or situation awareness (SA) is the perception of environmental elements and events with respect to time or space, the comprehension of their meaning, and the projection of their status after some variable has changed, such as time, or some other variable, such as a predetermined event. It is also a field of study concerned with gaining an understanding of the environment critical to decision-makers in complex, dynamic areas from aviation, air traffic control, ship navigation, power plant operations, military command and control, and emergency services such as fire-fighting and policing; to more ordinary but nevertheless complex tasks such as driving an automobile or riding a bicycle. More recently, it has been applied to cybersecurity in terms of being continuously aware of threats and vulnerabilities that can compromise the environment.

A finite-state machine (FSM) is a mathematical model of computation. It is an abstract machine that can be in exactly one of a finite number of states at any given time. The FSM can change from one state to another in response to some external inputs; the change from one state to another is called a transition. A FSM is defined by a list of its states, its initial state, and the conditions for each transition. The behavior of state machines can be observed in many devices in modern society that perform a predetermined sequence of actions depending on a sequence of events with which they are presented. Examples are vending machines, which dispense products when the proper combination of coins is deposited, elevators, whose sequence of stops is determined by the floors requested by riders, traffic lights, which change sequence when cars are waiting, and combination locks, which require the input of combination numbers in the proper order. A state machine model is a behavioral software design pattern that implements a state machine in an object-oriented way. OT networks can be modeled as state machines for purposes of detecting anomalous behavior. This is the core concept behind CyberX’s patent-pending Industrial Finite State Modeling (IFSM) technology. This unique machine learning technology enables the CyberX platform to immediately detect any anomalous or unauthorized activity with minimal false positives.

Stuxnet is a malicious computer worm, first identified in 2010, that targets industrial computer systems and was responsible for causing substantial damage to Iran’s nuclear program. The worm is believed to have been introduced into Iran’s air-gapped ICS networks via infected laptops and USB drives. It leveraged eight different propagation mechanisms, including four zero-day vulnerabilities. Stuxnet specifically targeted Siemens Step 7 and WinCC software and Simatic S7-300 PLCs that were being used in Iran’s nuclear facilities, causing the fast-spinning nuclear centrifuges to tear themselves apart.

PLC is an actual hardware device used to read field sensors (physical signal), and deliver the controlled output. SCADA is the software that is interfaced to the PLC, in order to monitor, control and acquire data from remote locations.

The TRITON malware was identified by FireEye/Mandiant in December 2017. It is believed to have been deployed in Saudi Arabia where it shut down a facility by triggering the Safety Instrumented System (SIS) that provides automatic emergency shutdown of plant processes, such as an oil refinery process that exceeds safe temperatures or pressures. The likely intent of such an approach would be to disable the safety system in order to lay the groundwork for a 2nd cyberattack that would cause catastrophic damage to the facility itself, potentially causing large-scale environmental damage and loss of human life. TRITON is considered a watershed attack because it: • Exposed SIS controllers as a new class of target for attackers seeking to compromise industrial operations. • Exhibited an entirely new level of Stuxnet-like sophistication. In particular, the attackers exploited a zero-day in the PLC firmware in order to inject a Remote Access Trojan (RAT) with escalated privileges into the firmware memory region of the controller — without interrupting its normal operation and without being detected. CyberX believes the purpose of the RAT was to enable persistent access to the controller, even when the physical memory-protection key was turned to RUN mode — which is designed to prevent unauthorized updates to the PLC code — rather than PROGRAM mode. • Although TRITON was a targeted attack specifically designed to compromise a particular model and firmware revision level of SIS devices manufactured by Schneider Electric, the tradecraft exhibited by the attackers is now available to other adversaries — who can quickly learn from it to design similar malware attacking a broader range of environments, controller types, and industrial automation manufacturers. Other researchers re-named the malware to TRISYS or HatMan (DHS). You can read CyberX’s analysis of the malware here.

Wonderware is a brand of industrial HMI software sold by Schneider Electric. Wonderware was part of Invensys plc, and Invensys plc was acquired in January 2014 by Schneider Electric.