It's relatively hard for malware authors to write industrial control system (ICS)-specific malware. Compared with traditional IT malware, compromising ICS requires considerably more effort, for several reasons.
First, attackers need to understand the target environment. Since ICS facilities are far more heterogeneous than IT environments, attackers typically have to tailor their attack to a specific target and gather intelligence on that specific site.
Second, the attacker must understand the process they are targeting. Malware authors are typically not domain experts in metallurgy, energy production, or water desalination, so they must work with subject matter professionals to understand the underlying physical process if they wish to tamper with it.
Third, ICS environments contain plenty of safety systems designed to prevent operators from making costly mistakes. Those systems are also relevant for containing cyberattacks, since they enforce controls over dangerous physical abnormalities.
Seven ICS-Centered Malware Families
Despite that, we have already seen seven malware families that specifically target ICS environments. Here is a brief historic overview of ICS-specific malware:
- Stuxnet (2010): Stuxnet was the first ICS malware found in the wild. It targeted the centrifuges in Iranian nuclear facilities, with the goal of inflicting physical damage by altering their rotation speed. It was considered novel at the time, and introduced malicious techniques that adversaries still use today, outside ICS environments as well, such as process hollowing and persistence using WMI event consumers.
- Havex (2013): Havex (aka Dragonfly) was spotted in 2013 as part of a wide-scope industrial espionage campaign. The threat actors behind Havex infected their targets with several techniques, including phishing emails, as well as compromising the websites of several ICS equipment vendors and replacing legitimate vendor software updates with malicious versions. When victims downloaded the trojanized updates, they were infected with Havex, which allowed the threat actors to access infected networks remotely and harvest data from infected machines.
- BlackEnergy2/3 (2014–2015): A year later, the BlackEnergy2 malware emerged. In 2014, the US Department of Homeland Security disclosed that it had been compromising the software controlling several pieces of vital national infrastructure, including nuclear power plants, electric grids, water purification systems, and oil and gas pipelines. A non-ICS-specific variant, BlackEnergy3, was later used as part of a 2015 campaign against the networks of Ukrainian energy companies. For both variants, after establishing a foothold within the target, the attackers needed to traverse the network and cause damage manually.
- Industroyer/Crashoverride (2016): Unlike BlackEnergy2, which was used mainly to gain a foothold within the ICS and explore industrial processes, the purpose of the Crashoverride malware is to disrupt electric grid operations automatically, without the attackers needing to be "hands on the keyboard" during the attack. To accomplish that, it was coded to communicate with target equipment using ICS-specific protocols and interact with grid equipment directly.
- Trisis/Triton (2017): As mentioned earlier, ICS facilities are equipped with safety instrumented systems (SIS) that automatically kick in as fail-safe measures once the underlying kinetic process displays dangerous behavior. For example, safety valves automatically open to release pressure that exceeds normal levels, preventing human injuries and damage to equipment. Triton was the first ICS malware that specifically targeted safety equipment. In that sense, it was a step up in the tenacity and boldness of the attackers.
- Industroyer2 (2022): After the original 2016 Industroyer was successfully used to halt electric grid operations in Ukraine, its successor, Industroyer2, was discovered, also in Ukraine, in 2022. According to Dragos, Industroyer2 is a stripped-down version of its predecessor, designed to (among other things) flip grid circuit breakers from open to closed and vice versa.
- Pipedream (2022): Pipedream is the most recently discovered and the most sophisticated ICS-specific malware to date, able to natively interact with a long list of ICS devices from various vendors. According to a CISA advisory, the malware is able to "scan for, compromise, and control certain ICS/SCADA devices." Those capabilities, according to Dragos, present "a clear and present threat to the availability, control, and safety of industrial control systems and processes" and "can be used to endanger operations and lives."
In the cybersecurity domain, we often analyze threats based on a triad of opportunity, capability, and intent. Threat actors must possess all three in order to launch successful attacks. Drawing on this brief history of ICS-specific malware, it appears that the threat groups are getting bolder by trying to inflict physical damage and strike safety systems, thereby indicating a growing general intent to cause harm. The technical analysis of the malware reveals a growing sophistication trend, indicating rising capability. It is on us, the cyber defenders, to learn from the past and make our networks hostile to attackers, thereby denying them the opportunities that they seek.