The United States and other governments are seeking to bolster the security of critical infrastructure networks in response to a combination of high-profile, likely state-directed intrusions and increasingly disruptive, criminally driven ransomware incidents. Events such as the SolarWinds and Microsoft attacks discovered in 2020 and the recent Colonial Pipeline ransomware incident expose latent, pervasive vulnerabilities and weaknesses in the security posture of economically vital entities. In response to these and other events, the US government alone issued the following statements, executive orders, and legislative actions:
- A May 2021 executive order directing improvements in US cyber defense.
- A July 2021 National Security Memorandum focusing on improving standards and defense of critical infrastructure systems, with an emphasis on industrial control systems (ICS).
- Significant investment in critical infrastructure security within the 2021 bipartisan infrastructure bill.
While US actions draw the most attention, they are mirrored elsewhere, as entities ranging from the European Union to Australia similarly work to strengthen network defense in critical infrastructure sectors. That multiple parties have identified a problem is obvious, but precisely how to deal with these security issues remains an open question in most instances.
Calls for modernization and improvement emphasize commercial buzzwords and marketing terminology ranging from "hybrid cloud adoption" to implementing "zero trust" security architecture. While these ideas have merit, and are cornerstones of the May 2021 Executive Order, they presuppose that organizations can rapidly adopt and implement complex, advanced security solutions. Unfortunately, the reality for many industries, including many of the sectors identified as "critical infrastructure" by entities such as the US Department of Homeland Security, reflects a distinct lack of the maturity necessary to succeed.
First and foremost, organizations and critical infrastructure entities must ensure at least minimum levels of visibility — across both endpoint and network space — to have any hope of succeeding in security tasks. Put bluntly, organizations that lack inherent understanding of and visibility into networks and processes will be hard-pressed to ensure the security of the same. Yet, in leapfrogging these security "basics" toward more complex and exotic possibilities, well-intentioned and necessary efforts to modernize the security posture of critical infrastructure networks will almost certainly fail.
While certain intrusion scenarios, such as the SolarWinds/Microsoft incident, appear on their face to represent highly complex, near-insurmountable problems, closer examination indicates that a combination of visibility into network activity and examination of identified events can uncover even the most "complex" intrusions. As multiple entities have documented, the post-intrusion operations that followed the supply chain portion of the incident, while retaining relatively high degrees of operational security, nonetheless produced artifacts suitable for identification and detection, including:
- Abnormal DNS queries containing encoded information
- Unusual traffic activity to network infrastructure not associated with any other, legitimate service
- Cobalt Strike Beacon command and control (C2) activity
While the entity behind this event — known as Nobelium, UNC2452, and Dark Halo, among other names — went to great lengths to both obscure and hide their activity, the above provides relatively simple items for observation in well-documented, well-architected network environments. Sufficient visibility into environments, combined with an ability to analyze and understand resulting observations, may not offer a perfect, impregnable defense, but it would give network defenders and system operators multiple possibilities for detecting unusual network activity relating to this campaign.
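The first two artifacts in the list above are ones that basic DNS and network flow visibility can surface without any knowledge of the specific campaign. The script below is an added example, not code from the original article or from any of the entities it cites: it scans a constructed DNS query log for hostnames whose leftmost label looks like encoded data (long and high-entropy), and scans constructed flow records for hosts that contact a single external peer at suspiciously regular intervals, the typical shape of command-and-control beaconing. Both log formats are hypothetical; real sensors (passive DNS, NetFlow/IPFIX, Zeek logs) would need their own parsers, but the scoring logic is the same.

```python
"""Added example: two simple visibility checks over constructed DNS and flow logs.

Assumptions (not from the original article): a DNS log with lines of the form
"<iso_timestamp> <client_ip> <query_name>" and a flow log with lines of the
form "<iso_timestamp> <src_ip> <dst_ip> <dst_port> <bytes>". Every host name
and address below is a constructed sample drawn from documentation ranges.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed DNS queries: two long, high-entropy labels from one client.
DNS_LOG = """\
2021-06-01T09:00:01 10.1.5.20 www.example.com
2021-06-01T09:00:05 10.1.5.20 mail.example.com
2021-06-01T09:01:10 10.1.5.31 7s3p0rq9x2kd4vn1mz8t5b.cdn-metrics.example.net
2021-06-01T09:01:12 10.1.5.31 update.example.org
2021-06-01T09:02:30 10.1.5.31 k9d2m4x7q1v0z6p3r8b5.cdn-metrics.example.net
"""

# Constructed flows: 10.1.5.31 reaches 203.0.113.7:443 every 300 seconds,
# while 10.1.5.20 talks to 198.51.100.5:443 at irregular, human-looking times.
FLOW_LOG = """\
2021-06-01T09:00:00 10.1.5.31 203.0.113.7 443 1200
2021-06-01T09:05:00 10.1.5.31 203.0.113.7 443 1180
2021-06-01T09:10:00 10.1.5.31 203.0.113.7 443 1210
2021-06-01T09:15:00 10.1.5.31 203.0.113.7 443 1190
2021-06-01T09:20:00 10.1.5.31 203.0.113.7 443 1205
2021-06-01T09:25:00 10.1.5.31 203.0.113.7 443 1195
2021-06-01T09:00:12 10.1.5.20 198.51.100.5 443 54000
2021-06-01T09:00:13 10.1.5.20 198.51.100.5 443 8100
2021-06-01T09:03:40 10.1.5.20 198.51.100.5 443 2300
2021-06-01T09:14:02 10.1.5.20 198.51.100.5 443 77000
2021-06-01T09:31:55 10.1.5.20 198.51.100.5 443 900
2021-06-01T09:32:00 10.1.5.20 198.51.100.5 443 4100
"""


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than words."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_dns(log_text, min_len=16, min_entropy=3.5):
    """Return (client, qname) pairs whose leftmost label looks like encoded data."""
    hits = []
    for line in log_text.strip().splitlines():
        _ts, client, qname = line.split()
        label = qname.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.append((client, qname))
    return hits


def beacon_candidates(flow_text, min_flows=5, max_cv=0.2):
    """Return ((src, dst, port), mean_gap_seconds, cv) for peers contacted on a
    near-fixed cadence. cv is the coefficient of variation of the gaps between
    consecutive flows; a low cv means a timer, not a person, is driving them."""
    times_by_peer = defaultdict(list)
    for line in flow_text.strip().splitlines():
        ts, src, dst, dport, _nbytes = line.split()
        times_by_peer[(src, dst, int(dport))].append(datetime.fromisoformat(ts))

    found = []
    for peer, times in times_by_peer.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean == 0:
            continue
        variance = sum((g - mean) ** 2 for g in gaps) / len(gaps)
        cv = math.sqrt(variance) / mean
        if cv <= max_cv:
            found.append((peer, round(mean), round(cv, 3)))
    return found


if __name__ == "__main__":
    for client, qname in suspicious_dns(DNS_LOG):
        print(f"encoded-looking query from {client}: {qname}")
    for peer, gap, cv in beacon_candidates(FLOW_LOG):
        print(f"beacon-like traffic {peer[0]} -> {peer[1]}:{peer[2]} every ~{gap}s (cv={cv})")
```

Neither check identifies an intrusion on its own; both produce a short list of hosts worth an analyst's attention, which is precisely the step that is impossible without the underlying visibility. In practice the thresholds (label length, entropy, minimum flow count, cadence tolerance) are tuned against a baseline of the environment's own normal traffic, and content-delivery and telemetry services will appear in both lists until they are explicitly allow-listed.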
Reviewing other critical infrastructure incidents over the past decade, there are similar examples where basic visibility and investigation could enable early-stage detection and intrusion identification:
- In the 2015 and 2016 Ukraine power incidents, relatively common intrusion methodologies were deployed during ICS-specific intrusion phases of operations. Visibility into network traffic activity, even at just the network flow level, could identify initial access, lateral movement, and command-and-control behaviors prior to the execution of the disruptive events.
- For the 2017 Triton or Trisis incident, subsequent analysis revealed lateral movement and credential reuse activity, among other tradecraft, for migrating through the victim network en route to attempting execution of a likely destructive attack.
- Multiple intrusions into water and wastewater utilities in Israel and the US from 2019 through 2021 largely relied on insecure remote access mechanisms to authenticate to the victim environments. Monitoring for and tracking remote authentication and access activity could quickly identify such attempts when performed without significant obfuscation of traffic source.
- Recent ransomware events, from the Colonial Pipeline incident to JBS Foods, among others, all appear to have used standard intrusion tradecraft for initial access and lateral movement prior to ransomware deployment. Yet a lack of visibility in victim networks let these events progress from access to eventual operational disruption.
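The water-utility cases above turn on a single observation: remote access authentication events are already logged by the VPN or jump host, so the missing piece is someone looking at them. The script below is an added example, not code from the original article or from any of the affected utilities. It reviews a constructed remote-access authentication log against a constructed baseline of each account's known source addresses and flags three conditions that would have been visible in those incidents: a successful login from a source never seen for that account, a success outside the agreed maintenance window, and a success that directly follows a burst of failures from the same source. The log format, the baseline, and the maintenance window are all assumptions.

```python
"""Added example: review remote-access authentication events for conditions
worth an analyst's attention.

Assumptions (not from the original article): log lines of the form
"<iso_timestamp> <account> <source_ip> <SUCCESS|FAILURE>", a baseline mapping
each account to the source addresses it normally authenticates from, and a
maintenance window of 07:00-19:00 local time. All values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: the sources each remote account has historically used.
KNOWN_SOURCES = {
    "ops_alice": {"198.51.100.10"},
    "vendor_bob": {"192.0.2.44"},
}

# Constructed log: one normal day, plus a late-night success for the vendor
# account from an unfamiliar address after three failed attempts.
AUTH_LOG = """\
2021-04-10T10:02:11 ops_alice 198.51.100.10 SUCCESS
2021-04-10T10:40:03 vendor_bob 192.0.2.44 SUCCESS
2021-04-10T23:15:40 vendor_bob 203.0.113.99 FAILURE
2021-04-10T23:15:52 vendor_bob 203.0.113.99 FAILURE
2021-04-10T23:16:05 vendor_bob 203.0.113.99 FAILURE
2021-04-10T23:16:20 vendor_bob 203.0.113.99 SUCCESS
2021-04-11T08:30:00 ops_alice 198.51.100.10 SUCCESS
"""


def parse_auth(log_text):
    """Yield (timestamp, account, source_ip, result) in log order."""
    for line in log_text.strip().splitlines():
        ts, account, src, result = line.split()
        yield datetime.fromisoformat(ts), account, src, result


def review_remote_access(log_text, known=KNOWN_SOURCES, window_hours=(7, 19),
                         fail_threshold=3, fail_window=timedelta(minutes=10)):
    """Return (timestamp, account, source_ip, reason) tuples for successful
    logins that are unfamiliar, off-hours, or preceded by a burst of failures."""
    alerts = []
    recent_failures = defaultdict(list)  # (account, source_ip) -> timestamps
    for ts, account, src, result in parse_auth(log_text):
        key = (account, src)
        if result == "FAILURE":
            recent_failures[key].append(ts)
            continue

        # From here on the event is a SUCCESS; evaluate each condition.
        if src not in known.get(account, set()):
            alerts.append((ts, account, src, "new_source"))
        if not (window_hours[0] <= ts.hour < window_hours[1]):
            alerts.append((ts, account, src, "off_hours"))
        burst = [t for t in recent_failures[key] if ts - t <= fail_window]
        if len(burst) >= fail_threshold:
            alerts.append((ts, account, src, "success_after_failures"))
        recent_failures[key].clear()
    return alerts


if __name__ == "__main__":
    for ts, account, src, reason in review_remote_access(AUTH_LOG):
        print(f"{ts.isoformat()} {account} from {src}: {reason}")
```

Each rule is deliberately simple, because the point of the incidents cited above is not that the activity was subtle but that nobody was positioned to see it. The baseline of known sources is the part that requires real maintenance: it has to be rebuilt from historical logs and updated as vendors and staff change, which is exactly the kind of environmental knowledge the article argues organizations must have before more advanced controls can succeed.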