(Note – we started the post S4x13 coverage with this presentation since Nicole Perlroth of the NY Times has an online and print article on this today)
The most important lesson to learn from the S4 ICS Spear Phishing presentation is it demonstrates that computers on corporate, Internet and external networks are easily compromised and should not regularly connect to ICS. These connections should be limited to emergency situations with specific processes to enable the temporary access.
Put another way — key ICS personnel will be spear phished with highly targeted emails. Some will open the file or click on the link. Asset owners should prevent spear phishing success from compromising the ICS by eliminating regular corporate and other remote access to the ICS.
Background
Based on the spear phishing results on generic corporate users, and the number of asset owners that allow numerous corporate computers/users to access the ICS, we felt confident that spear phishing ICS administrators, technicians and others would be an easy way for an Internet attacker to gain access to an ICS. But there were no statistics or evidence to prove this point.
So we put together a team to test the assumption and create an interesting S4x13 presentation.
- Step 1 was to find a researcher who could perform the Open Source Intelligence (OSINT) and identify the spear phishing targets and their emails. We believe that Critical Intelligence is the best at ICS OSINT, and they graciously assigned Tyler Klingler to the research project.
- Step 2 was to find an organization to perform the spear phishing. After Digital Bond received a spear phishing attack we had some conversations with PhishMe. They have an engine and procedures to perform and monitor spear phishing attacks as security awareness efforts. PhishMe quickly signed on to the efforts.
- Step 3 was to find ICS asset owners to participate. They would get the OSINT, spear phishing and analysis at no charge. All results would be anonymized to the asset owner’s satisfaction. Even with this free service, it took a bit of doing to find three organizations to participate.
Approach
We will have the presentation video up shortly, but the short version is Tyler had little difficulty finding about 40 targets in each organization. He also found information about the systems and applications that were being used and generated a series of very targeted spear phishing emails.
The email addresses and the targeted emails were passed to PhishMe to run the test.
Results
Just over 25% of the highly targeted recipients fell victim to the spear phishing and clicked on the link. If their browsers were missing security patches or the attacker had an 0-day, the computer would be compromised. An attacker could load a keystroke logger and or other programs and gain whatever access that computer or user had to the ICS.
The money slide in the presentation was the job titles of those that clicked on the link:
- Control System Supervisor
- Automation Technician
- Equipment Diagnostics Lead
- Instrument Technician
- Senior VP of Operations and Maintenance
- more
These are the type of jobs that often have anytime remote access to the ICS from their corporate computers in many organizations.
The wrong lesson to take from this exercise is asset owners need to stop spear phishing. Yes, there should be security awareness efforts to make users less susceptible to spear phishing. Yes, this security awareness effort should include highly targeted ICS emails. And yes, asset owners should be working on the detection and response to spear phishing successes. Companies like PhishMe are now available to help asset owners with these efforts as are tools like the Social Engineering Toolkit.
The right lesson is to treat the corporate network as an untrusted network and prevent inbound access to the ICS except for emergency situations — as well as get working on your spear phishing portion of the security awareness program and incident response capability.
Image by Cleanplait