1. Introduction
Suppliers and supply chains are increasingly vulnerable attack surfaces: state-level Advanced Persistent
Threats can exploit global supply chains to execute sophisticated, multi-step attack campaigns against
Industrial Control Systems in critical infrastructure sectors such as energy and water. Industrial Control Systems are used to manage and control essential services and operations, and their security is, therefore, of utmost importance and concern – especially in preventing large-scale outages and disruptions in infrastructure that could occur given access to such environments. The cybersecurity landscape of Industrial Control Systems is quickly resembling the larger internet landscape of the late 1990s and early 2000s, with highly motivated threat actors and sophisticated toolsets focusing on these networks and systems. The cybersecurity threat to Industrial Control Systems used to be reactive or curiosity-based, but times have changed. Recent cybersecurity intelligence shows that nation-states have taken notice, and they aim to exploit the Industrial Control Systems to achieve military and domestic objectives.
National firms and their security teams tasked with adding security controls to protect critical infrastructure are struggling to respond to near-daily disclosures about stealthy supply chain attacks. Supply chain disclosures predominantly focus on compromised code builds. International vendors of complex industrial systems that are widely used in critical infrastructure are a prime target for so-called Advanced Persistent Threats. The prominence of supply chain vendors on the international stage, as well as the potential of their systems and associated services to disrupt critical operations in many foreign territories, makes them a particularly ideal target for state-sponsored threat actors. Adversaries with access and deep knowledge of Internal Control System vulnerabilities are active in discrete and process automation in critical infrastructure systems around the world and play an important but underreported role in both domestic political strategies and military options. Even if they have not done so yet, planners cannot ignore their activities and potential because adversaries with supply chain access to these systems have significant potential for destruction. The plan is proactive and intelligence-based – a new framework, adapted to the 2020s, can rapidly recognize adversaries with such potential and make the decision to expel them.
1.1. Background of Industrial Control Systems (ICS)
1.1. Background Critical infrastructures primarily rely on Industrial Control Systems (ICS) to manage and automate their processes. Critical infrastructures include various sectors, such as energy, manufacturing, and logistics. ICSs are composed of both hardware and software components to control and manage processes and machinery. ICSs used to be isolated from corporate networks and the internet, offering an added layer of security. However, many ICSs have been interconnected with corporate networks to aid in receiving IT services, back-end management systems, remote access for third-party vendors, and cloud based solutions. Still, the increasing number of interconnected applications has significantly heightened their security vulnerabilities.
The technology that comprises ICS has evolved over many decades. Process controls were early valve-based pneumatic logic relays eventually crafted to accomplish specific functions. These physical control relays were then replaced in kind by digital systems, and their underlying functionalities did not really change. As such, these systems historically have evolved based on manufacturing’s economies. For the most part, the reliability and safety of control systems have been prioritized over security, as required for their general operation and processes. The degradation of an ICS system’s security and integrity levels can lead to catastrophic results, running the gamut between financial loss and human harm on a regional scale. This section also emphasizes the different types of ICSs that operate in today’s interconnected world, their various architectures as per standards, and their operational aspects. Together, this indicates the need for refining strategies as applied to ICS security posture in the given interconnectivity scenario.
2.Understanding Advanced Persistent Threats (APTs)
An advanced persistent threat (APT) can be described as an extended and more sophisticated cyberattack that has certain unique characteristics. The first is that the threat actor is able to maintain unauthorized access in the targeted organization’s network for a long period of time, allowing them to explore, gather intelligence from, and possibly damage the infrastructure according to their interests. By being “persistent,” the range and the depth of the actions the attacker performs will be wider. Moreover, the attacker starts with a particular goal in mind, mostly the exfiltration of sensitive data from the victim’s network. When compared to typical attacks like drive-by downloads or campaigns of the DoS type, APTs are considered to be much more serious. This increases the level of priority for businesses to protect their networks efficiently. Furthermore, the “advanced” part of its description underlines that significant resources and “skills” are employed.
The figure below describes the typical steps of an APT’s life cycle. There are four stages: the reconnaissance stage, the stage where the internal host is exploited, the command and control stage, and the data collection and exfiltration stage.
In the traditional military context, “espionage” is a key tool for security as it allows a head of state to receive information that can affect his or her decisions. Nation-states are as interested in financial data or upcoming intellectual property as they are in other military data. This is not only a matter of global security but also of competition in economics and industry between states, which could be considered an act of aggression. Therefore, the infringement of the sovereignty of another nation by exfiltrating from their corporate and other information systems is part of a balancing act to be continuously performed by nations in mutual strategic alliances. Therefore, the attack can never be attributed directly to a nation-state; hence we call it “sponsored.” Both the scope and resource availability to conduct an APT are significant, increasing the maximum effectiveness of an APT over a traditional cyberattack. Therefore, knowledge of the APT is primordial in the IT as well as the ICS domains, since it represents “the next level of cyber war.” It is even more disastrous when it includes a supply chain attack.
Since APTs are sophisticated in nature and occur step by step and not immediately like traditional attacks, it is important to have a good understanding of their life cycle for reactive measures. When studying cyber threats protecting industrial systems, it is easy to notice that the nature of threats can be different from the threats encountered in traditional IT systems. However, risks need to be minimized to keep the trust of the end users intact. When considering APTs or any other kind of cyber threat consisting of a spectrum of actions, one might reach the conclusion that effectively detecting and responding to cyber threats is a central theme. More sophisticated threats like advanced persistent threats (APTs) are described because it is important to know that adversaries with significant resources and expertise are part of the threat landscape. Moreover, as attackers try to conceal their presence for extended periods of time, it emphasizes the need for continuous monitoring.
2.1.Characteristics of APTs
Advanced Persistent Threats (APTs) describe cyber threats that differentiate themselves from traditional threats in several key ways. In particular, they are defined by their persistence, which can last from months to years. Additionally, these actors are typically organized, targeting specific groups and employing advanced tools and tactics to evade detection. The term advanced refers to the use of novel technical indicators by APTs to exploit vulnerabilities, while persistence involves continual access to a target network. Lastly, the actors behind APTs usually possess the required resources and authorization to engage in such long-term operations. Most APTs also have an end goal that revolves around the theft of proprietary information and not network disruption.
Some additional characteristics that distinguish APTs from other types of cyber attacks include: some level of customization for the target, but generally the motivation is intellectual property theft; highly organized and skilled attackers, including government intelligence agencies or proxy groups; the ability to maintain control of their attack channel even as dramatic changes occur within an organization; using the system in an invasive way that doesn’t raise suspicion; the ability to dynamically change their tactics in order to infiltrate a system, and to adjust their defense to unexpected countermeasures, use their system’s communication infrastructure for remote command and control purposes, and prefer to use encrypted communication protocols to blend into normal network traffic and avoid detection.
3. State-Sponsored Supply Chain Attacks
Supply chain attacks occur when an adversary renders a product useless or interferes with the manufacturing or design of a product to gain unauthorized advantages. Specifically, state actors frequently utilize supply chain attacks to indirectly compromise target systems in critical infrastructure, industrial environments, and national security networks. Typical motivations for these attacks include conducting espionage, causing disruption, undermining national defense, and attaining a strategic advantage during times of peace. These operations require substantial resources and several years of prepositioning in targeted supply chains to successfully carry out. For example, a high-precision supply chain attack may require several years to complete and involve numerous partners to accomplish.
These attacks have proven to be especially effective because adversaries, who often have backdoors embedded in legitimate equipment and software, employ a number of approaches to avoid detection. No single entity has complete insight into their entire supply chain, and a victim’s defensive security measures fail when they interact with vendors within the adversary’s attack path. As a result, incidents are particularly difficult to remediate. Likewise, targeted assets may have deep systemic advantages, as cross-industry collaboration commonly occurs to design, implement, operate, and secure information and operational technologies across an affected supply chain. For these reasons, public’s private sector collaborative innovations and methodologies are required to comprehend and counter these supply chain threats. Counteracting supply chain attacks related to national security and critical infrastructure is a significant focus of government efforts.
3.1. Motivations and Objectives
In this subsection, we analyze the motivations and objectives for state-sponsored supply chain attacks. Despite the fact that they are carried out by several kinds of organizations, the focus is on the attacks conducted by nation-states. State-sponsored supply chain attacks are conducted in order to further the strategic interests of a nation. A variety of motivations drive these attacks.
Geopolitical competition. Supply chain attacks are a covert method of restructuring power between two or more nations and are frequently just one aspect of an extremely complicated and multidimensional conflict. One objective of these campaigns is to gather proprietary technology and trade secrets, as well as other sensitive information such as personally identifiable information from government agencies, defense contractors, and other high-priority or sensitive targets of interest. Perpetrators frequently have an interest in disrupting critical infrastructure as it relates to one or more targets in a variety of different domains, including public health, electric power generation and distribution, and financial and commercial transaction processors. Theoretically, compromised systems can be shut down or disabled to mitigate or neutralize a threat, leaving a way open to accomplish one or more broader objectives. In addition to the two aforementioned motivations, perpetrators conduct supply chain attacks as a means of applying additional economic pressure. It is especially more common when trade tensions between the supply chain targets and those of other states have escalated, and the expectation of a trade deal is currently low to non-existent.
Sabotage, compromise, and/or exploit devices to harm the host organization’s digital and/or physical assets. Spies can gather intelligence on the configuration, function, and/or activity of systems in order to stage a more advanced attack later. Spies can gather intelligence on the configuration, function, and/or activity of systems in order to leverage later in negotiation. Spies can gather intelligence on the configuration, function, and/or activity of systems in order to bolster a developing domestic capability. Spies can casually deny service by disrupting routine processes.
4. Detection Techniques for APTs in ICS
There are different methodologies available for the detection of APTs in ICS. Anomaly detection can be used to identify unusual activities, as attack patterns may not be known in ICS. One of the main challenges for this technique is to distinguish between malicious and authorized activities in the complex and dynamic environment. Signature-based detection exploits characteristics of actual attack patterns. Despite the fact that signatures need regular updates as attack strategies evolve, behavioral analysis can be considered to determine relationships and dependencies in order to assess trust and confidence levels. The behavior of components might be determined by emulation, simulators, or software-based methods to observe the interaction of system components and gather data on typical behavior, which can be used to classify malicious activities. Nevertheless, the outlined methodologies indicate that possibilities for executing attacks exist. A modified tactic, technique, and procedure might not be covered by existing signatures or behavioral antitheses. Consequently, ICS calls for new solutions in order to improve threat detection. It is essential to have continuous updating in the form of threat intelligence and real-time monitoring for threat detection and data generation to allow forensic analysis to reengineer the sequence of events causing malfunctions. The challenge of implementing such detection techniques in ICS is that resources are mostly constrained. In addition to that, operations such as time-sensitive operations limit the use of blocking systems. Therefore, security solutions need to be implemented in a way to keep machines and plants operational and intact. Threat detection is only practical if operators and supervisors are capable of recognizing potential threats. This can be achieved by continuous training focusing on possible threats and the results of the detection system.
4.1. Behavioral Analysis
One potential way to detect APTs in ICS is to implement behavioral analysis, which collects and analyzes the behavior of an ICS over time and identifies deviations from that normal behavior that might be indicative of an ongoing APT. Behavioral analysis encompasses different detection mechanisms aimed at identifying the deviation of a system state from the state it operated in before the supply chain attack. One straightforward approach is signature-based analysis: it requires a thorough understanding of the existing system and its dependencies before the supply chain attack occurs. Generally, signature-based detection is part of an early detection framework that introduces heuristics or temporal policies into a defense strategy that becomes more efficient the older the actual dataset is. Behavioral analysis follows a different strategy: it is inherently built into what is called an anomaly detector. Behavioral analysis represents the processing unit where the artificial intelligence or the machine learning routine that is applied is executed. The ways of establishing, training, and providing input data to the machine learning module initially and during the asset operation can be different. The idea is to find an approach where the machine-learned model benefits from newly collected data and adapts its models to match the asset’s behavior. When the new data is collected, the time series processed by the model increases, making it possible to generate new models that are closer to the asset’s behavior. A behavioral analysis tries to recognize the asset’s behavior through the collected inputs and creates a model that becomes the reference in the learning phase. The approach uses input to train a machine learning model, such as a clustering algorithm or a classification algorithm. Once the input is processed, the routine determines which elements are out of scope and how far from the established reference the outputs are.
5. Mitigation Strategies
Strategies for mitigating the risk of APTs in the industrial control system environment require both proactive and reactive approaches. Cybersecurity policies, procedures, and standards are important since they provide organizations with a framework for potentially responding if APT activity is discovered or suspected. Training awareness is also important because dealing with APTs generally involves changes in how employees use the technology. Generally, all mitigation strategies revolve around formulating and enacting a multi-layered situational approach. The goal of a layered defense strategy is to prevent an actor from gaining an initial foothold or, at the very least, prevent an attack from progressing to its ultimate goal. Although resilience against attack is a fundamental principle for industrial control systems, the design and operation of ICS require mitigation and resistance to APTs, particularly when the attack vector shifts to technology made outside the control of the OT environment, like a supply chain exploit.
Resilient critical infrastructure management requires user authentication and access control, but also limits the potential extent of APT-infected systems. Organizations should minimize the attack vector by implementing network segmentation and security zones to isolate control networks from external networks as well as enterprise computing systems. Organizations can also apply network and service domain segmentation internally to reduce the risk of APT infection or lateral movement. Role-based access control can help an organization limit APT access to certain individuals. Network out-of-band management and network traffic capturing can help an organization visualize an ongoing APT. Furthermore, conducting routine backups and automated system, file, or program logging alongside active monitoring and alerts can help an organization limit the potential damage of an APT on the organization. While each of these technical controls can increase the operational cost to the organization, these same controls can also translate into reduced attack surface area or the ability to minimize potential APT attacks. Collaboration with the public and private sectors for securing the infrastructure is helpful and recommended.
5.1. Secure Software Development Practices
Software vulnerabilities can provide entry points for APTs, making it vital to adopt secure software development practices in the development lifecycle to reduce security weaknesses for adversaries to exploit inside ICS environments. This can be accomplished by establishing a secure software development lifecycle that includes secure coding practices as part of the SDLC phases. Secure coding is associated with identifying risky source code constructs and best practices for programming applications that reduce software runtime vulnerabilities. Many methodologies and frameworks exist that can be used as a guide for software developers and security assessors in integrating security activities throughout the SDLC.
Some of the main activities of these SDLCs include the following: conducting regular security assessments, code reviews, and source code vulnerability testing; more frequent scanning for potential weaknesses and hardening configurations based on the outcomes of the scans; and focusing on automation capabilities in release pipelines to include human-curated and automatically generated security review comments. These activities ensure the systems pose less of a risk and are less attractive targets for adversaries to exploit. Building security into software that is deployed in ICS environments is a fundamental objective of the SDLCs and has the potential for widespread impact in reducing the risk of exploitation of ICS applications. A system that has been developed with a secure foundation is more capable of resisting attacks by APTs targeting software vulnerabilities.
In a practical sense, IC software development teams may not utilize secure code development practices because they have not been trained in such practices, the core curriculum may not contain secure programming instruction, or developers may not have had recent training in this area. Collaborations between security teams and IC software teams are a part of some maturity levels of applying the framework. These models are concerned with adapting activity from the supply chain risk management community for software development practices. Applying the Software Development risk principles enables the fortification of an IC development supply chain from man-in-the-middle, tampering, reverse engineering, or adding items into a supply chain of components, embedded software, or any firmware. Security programming information is a source and component of risk in developing secure code for ICS-related software. The current solution approach does not mitigate the risk of APTs developing or using zero-day concepts to compromise ICS or supply chain connected systems. The purpose of the use case studies is to provide an educational forum for practitioners using the framework.