Kicking off our 2021 (CS)2AI ONLINE event series with a bang, Joe Slowik of Domain Research is serving up a triple set of case studies illustrating the evolution and increasing dangerousness of control system attack methods.

Register now to reserve a seat and join the discussion!

Typical conceptions of ICS targeting focus on direct disruption of organizations through a single, specific action resulting in complete operational loss: opening breakers to interrupt the flow of electricity, or tripping a safety system to shut down a plant. Yet further analysis of ICS events over time indicates adversaries are pursuing far more interesting – and ambitious – attack patterns in industrial environments.

Following the 2015 Ukraine power event, ICS-focused attacks began to shift from direct disruption to changing, modifying, or otherwise undermining fundamental ICS processes, either to stage more serious attacks or to identify specific process “pain points” with outsized value to the victim environment. While such attacks were previously theoretical in origin, developments from 2016 Ukraine to the present show clear evidence that adversaries are learning about process and operational dependencies in industrial environments – and how these can be leveraged to achieve maximum impact relative to attacker actions.

To illustrate the above point, three case studies will be examined: the 2016 Ukraine event, the 2017 TRISIS event, and (although not cyber, relevant for targeting purposes) the 2019 attack on the Abqaiq oil processing facility in Saudi Arabia. In each case, attackers identified specific operational “pain points” for targeting (protective relays, safety instrumented systems, hydrodesulfurization facilities) to create cascading or outsized impacts from specific device compromise (or destruction). Such operations show clear effort by attackers to learn about and understand industrial processes to identify “weak points” for attack, with the resulting capability of producing potentially disastrous results.

Given these developments, ICS security operations move beyond the realm of IT-centric defense (albeit on legacy or limited equipment) into a more interesting realm of fusing IT visibility with industrial process awareness. From a defensive point of view, understanding the process environment and identifying critical path nodes for the defended facility is vital to ensure appropriate defense where it matters most. By understanding how attackers have evolved, ICS and critical infrastructure defenders can ensure better resource allocation and better positioning to counter future ICS attacks.

Registration for this event is necessary at: