How machine learning can stop phishing attacks on critical infrastructure

By Eyal Benishti 

What does a prominent cyber attack against a German Steel Mill; a damaging cybersecurity event against a power plant in Ukraine and an attempted ransomware attack against Israel’s Electric Authority have in common? If your answer was that all three of these highly publicized cyber attacks on critical infrastructure used phishing or spear-phishing as the attack tool, then you’d be correct.

In previous blog posts, we’ve written about how the phishing epidemic is negatively impacting financial services and healthcare companies worldwide. For those industries specifically, skilled phishers use advanced techniques to target both vigilant and naïve employees with destructive, often zero-day attacks, including ransomware, malware, bots, spam, spoofing, and pharming.

In this blog post, we’ll examine the current threat landscape of critical infrastructure, detail phishing’s role in breaching Supervisory Control and Data Acquisition (SCADA) systems and industrial control systems (ICS), and explain how an automated phishing mitigation response powered by machine learning can thrive in this highly vulnerable environment.

Critical Infrastructure Under Attack Globally

Spear phishing was first identified as a threat to critical infrastructure as far back as 2013. In the years since, this technique has improved in sophistication and frequency, so much so that the SANS Institute now pinpoints 95 percent of all cybersecurity events, including those targeting critical infrastructure, to be caused by a spear phishing attack.

What constitutes critical infrastructure varies from country to country, but it in large part includes industries such as oil & gas, energy (including power and utilities), water and wastewater, manufacturing, transportation and national defense. Simply put, if society is reliant upon it to function, than it is likely considered critical in any country.

In the United States, the Department of Homeland Security (DHS) designates 16 sectors as critical infrastructure. In Israel, critical infrastructure is defined as: 

 “Anything that would undermine stability in society and thus lead to threats to national security. It is emphasized that infrastructure is a system that combines various objects, links between them, and providing certain types of human activity.”

What’s unique, and even down right scary, about critical infrastructure threats is that unlike the traditional financially motivated cyber attackers, those who seek to perpetrate attacks on infrastructure most often do so with damage and destruction as the impetus. As such, attacks targeting critical infrastructure are often strategically planned and executed by patient, well-funded nation states, cyber terrorists and anarchists with a political or ideological agenda. In fact, the first public ICS attack, known as Stuxnet, is widely believed, though never confirmed, to be a joint Israeli-American operation against Iran. Furthermore, according to an article in Dark Reading:

“Spear phishing campaigns, as an initial attack vector against ICS operators jumped dramatically from 42 reported incidents in 2014 to 109 in 2015, a 160 percent increase in 12 months.”

The increase in cyber attacks targeting critical infrastructure is gaining the world’s attention. While many organizations are hesitant to report any attempted or successful breach, the Industrial Control Systems Cybersecurity Emergency Response Team (ICS-CERT) in the United States reported a 20% uptick in attacks between 2015 and 2016. Other studies, such as SANS 2016 State of ICS Cybersecurity report, have similar findings.

The Vulnerability of Critical Systems

The majority of SCADA and ICS were built decades ago, long before interconnectivity was even a thought. These systems were designed with their own protocols to help automate and control critical processes in which reliability and availability were of the utmost importance. These networks were also built to only communicate with machines and equipment within a single location. Today, interconnectivity is all but ubiquitous and remote access and control have major cost savings benefits that cannot be ignored. However, introducing connectivity into legacy systems has created unprecedented vulnerabilities.

Also, employees themselves are risk-drivers to critical infrastructure. IT personnel do not typically manage SCADA and ICS, despite IT components increasingly attaching to them. Instead, operations technology (OT) professionals, who are primarily controls engineers and plant managers, hold this responsibility. But as IT and OT continue to converge, it is OT workers, many of whom are on the verge of retirement and lack basic cybersecurity knowledge, have been tasked with overseeing the digital safety of their networks and facilities.

In what seems like a conflict of interest, many of those on the frontlines of critical infrastructure defense are actually the least prepared to handle the job. For a more in depth overview of the challenges and unintended consequences of IT/OT convergence and interconnected SCADA systems and ICS, visit SANS ICS.

A Machine Learning Solution to Phishing Emails

Once an adversary is able to access a SCADA or ICS network, they often enter a period of stealthy reconnaissance in an effort to find the most appropriate time to begin their attack. As such, once a hacker has accessed the network, its very hard to find them, no less get them out, until they have shown their hand – which could very well not be until an attack against the electric grid, transportation system or defense facility is underway.

The most surefire way to mitigate critical infrastructure attacks is to eliminate phishing. While nobody knows for certain how many OT engineers are educated in phishing mitigation, we know that no matter how vigilant, everyone is susceptible. Just a few weeks ago, we wrote about how senior members of the Hillary Clinton campaign fell victim.

To solve the phishing problem, IRONSCALES developed IronTraps™, a patent-pending, automatic phishing incident response module that can supplement the due diligence of critical infrastructure operators and engineer. IronTraps automatically detects & blocks email phishing attacks in real-time, with or without human intervention.

When a phishing attack is discovered, either by human intelligence or machine learning, IRONSCALES’ servers automatically execute a system-wide scan that analyzes the number and skill ranking of the responders; Multi AV and Sandbox Scan results and other proprietary analytics. Within minutes, forensics is completed, and an intrusion signature is sent directly to endpoints, email servers and the SIEM, which then triggers an immediate enterprise-wide automatic mitigation response, such as quarantines, disabling links & attachments, and permanent removal of email, protecting the organization. Important event information is then automatically & anonymously shared with other users.

(This post was first published on IRNSCALES’ blog). 

Be the first to comment

Leave a Reply