(CS)²AI Online™ Replay - Mission Kill: Process Targeting in ICS Attacks

This week we're bringing you a real gem from our archives, with a replay of researcher Joe Slowik's analysis of the original attack on the Ukrainian power grid and the changes in ICS cyberattacks that followed.
Typical conceptions of ICS targeting focus on direct disruption of organizations through a single, specific action resulting in total operational loss: opening breakers to interrupt electricity flow, or tripping a safety system to shut down a plant. Yet further analysis of ICS events over time indicates adversaries are pursuing far more interesting - and ambitious - attack patterns in industrial environments.
After the 2015 Ukraine power event, ICS-focused attacks began to shift from direct disruption toward changing, modifying, or otherwise undermining fundamental ICS processes, either to stage more serious attacks or to identify specific process "pain points" with outsized value to the victim environment. What was previously theoretical is now documented: developments from 2016 Ukraine to the present show clear evidence that adversaries are learning about process and operational dependencies and leveraging them to achieve maximum industrial impact.
We'll examine three case studies: 2016 Ukraine, 2017 TRISIS, and (although not a cyber event, relevant for targeting purposes) the 2019 attack on the Abqaiq oil processing facility. In each, attackers identified operational "pain points" for targeting (protective relays, safety instrumented systems, hydrodesulfurization units) to create cascading or outsized impacts from the compromise (or destruction) of specific devices. Such operations show a clear effort by attackers to learn industrial processes well enough to identify "weak points" for attack, with the resulting capability to produce potentially disastrous outcomes.
Given these developments, ICS security operations must move beyond IT-centric defense (which in ICS environments often runs on legacy or limited equipment) into a more interesting realm: fusing IT visibility with industrial process awareness. Understanding the process environment and identifying the critical-path nodes of a defended facility is vital to ensuring appropriate defense. By understanding how attackers have evolved, ICS and critical infrastructure defenders can allocate and position resources more effectively to counter future ICS attacks.
Becoming a paid member is quick and easy (and helps us keep offering these educational opportunities!). It also offers discounts on events like the Level Zer0 ICS/OT Cyber Security Conference. Join now: https://www.cs2ai.org/plans-pricing

All past seminars and symposiums are available to paid CS2AI.ORG members. Check out the Resources area of our website in the Members Portal: https://www.cs2ai.org/

Certificates for Professional Development/Continuing Education Units (PDUs/CEUs) are available to all registered individuals who attend at least one hour of the event.

If you're interested in speaking at a future (CS)2AI event, having your organization become a Strategic Alliance Partner, or engaging in any of the other ways available, please contact us via https://www.cs2ai.org/get-involved

Please note that (CS)2AI ONLINE events are provided free of charge as educational career development content through the support of our paid members and the generous contributions of our corporate Strategic Alliance Partners. Contact information used in registering for our directly supported seminars may be shared with the sponsors funding those specific events. Unless noted on the GoToWebinar registration page, all events are open for direct funding support.