ICS Matrix: Unauthorized initial access. Part 1

Posted date 24/04/2025
Author
INCIBE (INCIBE)
Unauthorized initial access to ICS equipment. Padlocks, password, world map, binary code.

What is the Initial Access tactic?

The Initial Access (TA00108) tactic consists of a set of techniques used by attackers to exploit weaknesses, misconfigurations or vulnerabilities in a system in order to gain access to a protected system, that is, to gain a foothold in an internal network that allows them to act on the network itself and the computers that make it up.

Although usually preceded by a reconnaissance and investigation stage, the initial access stage represents the first active interaction between an external attacker and the targeted ICS network.

The Initial Access tactic is made up of 12 techniques. The first six are explained below, and the remaining ones will be discussed in a future article. For each technique, a practical example and the corresponding mitigations according to MITRE are included.

Execution Techniques

  • Drive-by Compromise: This technique is based on compromising an external website, usually unrelated to the organization targeted by the attacker, but which users of the target network are known to access. When a legitimate user on the internal network visits the affected website, they can fall victim to malicious downloads, phishing attacks, or credential theft. The advantage of this technique for the attacker is the possibility of affecting multiple users of an organization without acting directly against it while the website is being infected.

    For example, during an attack on the Ukrainian energy sector in 2017, attackers disguised the download of their malware, BadRabbit, as a request to download drivers for Adobe Flash Player on a compromised website. In this way, they managed to gain access to the computers of operators in the electricity sector, who visited the website and, unaware of the risk, downloaded and executed the malware.

    The mitigation measures proposed to prevent this type of attack are:

    • Application isolation and sandboxing: Zero Trust policies should be enforced, i.e., potentially dangerous executables and files from external web pages should first be executed in secure and isolated environments.
    • Exploits Protection: Enabling security settings and using endpoint protection tools allows you to restrict potentially dangerous actions, such as launching unknown executables.
    • Restrict Web-based content: in case access from the ICS network to the external network is essential, it should be considered to allow access only to reliable and necessary pages.
    • Software Update: specifically, updating browsers and web plugins. This prevents an attacker from exploiting security vulnerabilities in the user's browser to gain access to their computer, and lets users benefit from the security capabilities of more modern browsers.
  • Exploit Public-Facing Application. Much industrial equipment exposes web applications or other services to the public network to facilitate its management. However, these services represent an entry vector to the computers that host them. Compounding the risk, it is common for these services to contain vulnerable components, to have few security measures or misconfigurations, or to be updated infrequently.
    In 2016, the Sandworm attacker team was able to gain access to HMIs used in the Ukrainian power sector through the web interfaces of these computers. These were accessible from the public network, and attackers were able to exploit their security vulnerabilities without needing to gain access to an internal network beforehand.
    The mitigations proposed to prevent this type of attack are as follows:
    • Application isolation and sandboxing: In case web applications accessible from the external network are required, it is strongly recommended that such applications run in isolated and secure environments.
    • Exploits Protection: specifically, by using tools, such as application firewalls to control and secure application communications accessible from the public network.
    • Network segmentation: Like using secure execution environments, network segmentation reduces the risk of intrusion by establishing a barrier between exposed services and the rest of the network.
    • Privileged Account Management: Users with access to web applications accessible from the public network should have the lowest possible level of privilege. The actions they can perform should be limited to data read operations and actions with little impact on the equipment.
    • Software Update: Plugins used for web applications and software accessible from the public network should be kept up to date to prevent the exploitation of security vulnerabilities.
    • Vulnerability Scanning: In turn, vulnerability management is critical for services accessible from the public network, not only monitoring known vulnerability databases but also performing scans and audits.
  • Exploitation of Remote Services. This technique, similar to the previous one, describes access to ICS networks through the exploitation of remote access services. These services are becoming increasingly popular in ICS, where they are essential tools for managing increasingly interconnected systems.
    A very common type of attack against ICS environments that uses this technique is to gain access by exploiting vulnerabilities in remote communication protocols. Multiple ransomware attacks (including WannaCry and BadRabbit) have affected ICS networks by using the MS17-010 vulnerability in the first version of the SMB protocol.
    The mitigations proposed to prevent this type of attack are as follows:
    • Application isolation and sandboxing: Isolating vulnerable applications within the computers that require them is a good way to prevent the risk from spreading to more critical services.
    • Disable or remove features or programs: all unnecessary remote access applications or applications that introduce an unacceptable level of risk into ICS equipment should be eliminated during the industrial equipment hardening process.
    • Exploits Protection: The use of endpoint protection, intrusion detection and prevention, and communication flow control software is recommended to monitor and protect remote access to industrial equipment.
    • Network segmentation: ICS equipment using remote access services, especially those using vulnerable services, carries a considerable level of risk and should be separated from other critical equipment in the ICS network that does not require these services.
    • Privileged account management: It is recommended to limit the functions that can be performed remotely as much as possible. Actions that involve acting on control equipment should be especially limited.
    • Threat intelligence program: It is of special interest in this case to establish a procedure to monitor risks, threats and vulnerabilities that may affect vulnerable services.
    • Software Update: It is recommended that you replace outdated or vulnerable services with updated and secure versions. This measure is of special interest for services with remote capabilities, as they represent a gateway to the ICS network.
    • Vulnerability scanning: all services that act as an access door from the external network should be included as a priority in the scope of vulnerability management procedures.
  • External Remote Services. Although at first glance this technique may seem identical to the previous one, it refers to the use of legitimate features in remote access services to gain access to ICS without the need to exploit security vulnerabilities. Typically, this technique is associated with the use of known or predictable credentials, social engineering, misconfiguration, and more to gain access to legitimate accounts.
    An example that illustrates this difference very well is the attack on the water treatment system in Maroochy, Australia. Although nowadays these attacks are mostly carried out through VPN software or similar tools, in this case the field controllers were configured to communicate with the control center via radio frequency. Knowing this capability, the attackers were able to send legitimate commands on the same frequency that users use to communicate with the controllers, gaining access to them.
    The mitigations proposed to prevent this type of attack are as follows:
    • Account Usage Policies: To help detect and prevent misuse of legitimate user accounts, we recommend implementing usage rules such as password policies, controlling the times and locations from which accounts can be accessed, locking accounts after failed login attempts, and more.
    • Deactivate or eliminate functions or programs: Hardening the computers that host these services is critical, as they represent an entry vector for sending execution commands to ICS computers.
    • Limit access to resources over the network: Remote connections should be made to intermediate computers or centralized platforms. Direct connections to ICS control equipment from external networks should be avoided.
    • Multi-factor Authentication: Today, multi-factor authentication has become an essential requirement for remote access applications. Using this security measure avoids relying solely on the security level of the user's credentials and makes it easier to manage login and access tokens to computers.
    • Network Segmentation: in general, it is recommended to segment the ICS network according to whether or not the equipment requires external connections for its operation.
    • Password Policies: establishing a password policy and making operators aware of its use is essential to avoid common flaws that allow attackers to gain access to legitimate user accounts.
    • User Account Management: The use of tools that allow the dynamic management of user accounts is recommended, i.e. tools through which user account permissions can be monitored, blocked and managed.
  • Internet Accessible Device. This technique is a more direct version of access than External Remote Services. While in the latter the attackers take advantage of remote access solutions on ICS equipment, in the Internet Accessible Device technique the attack is carried out against ICS equipment reachable directly from the external network. This is the extreme case of lack of segmentation in ICS networks, where equipment from the internal network has a direct connection to the public network. This type of connection is highly discouraged in ICS environments, due to the risk of having equipment exposed to traffic and personnel outside the organization.
    One of the most common variants of this technique is to attack the modems that serve ICS equipment. For example, in 2016 a group of attackers managed to break the security of a modem at the Bowman Dam in New York through a brute force attack. Fortunately, the impact of this incident was limited, as the dam gates had been disconnected from the network for maintenance at the time of the attack.
    An effective mitigation measure against this technique is network segmentation. Under no circumstances is it recommended to deploy ICS networks in contact with public networks as a normal operating procedure. Connections to the external network must always go through perimeter protections and traffic control and monitoring measures, including protections between the border elements and the rest of the control network.
  • Remote Services. Remote access services are not a risk only when they are reachable from outside the internal network. Communication channels that represent a security vulnerability in an ICS system can also be created when remote services are deployed between different internal networks and segments. An ICS network usually entails a high level of criticality and requires a lower number of users or recurrent accesses. Therefore, it is common that, within an organization, the ICS network has a higher level of security than other segments and 'adjacent' networks. This means that communication channels between these areas introduce a risk vector.
    For example, a technology commonly used in this technique is the Remote Desktop Protocol (RDP), available by default on many Windows-based computers, used for example in the cyberattack against a refinery in Saudi Arabia in 2017 that ended up forcing the plant to close for a week. In this incident, Triton malware was able to access the ICS network from the company's corporate network using RDP, taking advantage of misconfigured firewall rules.
    There are multiple mitigations to reduce the risk of this technique:
    • Access Management: Applying access controls to all remote services, especially on critical assets, allows user activity to be controlled and increases the traceability of their actions.
    • Authorization Application: for access management to be effective, it must be accompanied by an authentication policy that requires all users to verify their identity before accessing computers through remote services.
    • Network Traffic Filtering: Traffic filtering allows you to dynamically restrict remote access to industrial equipment. It is recommended to deny remote connections by default in firewalls and network protection equipment, allowing them only when expressly necessary.
    • Network Whitelisting: Similarly, using endpoint-level network whitelisting solutions makes it possible to limit the remote connections that can be established directly from the device itself.
    • Network Management: As mentioned above, it is common for remote services to compromise, inadvertently or intentionally, the segmentation between networks. Reviewing the network channels and the security of their perimeter is essential to ensure that the effectiveness of this measure is maintained.
    • Password Policies: Establishing a strong password policy is essential to maintaining the security of user accounts that use remote services. Especially since, in many cases, these services do not allow additional security measures such as multi-factor authentication.
    • Authentication of Human users and Software processes or devices: whether the remote service is used by a human user or a system (other computer/software), its authenticity must be verified before giving access to the computer remotely.
    • User Account Management: the principle of least privileges must be maintained, reducing the number of users who can use remote services, as well as the privileges granted to them.
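As an added example (not INCIBE's code), the lockout rule from the Account Usage Policies mitigation and the brute-force scenario of the Internet Accessible Device technique, expressed as detection logic run over constructed log lines from a hypothetical remote-access gateway; the log format, the failure threshold and the time window are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical remote-access gateway in front of
# ICS equipment (assumed syslog-like format, not from any real device or incident).
SAMPLE_LOG = """\
2025-04-24T10:00:01 gw auth: FAIL user=operator src=203.0.113.7
2025-04-24T10:00:03 gw auth: FAIL user=operator src=203.0.113.7
2025-04-24T10:00:04 gw auth: FAIL user=admin src=203.0.113.7
2025-04-24T10:00:06 gw auth: FAIL user=operator src=203.0.113.7
2025-04-24T10:00:07 gw auth: FAIL user=root src=203.0.113.7
2025-04-24T10:00:09 gw auth: OK user=operator src=203.0.113.7
2025-04-24T10:05:00 gw auth: FAIL user=operator src=198.51.100.9
2025-04-24T10:30:00 gw auth: OK user=operator src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, src) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map offending sources to 'lockout' (reached `threshold` failures within
    `window`, where a usage policy should block them) or 'success_after_lockout'
    (a login then succeeded from that source: brute force that got through)."""
    failures = defaultdict(list)  # src -> timestamps of recent failures
    verdict = {}
    for ts, result, _user, src in parse(log_text):
        recent = [t for t in failures[src] if ts - t <= window]
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold:
                verdict.setdefault(src, "lockout")
        elif verdict.get(src) == "lockout":
            verdict[src] = "success_after_lockout"
        failures[src] = recent
    return verdict
```

A single failure followed by a later success (the second source) is left alone, while the first source, which reaches the threshold and then logs in, is the case worth an alert rather than just a lockout.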
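An added example, not from the original article, for the Remote Services case above, where RDP crossed from the corporate network into ICS through misconfigured firewall rules: a small rule audit in which a weak rule set sits beside a hardened one that allows remote access only from an intermediate (jump) host and denies by default. The zones, addresses, ports and the (action, src, dst, dport) rule format are assumptions.

```python
import ipaddress

# Assumed zones of a hypothetical plant (constructed addresses, not a real site).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz_jump": ipaddress.ip_network("10.20.0.0/24"),   # intermediate hosts
    "ics": ipaddress.ip_network("10.30.0.0/16"),
}
REMOTE_SERVICE_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}
# Constructed rule sets as (action, src, dst, dport), first match wins; None
# means any port. The weak set lets RDP cross from corporate straight into ICS.
WEAK_RULES = [
    ("allow", "10.10.0.0/16", "10.30.0.0/16", 3389),  # corporate -> ICS RDP
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
HARDENED_RULES = [
    ("allow", "10.20.0.5/32", "10.30.0.0/16", 3389),  # only the jump host
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),         # deny by default
]


def zone_of(net):
    """Name the zone that fully contains `net`, or 'unknown'."""
    net = ipaddress.ip_network(net)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"


def audit(rules):
    """List allow rules that expose a remote-access port of the ICS zone to any
    source other than the jump-host zone (direct access from adjacent networks)."""
    findings = []
    for action, src, dst, dport in rules:
        if action == "allow" and dport in REMOTE_SERVICE_PORTS \
                and zone_of(dst) == "ics" and zone_of(src) != "dmz_jump":
            findings.append(f"{REMOTE_SERVICE_PORTS[dport]} from {src} ({zone_of(src)}) into ICS")
    return findings


def permits(rules, src_ip, dst_ip, dport):
    """Evaluate one flow against the rule set, first match wins."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst, port in rules:
        if s in ipaddress.ip_network(src) and d in ipaddress.ip_network(dst) \
                and port in (None, dport):
            return action == "allow"
    return False
```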


Conclusions

The Initial Access tactic is usually the first step attackers take in ICS networks. The mitigations applied against this tactic will be key to preventing an incident, even before the attacker can access our systems.

Although there are many techniques ascribed to the Initial Access tactic, as has been observed throughout this article, most are related to taking advantage of porous, unconstrained or unprotected network perimeters. These features are widespread in today's industrial environments due to the continuous increase in interconnectivity between systems and the scale and complexity of ICS.

Therefore, although it is not advisable to rely solely on prevention and perimeter access measures when protecting against incidents, these should never be neglected in favour of internal security measures. It is common to underestimate the effect these measures have on the security of our network: an attacker detected inside a control system demands far more attention than the many attackers stopped before they gain access to the network, even though the latter is what keeps cybersecurity incidents an occasional occurrence, if it does not prevent them entirely.

In the second part of this article, to be published next week, the rest of the Initial Access techniques and their applications in industrial systems will be explored in depth. There you can discover more advanced tactics, practical examples, and mitigations proposed by MITRE to keep our ICS secure and deal with unauthorized access.