External Remote Services
| External Remote Services | |
|---|---|
| Tactic | Initial Access, Lateral Movement |
| Data Sources | Authentication logs |
| Asset | Control Server, Input/Output Server |
Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services.[1]
External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement.
As they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled.[2]
In the Maroochy Attack, the adversary was able to gain remote computer access to the system over radio.
The 2015 attack on the Ukrainian power grid showed the use of existing remote access tools within the environment to access the control system network. The adversary harvested worker credentials, some of them for VPNs the grid workers used to remotely log into the control system networks.[3][2][4][5] The VPNs into these networks appear to have lacked two-factor authentication.[2]
- XENOTIME utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment.[6]
- Bad Rabbit can utilize exposed SMB services to access industrial networks.[7]
- NotPetya can utilize exposed SMB services to access industrial networks.[7]
- WannaCry can utilize exposed SMB services to access industrial networks.[7]
- Restrict user privileges with Role-Based Access Control (RBAC). Configure and assign "roles" based on the principle of least privilege. Levels of access can dictate several factors, including the ability to view, use, and alter specific ICS data or device functions.[8]
- Configure remote control software to use unique user names and passwords, strong authentication, encryption if determined appropriate, and audit logs. Use of this software by remote users should be monitored in near real time.[8]
- Enable console user actions to be traceable, either manually (e.g., control room sign-in) or automatically (e.g., login at the application and/or OS layer).[8] Protect and restrict access to the resulting logs.
- In environments with a high risk of interception or intrusion, consider supplementing password authentication with other forms of authentication such as multi-factor authentication using biometric or physical tokens.[8]
- Secure and restrict access to the control room(s), which could be leveraged to set up an external remote service. Ensure VPNs, which are commonly used to provide secure access to ICS environments from untrusted networks, are properly configured.[8]
- Maintain awareness and observe use of External Remote Services with intrusion detection systems and solutions. Timely patch maintenance will assist with reducing the likelihood of Exploitation of Vulnerability for External Remote Service.[8]
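The monitoring mitigation above depends on the technique's listed data source, authentication logs. The following added example (not part of the ATT&CK page) reviews constructed VPN gateway authentication records and flags three conditions the mitigations describe: a successful login without a second factor, a vendor account connecting outside its maintenance window, and one account used from more than one source address. The log format, the `vendor_` account prefix, and the 08:00-17:59 UTC window are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of VPN gateway authentication records (hypothetical key=value format).
SAMPLE_LOG = """\
2023-05-02T01:12:09Z vpngw01 auth user=vendor_svc src=203.0.113.7 mfa=none result=success
2023-05-02T09:30:44Z vpngw01 auth user=eng.alice src=198.51.100.20 mfa=totp result=success
2023-05-02T09:31:02Z vpngw01 auth user=eng.alice src=198.51.100.20 mfa=totp result=success
2023-05-02T14:05:11Z vpngw01 auth user=eng.bob src=192.0.2.55 mfa=totp result=fail
2023-05-02T22:47:30Z vpngw01 auth user=eng.alice src=203.0.113.99 mfa=totp result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>\S+) result=(?P<result>\S+)$"
)

# Assumed site policy: third-party (vendor_*) accounts may only connect inside a
# scheduled maintenance window, expressed here as UTC hours 08:00-17:59.
VENDOR_PREFIX = "vendor_"
MAINTENANCE_HOURS = range(8, 18)

def parse_log(text):
    """Parse records into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_alerts(events):
    """Return (rule, user, detail) tuples for successful remote logins that break policy:
    no second factor, vendor login outside the window, or one account seen from
    more than one source address within the reviewed period."""
    alerts = []
    sources = defaultdict(set)
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts belong to a separate brute-force rule
        if e["mfa"] == "none":
            alerts.append(("no_mfa", e["user"], e["src"]))
        hour = int(e["ts"][11:13])  # hour field of the ISO-8601 timestamp
        if e["user"].startswith(VENDOR_PREFIX) and hour not in MAINTENANCE_HOURS:
            alerts.append(("vendor_outside_window", e["user"], e["ts"]))
        sources[e["user"]].add(e["src"])
        if len(sources[e["user"]]) > 1:
            alerts.append(("multiple_sources", e["user"], e["src"]))
    return alerts
```

On the sample, the vendor account trips both the missing-MFA and out-of-window rules and `eng.alice` trips the multiple-sources rule; the failed `eng.bob` attempt is ignored here and would be handled by a separate brute-force rule.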
1. Daniel Oakley, Travis Smith, Tripwire. (n.d.). Retrieved May 30, 2018.
2. Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Retrieved March 27, 2018.
3. Zetter, Kim. (2016, March 03). Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid. Retrieved March 8, 2019.
4. ICS-CERT. (2016, February 25). Cyber-Attack Against Ukrainian Critical Infrastructure. Retrieved March 8, 2019.
5. John Hultquist. (2016, January 07). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved March 8, 2019.
6. Dragos. (2017, December 13). TRISIS Malware: Analysis of Safety System Targeted Malware. Retrieved January 12, 2018.
7. Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.
8. Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.