There have been only a small number of broadly documented cyber
attacks targeting operational technology (OT) / industrial control
systems (ICS) over the last decade. While fewer attacks are clearly a
good thing, the lack of an adequate sample size for determining risk
thresholds can make it difficult for defenders to understand the
threat environment, prioritize security efforts, and justify resource allocation.
To address this problem, FireEye Mandiant
Threat Intelligence produces a range of reports for subscription
customers that focus on different indicators to predict future
threats. Insights from activity on dark web forums, anecdotes from the
field, ICS vulnerability research, and proof-of-concept research make
it possible to illustrate the threat landscape even with limited
incident data. This blog post focuses on one of those source
sets: ICS-oriented intrusion and attack tools, which will be referred
to together in this post as cyber operation tools.
ICS-oriented cyber operation tools refer to hardware and software
that have the capability either to exploit weaknesses in ICS or to
interact with the equipment in such a way that threat actors could use
them to support intrusions or attacks. For this blog post, we
separated exploit modules that are developed to run on top of
frameworks such as Metasploit, Core Impact, or
Canvas from other cyber operation tools due to their exceedingly
Cyber Operation Tools Reduce the Level of Specialized Knowledge Attackers Need to Target ICS
As ICS are a distinct sub-domain of information and computer
technology, successful intrusions and attacks against these systems
often require specialized knowledge, establishing a higher threshold
for successful attacks. Since intrusion and attack tools are often
developed by someone who already has the expertise, these tools can
help threat actors bypass the need to gain some of this expertise
themselves, or help them gain the requisite knowledge more
quickly. Alternatively, experienced actors may resort to using known
tools and exploits to conceal their identity or maximize their budget.
Figure 1: ICS attacker knowledge curve
The development and subsequent adoption of standardized cyber
operation tools is a general indication of increasing adversarial
capability. Whether these tools were developed by researchers as
proof-of-concept or utilized during past incidents, access to them
lowers the barrier for a variety of actors to learn and develop future
skills or custom attack frameworks. Following this premise, equipment
that is vulnerable to exploits using known cyber operation tools
becomes low-hanging fruit for all sorts of attackers.
ICS Cyber Operation Tool Classification
Mandiant Intelligence tracks a large number of publicly available
ICS-specific cyber operation tools. The term “ICS-specific,”
as we employ it, does not have a hard-edged definition. While the vast
majority of cyber operation tools we track are clear-cut cases, we
have, in some instances, considered the intent of the tool’s
creator(s) and the tool’s reasonably foreseeable impact on ICS
software and equipment. Note that we excluded tools that are IT-based but
may affect OT systems, such as commodity malware or known network
utilities. We included only a few exceptions, where we identified
specialized adaptations or features that enabled the tool to interact
with ICS, as in the case of nmap scripts.
We assigned each tool to at least one of eight different categories
or classes, based on functionality.
Table 1: Classes of ICS-specific intrusion and attack tools
While some of the tools included in our list were created as early
as 2004, most of the development has taken place during the last 10
years. The majority of the tools are also vendor agnostic, or
developed to target products from some of the largest ICS original
equipment manufacturers (OEM). Siemens stands out in this area, with
60 percent of the vendor-specific tools potentially targeting its
products. Other tools we identified were developed to target products
from Schneider Electric, GE, ABB, Digi International, Rockwell
Automation, and Wind River Systems.
Figure 2 depicts the number of tools by class. Of note, network
discovery tools make up more than a quarter of the tools. We also
highlight that in some cases, the software exploitation tools we track
host extended repositories of modules to target specific products or vulnerabilities.
Figure 2: ICS-specific intrusion and attack tools by class
Software Exploit Modules
Software exploit modules are the most numerous subcomponents of
cyber operation tools given their overall simplicity and
accessibility. Most frequently, exploit modules are developed to take
advantage of a specific vulnerability and automate the exploitation
process. The module is then added to an exploit framework. The
framework works as a repository that may contain hundreds of modules
for targeting a wide variety of vulnerabilities, networks, and
devices. The most popular frameworks include Metasploit, Core Impact, and
Canvas. Also, since 2017, we have identified the development of
younger ICS-specific exploit frameworks such as Autosploit, Industrial Exploitation
Framework (ICSSPLOIT), and the Industrial Security Exploitation Framework.
Given the simplicity and accessibility of exploit modules, they are
attractive to actors with a variety of skill levels. Even less
sophisticated actors may take advantage of an exploit module without
completely understanding how a vulnerability works or knowing each of
the commands required to exploit it. We note that, although most of
the exploit modules we track were likely developed for research and
penetration testing, they could also be utilized throughout the attack lifecycle.
Exploit Modules Statistics
Since 2010, Mandiant Intelligence has tracked exploit modules for
the three major exploitation frameworks: Metasploit, Core Impact, and
Canvas. We currently track hundreds of ICS-specific exploit
modules related to more than 500 total vulnerabilities, 71 percent of
them being potential zero-days. The breakdown is depicted in Figure
3. Immunity Canvas currently has the most exploits, due in large part
to the efforts of Russian security research firm GLEG.
Figure 3: ICS exploit modules by framework
Metasploit framework exploit modules deserve particular attention.
Even though it has the fewest modules, Metasploit is freely
available and broadly used for IT penetration testing, while Core
Impact and Immunity Canvas are both commercial tools. This makes
Metasploit the most accessible of the three frameworks. However, it
also means that module development and maintenance are provided by the
community, which is likely contributing to the lower number of modules.
It is also worthwhile to examine the number of exploit modules by
ICS product vendor. The results of this analysis are depicted in
Figure 4, which displays vendors with the highest number of exploit
modules (over 10).
Figure 4: Vendors with over 10 exploit modules
Figure 4 does not necessarily indicate which vendors are the most
targeted, but which products have received the most attention from
exploit writers. Several factors could contribute to this, including
the availability of software to experiment with, general ease of
writing an exploit on particular vulnerabilities, or how the
vulnerability matches against the expertise of the exploit writers.
Some of the vendors included in the graph have been acquired by
other companies; however, we tracked them separately because the
vulnerability was identified prior to the acquisition. One example of
this is Schneider Electric, which acquired 7-Technologies in 2011 and
altered the names of their product portfolio. We also highlight that
the graph solely counts exploit modules, regardless of the
vulnerability exploited. Modules from separate frameworks could target
the same vulnerability and would each be counted separately.
ICS Cyber Operation Tools and Software Exploitation Frameworks Bridge Knowledge and Expertise Gaps
ICS-specific cyber operation tools, often released by researchers and
security practitioners, are useful assets that help organizations learn
about ongoing threats and product vulnerabilities. However, like
anything publicly available, they can also lower the bar for threat
actors that hold an interest in targeting OT networks. Although
successful attacks against OT environments will normally require a
high level of skill and expertise from threat actors, the tools and
exploit modules discussed in this post are making it easier to bridge
the knowledge gap.
Awareness about the proliferation of ICS cyber operation tools
should serve as an important risk indicator of the evolving threat
landscape. These tools provide defenders with an opportunity to
perform risk assessments in test environments and to leverage
aggregated data to communicate and obtain support from company
executives. Organizations that do not pay attention to available ICS
cyber operation tools risk becoming low-hanging fruit for both
sophisticated and inexperienced threat actors exploring new capabilities.
FireEye Intelligence customers have access to the full list and
analysis of ICS cyber operation tools and exploit modules. Visit our
website to learn more about the FireEye
Mandiant Cyber Physical Threat Intelligence subscription.