Special topic: Review of science and technology hotspots in 2023

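Hotspots of industrial control system security in 2023

  • CHENG Peng,
  • ZHANG Zhenyong,
  • CHE Xin,
  • CHEN Jiming
  • 1. State Key Laboratory of Industrial Control Technology, College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, China;
    2. State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang 550000, China
CHENG Peng, professor, research interest: cyber-physical system security, e-mail: lunarheart@zju.edu.cn

Received date: 2023-12-28

  Revised date: 2024-01-04

  Online published: 2024-04-09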


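Abstract (Chinese version)

In 2023, ransomware continued to threaten the security of industrial control systems (ICSs) worldwide; intensifying geopolitical conflicts turned ICSs into an important battlefield for cyberattacks between opposing sides; and supply chain attacks once again became the weak point of ICSs. Industry attention to ICS security kept rising, and countries carried out large-scale exercises focused on ICS security. ICS security policies and standards were issued one after another, giving the relevant industries rules and laws to follow. Software and hardware vulnerabilities remained the "critical flaw" of ICSs, while "living-off-the-land attacks" can bypass vulnerabilities to carry out "low-cost, high-threat" attacks. Researchers developed new attack techniques: deep lateral movement attacks and PLC ransomware aim threats directly at the ICS control layer, and Pipedream, a modular and powerful ICS attack toolkit, shows attackers a path of attack. ICS security protection technologies continued to iterate: security vendors and research institutions released security monitoring platforms, a trusted DCS, attack forensics tools, lightweight cryptographic algorithms, and sensors with zero-trust mechanisms; cybersecurity is gradually being brought into the ICS design stage, and the integrated co-design of functional safety and information security achieved breakthroughs. There were innovative research results in PLC runtime security testing, protocol implementation correctness testing, protocol reverse analysis, and attack detection. Emerging technologies such as artificial intelligence, digital twins, and large language models bring opportunities for ICS security. ICS security has spilled over to satellite systems, and Europe, the United States, and other countries have begun preparing for the space battlefield of cyber warfare.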

Cite this article

CHENG Peng, ZHANG Zhenyong, CHE Xin, CHEN Jiming. Hotspots of industrial control system security in 2023[J]. Science & Technology Review, 2024, 42(1): 314-328. DOI: 10.3981/j.issn.1000-7857.2024.01.021

Abstract

In 2023, ransomware still threatened the security of global industrial control systems (ICSs), intensified geopolitical conflicts made ICSs an important battlefield for hostile cyberattacks, and the supply chain once again became the soft underbelly of ICSs. Fortunately, much more attention was paid to ICS security, and large-scale exercises were carried out by countries worldwide. In addition, authorities issued many documents on ICS policies and standards. On the technical side, new vulnerabilities were found and defense approaches kept evolving. Specifically, software and hardware vulnerabilities were still the unavoidable weakness of ICSs. The "living-off-the-land attack" did not use vulnerabilities but enabled "low-cost, big threat" operations against ICSs. There were also novel attacks such as the deep lateral movement attack on the control level, PLC ransomware, and the attack toolkit Pipedream. Security vendors and research institutions launched security-specific monitoring platforms for ICSs, produced a trusted DCS, developed forensics tools, proposed lightweight cryptographic algorithms, and designed zero-trust mechanism sensors. The idea of "secure by design" was gradually brought into the design of ICSs. There was also advanced research on runtime PLC security testing, protocol implementation correctness testing, protocol reverse analysis, and attack detection. Emerging technologies, such as artificial intelligence, digital twins, and large language models, brought opportunities to ICS security. Moreover, ICS security spilled over to satellite systems, and Europe and the US began to prepare for the battlefield of cyber warfare in space.
