Exclusive: Science and Technology Review in 2023

Hotspots of industrial control system security in 2023

  • CHENG Peng,
  • ZHANG Zhenyong,
  • CHE Xin,
  • CHEN Jiming
  • 1. State Key Laboratory of Industrial Control Technology, College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, China
  • 2. State Key Laboratory of Public Big Data, College of Computer Science and Technology, Guizhou University, Guiyang 550000, China

Received date: 2023-12-28

Revised date: 2024-01-04

Online published: 2024-04-09

Abstract

In 2023 ransomware still threatened the security of global industrial control systems (ICSs), intensified geopolitical conflicts made ICSs an important battlefield for hostile cyberattacks, and the supply chain once again became the soft underbelly of ICSs. Fortunately, much more attention was paid to ICS security, and large-scale exercises were carried out by countries worldwide. Besides, many documents on ICS policies and standards were issued by authorities. On the technical side, new vulnerabilities were found and defense approaches kept evolving. Specifically, software and hardware vulnerabilities remained the unavoidable weakness of ICSs. The “living-off-the-land attack” did not use vulnerabilities but enabled “low-cost, big threat” operations over ICSs. Besides, there were novel attacks such as the deep lateral movement attack at the control level, the PLC ransomware virus, and the attack toolkit Pipedream. Security vendors and research institutions launched security-specific monitoring platforms for ICSs, produced a trusted DCS, developed forensics tools, proposed lightweight cryptographic algorithms, and designed zero-trust mechanism sensors. The idea of “secure by design” was gradually taken into the design of ICSs. There was also advanced research on runtime PLC security testing, protocol implementation correctness testing, protocol reverse analysis, and attack detection. Emerging technologies, such as artificial intelligence, digital twins, and large language models, brought opportunities to ICS security. Moreover, ICS security spilled over to satellite systems, and Europe and the US began to prepare for the battlefield of cyber warfare in space.

Cite this article

CHENG Peng, ZHANG Zhenyong, CHE Xin, CHEN Jiming. Hotspots of industrial control system security in 2023[J]. Science & Technology Review, 2024, 42(1): 314-328. DOI: 10.3981/j.issn.1000-7857.2024.01.021
