2019 ICS Cyber Security Conference | USA

Social engineering is a primary method for obtaining unauthorized access to secure environments. Most attacks against critical infrastructure rely on some form of social engineering, with examples being email phishing, vishing, and other various techniques.

Control systems in many critical facilities are isolated from the Internet (air-gapped). This provides a false sense of security as it is common to exploit the human factor to “bridge the gap”. Even for “connected” facilities, it is often much easier to gain access using social engineering techniques than traditional hacking methods. Additionally, many control systems are not configured for proper role-based access control, with the worst offenders sharing credentials across many users with largely open permission sets. This widens the attack surface substantially and proves very helpful to the human hacker. On the other extreme, it is also possible to have a single individual responsible for all the actions in the control system. Even for the most trusted employee, this places them as a target for an Advanced Persistent Threat (APT).

In this talk, we will discuss social engineering and related attack methods with a special focus on critical facilities, SCADA systems, Operational Technology (OT) networks, vulnerabilities, and challenges. We will cover an end-to-end scenario, including target identification and reconnaissance via Open-Source Intelligence (OSINT), attack methods and useful devices (with demos) with the ultimate goal of illustrating how some attackers gain access to some of the most secure environments. Prevention strategies to avoid these attacks will then be discussed.

There are many approaches to preventing social engineering attacks on corporate environments (IT networks). These range from advanced email filtering appliances and voice recognition software to rapid credential rotation services with multi-factor authentication. Many of these technical solutions work well for IT networks, but many will pose challenges for their OT network counterparts. For instance, a security appliance should not be configured to heuristically deny traffic in a control system (for safety reasons).

OT networks are fundamentally different from IT networks and efforts to prevent attacks on these systems must consider their unique attributes. These attributes include the ability to require the “two-man rule” and “control escalation” where two people must be involved for a control action to take place (thus making it twice as difficult for the social engineer). Two-factor authentication is becoming more common in SCADA deployments (but remains disabled for various reasons).

This discussion will start with the basics and then quickly progress to more advanced techniques. Is your air-gapped environment secure? Attend this session to get assessment and prevention tips so that you can decide for yourself.