When will my PLC support Mirai? The security economics of large-scale attacks against Internet-connected ICS devices
I. Abstract
We use a series of case studies to develop a security economics model of large-scale attacks against Internet-connected populations, and apply it to explain both the current lack of attacker interest in ICS and the features of Industry 4.0 that will make the ICS domain more accessible and more attractive to attackers.
II. Introduction
The population of Internet-connected ICS devices shares many characteristics with other populations that attract large-scale criminal activity, such as size, stability, and lack of long-term support, yet we find that the actual risk to ICS devices is low. We present results from the largest high-interaction ICS honeypot study to date; we monitor scanning malware for awareness of industrial protocols; and we gather ICS-related interest from a database of 70 million hacker forum posts. Overall, the data indicate that the cybercrime community lacks either the capability or the interest to target ICS.
To explain this low interest, we introduce a security economics model that describes and predicts large-scale adversarial interest in a population of Internet-connected devices. The model reveals several factors that currently keep large-scale malicious attention away from the ICS domain, such as the fragmented distribution of ICS, the limited compute and memory resources on most ICS devices, and the high cost of entry. However, the ICS community is converging with the Internet of Things (IoT) community in homogeneity and connectivity, and this convergence will make the ICS domain an attractive target for attackers.
The contributions of this paper are:
- A security economics model that describes and predicts large-scale attacks against device populations, together with our empirical validation of the model against the ICS device population.
- The first longitudinal study of Internet-connected ICS devices, demonstrating that individual ICS devices can be tracked retrospectively over several years using publicly available scan data.
- An economic and usability explanation for the growth of the Internet-connected ICS population.
- A synthesis of the existing literature on ICS runtimes, Industry 4.0 and the Industrial Internet of Things (IIoT), with an analysis of how these changes affect cybercriminal interest in the domain.
III. Security economics model
To better understand the risk of large-scale exploitation of Internet-connected ICS devices, we look at the successful exploitation of other Internet-connected populations. Using the taxonomy of Anderson et al., we pair at least one case study with each large-scale criminal activity: ransomware, crypto-mining malware, DDoS-for-hire, spam, and destruction/sabotage. From these studies we develop a security economics model for assessing the risk of large-scale exploitation of Internet-connected devices.
Table 1: (●) denotes a fully satisfied enabling factor, (◐) a partially satisfied one, and (○) an unsatisfied one. Shaded columns represent new analysis of current Internet-connected populations and a predictive assessment of future populations based on current connectivity trends.
The Internet-connected ICS population is large, stable, slow to patch, and growing, which satisfies several enabling factors for large-scale cybercrime (Section III); however, the ICS:current column of Table 1, which compares Internet-connected ICS devices with other target populations, shows several missing enabling factors: homogeneity, predictable response, and supporting resources. The model predicts that these missing enabling factors will suppress cybercriminal interest in the ICS domain.
While the current situation keeps ICS devices from being targets of large-scale attacks, anticipated changes in the industry may overcome the enabling factors that ICS currently lacks (see the ICS:current column of Table 1).
IV. Problem analysis
We use our security economics model (Table 1) to answer two questions:
(1) Why is the current population of Internet-connected ICS devices not a target of large-scale cybercrime?
(2) Will the changing industrial landscape make attacks against future ICS device populations more likely?
Using the ICS:current and ICS:future columns of Table 1, we address these questions category by category, describing the enabling factors the ICS population currently lacks (Current situation) and explaining how the anticipated changes in the industrial landscape do or do not satisfy them (Outlook).
A. Vulnerable population
(1) Current situation
Although the Internet-connected ICS population is close to 100,000 devices, it is spread across dozens of vendors with a heterogeneous collection of proprietary hardware and software; even if an attacker develops working malware for a specific device family, the vulnerable population may comprise only a few thousand devices. Furthermore, many ICS devices are installed in a unique physical system, so the response to a given operation on an ICS device is hard to predict. This contrasts with many standalone IT and IoT assets, which have predictable and easily tested responses.
(2) Outlook
Manufacturers' increasing use of runtime systems, the concentration of IIoT hardware and software in a limited number of vendors, and the growing hardware and software resources available on these IIoT platforms together overcome the fragmentation and limited resources of the existing ICS population. Moreover, given the slow patch cadence of the Internet-connected ICS population, attackers can expect vulnerabilities discovered by the white-hat community to remain exploitable for a long time. Many IIoT devices (such as sensors) are more standalone than traditional ICS devices (such as PLCs), which makes device and system responses easier to predict.
B. Attacker incentives
(1) Current situation
Monetizing large-scale attacks against ICS devices is challenging for several reasons. First, many ICS devices have limited onboard resources, which makes them unattractive for crypto-mining. Second, ICS devices are unlikely to store the high-value data that typically supports ransomware campaigns, such as purchase orders, personal information, or financial records. Industrial organizations are generally well equipped to handle device failures without significant impact on operations, and an encrypted device can simply be treated as a failed device. While the potential financial gain from exploiting large numbers of ICS devices appears low, the cost of developing and deploying exploits appears high. Moreover, actually developing a workable ICS exploit has been shown to require considerable expertise and time. Finally, attackers risk prosecution. Overall, compared with IT and IoT assets, the high cost of exploit development, the uncertain returns, and the risk of prosecution make Internet-connected ICS devices unattractive.
(2) Outlook
The greater compute and memory resources on IIoT devices make them more attractive hosts for parasitic malware, creating a viable economic incentive. Furthermore, the availability of full operating systems and development boards for these devices simplifies malware development and testing. Likewise, these platforms make it easier to modify and test existing malware (such as Mirai), reducing uncertainty and lowering the cost of exploit development.
C. Attacker tools and resources
(1) Current situation
Wormable ICS malware has not yet been packaged for deployment by unskilled attackers. The experts who developed such proof-of-concept malware demonstrated that its development is feasible, but acknowledged that it is not yet practical. In contrast, existing off-the-shelf tools can be used to attack IT and IoT at scale. Moreover, numerous examples show that an adversary interested in large-scale attacks on industry does not need to attack ICS devices directly, because off-the-shelf malware targeting Windows infrastructure is sufficient to shut down industrial processes for extended periods.
(2) Outlook
Devices based on Linux or other widely used open-source operating systems give attackers greater opportunity to develop or reuse existing exploits, and the slow patching of Internet-connected ICS devices exacerbates this. The growing homogeneity and use of such operating systems simplifies the effort of developing or adapting attacks against ICS devices, satisfying the remaining enabling factors in the attacker tools and resources category of Table 1.
V. Conclusion
We tracked thousands of ICS devices over several years, showing that the population of ICS devices is growing, that device owners rarely install software updates, and that most devices are continuously connected. Despite these vulnerabilities, we find that the fragmentation of the ICS community, the high cost of developing and testing exploits, and the unpredictable profitability and consequences of attacking ICS make these devices unattractive targets for the cybercrime community, especially given the continued vulnerability of larger and more homogeneous IoT populations.
To explain this phenomenon, we introduce a security economics model that describes and predicts large-scale adversarial interest in Internet-connected populations. We developed the model by studying other successful large-scale attacks, and it provides a concise explanation of cybercriminals' apparent reluctance to attack ICS devices.
Although current ICS devices may not be attractive targets for large-scale attacks, we surveyed ongoing and anticipated changes in the industrial environment that will increase the number of connectable ICS devices and push industry towards more homogeneous hardware, software, and development environments, greater compute and memory resources, and common operating systems. Our model predicts that these changes will bring the ICS community in line with other target populations (such as IoT); we can therefore reasonably expect the cybercrime community to pay greater attention to ICS.