How Attackers Target OT: From Process Understanding to SCIL Scripts

Seemant Bisht
4 min read · Feb 5, 2024


Ctrl+Alt+Disrupt: Power Edition

Disclaimer: The opinions stated here are my own, not the views of my employer.

OT security isn’t just about firewalls and patches. The most dangerous threats come from attackers who understand how things work — the flow of electricity, the control of machinery. In this blog, we are going to consider a real-world attack documented by Mandiant — Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology — to understand how process knowledge becomes a weapon in the hands of adversaries. If you haven’t read that report, I highly recommend it to everyone (defenders, penetration testers, red teamers, etc.).

Who is Sandworm? A state-sponsored Russian hacking group known for sophisticated cyberattacks, including those targeting critical infrastructure.

Attacker’s Process Comprehension

To successfully manipulate the victim’s OT environment, the attacker needs deep knowledge in the following areas:

1. Substation Operations:

  • Equipment Hierarchy: Understanding the types of substation equipment (circuit breakers, transformers, etc.), their roles, and how they’re interconnected.
  • Control Logic: How the substation is monitored and controlled. What commands or sequences of commands would cause a breaker to open?
  • Communication Protocols: The specific protocols used (IEC 60870-5-101 or IEC 60870-5-104) and their command structures.

2. MicroSCADA System:

  • Architecture: The layout of the MicroSCADA system, including the management interface, RTUs, and communication paths.
  • Vulnerabilities: Exploitable weaknesses in the EOL MicroSCADA version, particularly how the SCIL-API could be leveraged.
  • SCIL Language: The syntax and capabilities of the SCIL programming language for executing commands within the MicroSCADA environment.

The table below outlines the key elements an attacker would need to understand and manipulate in order to execute a SCIL-based attack on a substation. It breaks down the process variables, SCIL commands, and parameters involved, while highlighting the attacker’s mindset of translating process knowledge into disruptive code.

Understanding Attacker’s Mindset

Prerequisites for SCIL Script Development

Assuming the attacker has already gained access to the OT network and the MicroSCADA management interface, here’s what they’d need to write a malicious SCIL script:

1. Process Knowledge: The attacker must translate their understanding of substation operations into specific SCIL commands. Example: If the attacker wants to open a circuit breaker, they need to identify the correct SCIL command (or sequence) that sends the “open” signal to the relevant RTU.

2. SCIL Language Expertise:

  • Syntax Proficiency: Familiarity with SCIL’s command structure, variables, and expressions.
  • API Understanding: Know how to interact with the SCIL-API to call the functions required for manipulating the substation equipment.

3. Development & Test Environment (Ideally):

MicroSCADA Instance: A separate, isolated MicroSCADA setup (non-production) mirroring the victim’s environment for developing and testing the script. Caution: Live testing against a production substation would be incredibly reckless and dangerous.

Developing the Script

The script itself would likely involve:

  • Device Identification: Determining the correct addresses or identifiers of the specific substation devices to be targeted.
  • SCIL Command(s): The core instruction to open circuit breakers, formatted according to the SCIL language and relevant protocol.
  • Execution Trigger: How the script will be executed (by scilc.exe in this case). It would need to interact with the SCIL-API to issue the commands.
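Because the execution trigger is a host process (scilc.exe), a defender can baseline how that process is normally launched and alert on deviations. The following is an added, defender-side example written for this post; it is not code from the original article, from Mandiant, or from MicroSCADA. The log format, host and user names, file paths, the "script is the last token" convention and the baseline values are all constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed baseline for a hypothetical MicroSCADA host: the directory where
# approved SCIL scripts live and the parent process that normally runs scilc.exe.
EXPECTED_SCRIPT_DIR = r"c:\scada_app\scil"
EXPECTED_PARENTS = {r"c:\scada_app\bin\scheduler.exe"}

# Constructed process-creation records (key=value form, not a real log format).
SAMPLE_LOG = r"""
ts=2024-02-05T01:10:02Z host=SCADA-SRV1 user=OTDOMAIN\operator parent=C:\SCADA_APP\bin\scheduler.exe image=C:\SCADA_APP\bin\scilc.exe cmdline="scilc.exe C:\SCADA_APP\SCIL\morning.txt"
ts=2024-02-05T01:11:30Z host=SCADA-SRV1 user=OTDOMAIN\operator parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"
ts=2024-02-05T01:12:44Z host=SCADA-SRV1 user=OTDOMAIN\svc_backup parent=C:\Windows\System32\cmd.exe image=C:\SCADA_APP\bin\scilc.exe cmdline="scilc.exe C:\Users\Public\job.txt"
"""
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    """Parse one record into a dict; quoted values keep their inner text."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}

def script_path(cmdline: str) -> str:
    """Constructed convention: the SCIL script is the last command-line token."""
    parts = cmdline.split()
    return parts[-1] if len(parts) > 1 else ""

def findings(event: Dict[str, str]) -> List[str]:
    """Return the reasons a scilc.exe start deviates from the baseline."""
    if not event.get("image", "").lower().endswith("\\scilc.exe"):
        return []  # only the SCIL execution trigger is of interest here
    reasons = []
    parent = event.get("parent", "").lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process: {parent}")
    script = script_path(event.get("cmdline", "")).lower()
    if not script.startswith(EXPECTED_SCRIPT_DIR + "\\"):
        reasons.append(f"script outside approved directory: {script}")
    return reasons

def scan(log: str) -> List[Dict[str, str]]:
    """Run the rule over every non-empty line and collect alerts."""
    alerts = []
    for line in log.splitlines():
        if line.strip():
            ev = parse_event(line)
            reasons = findings(ev)
            if reasons:
                alerts.append({"ts": ev["ts"], "user": ev["user"],
                               "reasons": "; ".join(reasons)})
    return alerts
```

Only the third record is flagged: the scheduled morning run matches the baseline, while the cmd.exe-launched run reading a script from a user-writable folder trips both checks.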

Important Considerations

  • Attacker Goals: The script’s complexity depends on the desired impact. Causing a simple outage might be a few SCIL lines, while coordinated disruption across multiple substations would require more intricate logic.
  • Evasion: An attacker might obfuscate the script to hinder detection and analysis.

Attack Script Complexity

The sophistication of the SCIL script depends on several factors:

  • Single vs. Coordinated: Targeting a single breaker is relatively simple, while a coordinated attack across multiple substations requires more complex logic and timing within the script.
  • Cascading Effects: The attacker might need to consider the downstream impact of opening certain breakers. The script could include conditional statements or adjustments for other equipment based on the substation’s configuration.
  • Time-Based Logic: If the attack aims to coincide with other events (like the missile strikes), the SCIL script might include timers or triggers based on external events.

The Challenge of ‘Real’ SCIL

It’s important to keep in mind that the provided examples are highly simplified. Real SCIL code likely involves:

  • Variable Declarations: Defining variables to store sensor readings, breaker states, etc.
  • Data Manipulation: Potentially some calculations or conversions if values need to be adjusted before commands are sent.
  • Loops & Conditionals: Complex logic for decision-making or repetitive actions.
  • Error Handling: Possibly incorporating safety checks or error handling to prevent unintended consequences.

Key Takeaways

  1. Deep Specialization: Executing this attack requires a combination of OT process knowledge, SCIL programming skills, and an understanding of substation control protocols.
  2. Threat to Other Systems: While this attack targeted MicroSCADA, attackers could adapt similar techniques to other SCADA systems with command-based control interfaces.
  3. Defense Requires Matching Expertise: Defenders need to match the attacker’s understanding of these systems, protocols, and languages to effectively monitor and detect anomalies.

References

  1. https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology
  2. https://ssg.lancs.ac.uk/wp-content/uploads/ben-on-the-significance.pdf
  3. https://datacloud.fun/Data/ABB/MicroSCADA/SYS600_Programming%20Language%20SCIL.pdf
