Abstract
Cyber attacks against Industrial Control Systems are one of the major concerns for worldwide manufacturing companies. With the growth of emerging technologies, protecting large-scale Critical Infrastructures has become a considerable research topic in the past decade. Nowadays, software used to monitor Industrial Control Systems might be malicious and cause harm not only to physical processes but also to people working in industrial environments. To that end, integrating safety and security in Industrial Control Systems requires a well-developed understanding of malware-based cyber attacks.
In this paper, we present a comparative analysis framework for ICS malware built on a bi-layered approach: a cyber threat intelligence layer based on the ICS cyber kill chain, and a hybrid analysis layer based on static and dynamic analysis of ICS malware. We evaluated the proposed method by experimenting with five well-known ICS malware families: Stuxnet, Havex, BlackEnergy2, CrashOverride, and TRISIS. Our comparative analysis results show both the similarities and the differences in the strategies each ICS malware uses to disrupt the ICS environment.
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Mekdad, Y., Bernieri, G., Conti, M., El Fergougui, A. (2022). The Rise of ICS Malware: A Comparative Analysis. In: Katsikas, S., et al. Computer Security. ESORICS 2021 International Workshops. ESORICS 2021. Lecture Notes in Computer Science(), vol 13106. Springer, Cham. https://doi.org/10.1007/978-3-030-95484-0_29
DOI: https://doi.org/10.1007/978-3-030-95484-0_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-95483-3
Online ISBN: 978-3-030-95484-0
eBook Packages: Computer Science; Computer Science (R0)