While the number of threats to operational technology (OT) have significantly increased since the discovery of Stuxnet – driven by factors such as the growing convergence with information technology (IT) networks and the increasing availability of OT information, technology, software, and reference materials – we have observed only a small number of real-world OT-focused attacks. The limited sample size of well-documented OT attacks and lack of analysis from a macro level perspective represents a challenge for defenders and security leaders trying to make informed security decisions and risk assessments.
To help address this problem, FireEye Intelligence developed the OT Cyber Security Incident Ontology (OT-CSIO) to aid with communication with executives, and provide guidance for assessing risks. We highlight that the OT-CSIO focuses on high-level analysis and is not meant to provide in-depth insights into the nuances of each incident.
Our methodology evaluates four categories, which are targeting, impact, sophistication, and affected equipment architecture based on the Purdue Model (Table 7). Unlike other methodologies, such as MITRE's ATT&CK Matrix, FireEye Intelligence's OT-CSIO evaluates only the full aggregated attack lifecycle and the ultimate impacts. It does not describe the tactics, techniques, and procedures (TTPs) implemented at each step of the incident. Table 1 describes the four categories. Detailed information about each class is provided in Appendix 1.
Table 1: Categories for FireEye Intelligence's OT-CSIO
In Table 2 we list nine real-world incidents impacting OT systems categorized according to our ontology. We highlight that the ontology only reflects the ultimate impact of an incident, and it does not account for every step throughout the attack lifecycle. As a note, we cite public sources where possible, but reporting on some incidents is available to FireEye Threat Intelligence customers only.
Incident | Target | Sophistication | Impact | Impacted Equipment |
(2000) | ICS-targeted | Medium | Disruption | Zone 3 |
(2011) | ICS-targeted |
High | Destruction | Zones 1-2 |
(2012) | ICS-targeted |
Low | Destruction | Zone 4-5 |
(2015) | ICS-targeted | Medium | Disruption, Destruction | Zone 2 |
(2016) | ICS-targeted | High | Disruption | Zones 0-3 |
(2017) | Non-targeted | Low | Disruption | Zone 2-3 |
TEMP.Isotope Reconnaissance Campaign (2017) | ICS-targeted | Low | Data Theft | Zones 2-4 |
(2017) | ICS-targeted | High | Disruption (likely building destructive capability) | Zone Safety, 1-5 |
Cryptomining Malware on European Water Utility (2018) | Non-targeted | Low | Degradation | Zone 2/3 |
Financially Motivated Threat Actor Accesses HMI While Searching for POS Systems (2019) | Non-targeted | Low | Compromise | Zone 2/3 |
Portable Executable File Infecting Malware Impacting Windows-based OT assets (2019) | Non-targeted | Low | Degradation | Zone 2-3 |
Table 2: Categorized samples using the OT-CSIO
Risk management for OT cyber security is currently a big challenge given the difficulty of assessing and communicating the implications of high-impact, low-frequency events. Additionally, multiple risk assessment methodologies rely on background information to determine case scenarios. However, the quality of this type of analysis depends on the background information that is applied to develop the models or identify attack vectors. Taking this into consideration, the following matrix provides a baseline of incidents that can be used to learn about past cases and facilitate strategic analysis about future case scenarios for attacks that remain unseen, but feasible.
Table 3: The FireEye OT-CSIO Matrix
As Table 3 illustrates, we have only identified examples for a limited set of OT cyber security incident types. Additionally, some cases are very unlikely to occur. For example, medium- and high-sophistication non-targeted incidents remain unseen, even if feasible. Similarly, medium- and high-sophistication data compromises on OT may remain undetected. While this type of activity may be common, data compromises are often just a component of the attack lifecycle, rather than an end goal.
The OT-CSIO Matrix presents multiple benefits for the assessment of OT threats from a macro level perspective given that it categorizes different types of incidents and invites further analysis on cases that have not yet been documented but may still represent a risk to organizations. We provide some examples on how to use this ontology:
FireEye Intelligence's OT-CSIO seeks to compile complex incidents into practical diagrams that facilitate communication and analysis. Categorizing these events is useful for visualizing the full threat landscape, gaining knowledge about previously documented incidents, and considering alternative scenarios that have not yet been seen in the wild. Given that the field of OT cyber security is still developing, and the number of well-documented incidents is still low, categorization represents an opportunity to grasp tendencies and ultimately identify security gaps.
Target
This category comprises cyber incidents that target industrial control systems (ICS) and non-targeted incidents that collaterally or coincidentally impact ICS, such as ransomware.
Table 4: Target category
Sophistication
Sophistication refers to the technical and operational sophistication of attacks. There are three levels of sophistication, which are determined by the analyst based on the following criteria.
Table 5: Sophistication category
Impact
The ontology reflects impact on the process or systems, not the resulting environmental impacts. There are five classes in this category, including data compromise, data theft, degradation, disruption, and destruction.
Table 6: Impact category
Impacted Equipment
This category is divided based on FireEye Intelligence's adaptation of the Purdue Model. For the purpose of this ontology, we add an additional zone for safety systems.
Table 7: Impacted equipment
Click to Open Code Editor