Three Cybersecurity Lessons We Can Learn (or Re-Learn) from the History of ICS Attacks


Written by: Matt Hubbard, Director, Market Intelligence, Armis.

From the time engineers started building industrial control systems (ICS), bad actors have looked for and found ways into them. While the motivations for ICS attacks are timeless—espionage, sabotage, ransom, and even revenge—ICS cyber security threats have evolved to adapt to new technologies and security practices.

The history of attacks is an interesting topic, especially as you wrestle with how to secure new technologies and stay ahead of threats. A document like the U.S. Department of Energy’s 2018 history of ICS attacks gives security, IT, and operational technology (OT) teams plenty of examples to study, with a timeline stretching from 1903 through the 21st century. I’ve picked out three incidents to show how industries have learned to deal with ICS cyber attacks over the decades and what we still need to keep in mind when securing ICS devices, data, and systems.

Lesson 1: Your ICS is only as secure as your most vulnerable third-party provider

In 2014, attackers repurposed Havex malware, a remote access trojan (RAT) that initially targeted the energy industry, to go after ICS manufacturers and their customers. The known targets included ICS software manufacturers and at least one industrial camera vendor.

In addition to sending RAT code through spam and exploit kits, the retooled Havex malware went a step further. It infected the software downloads that ICS/SCADA manufacturers made available to their customers “in an attempt to infect the computers where the software is installed.”

The security researchers who discovered the campaign noted that the content of the malicious code suggested that, beyond data theft and espionage, the attackers may have been planning remote ICS hardware takeovers. Although novel at the time, remote takeovers in which attackers tamper with critical infrastructure systems are now a rising concern.

ICS security lessons learned: Your ICS is only as secure as your least-secure vendor, so make security an ongoing part of every vendor relationship. Also, monitor device traffic continuously so that data exfiltration is detected and responded to quickly.

Lesson 2: Identify and monitor every device in your environment

One of the most extensive and damaging ICS attacks on record was the December 2015 shutdown of the electrical grid in and around Kyiv, Ukraine, that left more than 225,000 people without power. In a detailed analysis of the incident, Booz Allen Hamilton identified 17 steps the attackers took to infiltrate ICS systems, disrupt industrial processes, and destroy data.

Among those steps were:

  • Perimeter device scanning and identification as part of infrastructure reconnaissance
  • RAT malware delivery through phishing emails targeting Microsoft Office users at electricity distributors
  • RAT installation and execution to establish communication between attackers and target networks
  • Credential harvesting, internal network snooping, and new network target identification
  • ICS network control access
  • Malicious firmware creation
  • Electrical outage scheduling
  • Outage execution, including breaker tripping and cutoff of field device connections
  • Call center DoS attack and power cutoff to telephone communication and data servers
  • Destruction of critical system data

The Booz Allen Hamilton report, like many cybersecurity analyses, concluded that the grid attack was state-sponsored, most likely by Russia.

Today, state-sponsored cyberattacks are on the rise; attackers hit more than 20 U.S. targets in Q1 2020 alone, so the lessons of the Ukraine attack merit careful study.

ICS security lessons learned: Develop a clear, complete picture of your environment, including assets, networks, devices, and expected patterns of communication, so you can understand your risk profile. Continuous activity monitoring and threat detection are critical to spotting malicious internal activity early. Also, maintain and update segmentation and firewalls to limit the damage an intruder can do.
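As an added example (not the author's or Armis's code), the following Python script shows one way to turn an asset inventory and an expected-communication baseline into automated findings. It serves both the Lesson 1 point about spotting data exfiltration and the Lesson 2 point about knowing every device and every expected pattern of communication. The inventory, the baseline, the thresholds and the flow records are all constructed for illustration; a real baseline would come from engineering documentation or a learning period on live traffic.

```python
"""Asset inventory and communication-baseline check (added example).

The inventory, baseline and flow records below are constructed sample data,
not output from any real tool.  Flow records are dicts with src, dst,
dport and bytes_out.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset inventory: address -> (name, role)
INVENTORY = {
    "10.10.1.10": ("hmi-01", "hmi"),
    "10.10.1.20": ("eng-ws-01", "engineering"),
    "10.10.2.5": ("plc-05", "plc"),
    "10.10.2.6": ("plc-06", "plc"),
    "10.10.1.50": ("historian", "historian"),
}

# Expected communication baseline as (src_role, dst_role, dst_port) tuples.
BASELINE = {
    ("hmi", "plc", 502),          # Modbus/TCP polling from the HMI
    ("engineering", "plc", 502),  # engineering workstation to PLCs
    ("historian", "plc", 502),    # historian collecting process values
    ("hmi", "historian", 443),    # HMI pushing to the historian
}

OT_NETS = [ip_network("10.10.0.0/16")]   # constructed OT address range

# Cumulative bytes an OT device may send outside OT networks before we flag it
EXFIL_THRESHOLD_BYTES = 5_000_000


def is_internal(addr):
    """True if the address falls inside one of the OT networks."""
    ip = ip_address(addr)
    return any(ip in net for net in OT_NETS)


def analyze_flows(flows):
    """Return a list of (finding_kind, detail) tuples for the given flows.

    unknown-device  : an OT-range address that is not in INVENTORY
    unexpected-flow : an internal-to-internal flow outside BASELINE
    possible-exfil  : cumulative bytes from one OT device to external hosts
                      exceed EXFIL_THRESHOLD_BYTES
    """
    findings = []
    external_bytes = defaultdict(int)
    for f in flows:
        src, dst = f["src"], f["dst"]
        for addr in (src, dst):
            if is_internal(addr) and addr not in INVENTORY:
                findings.append(("unknown-device", addr))
        if is_internal(src) and is_internal(dst):
            src_role = INVENTORY.get(src, (None, "unknown"))[1]
            dst_role = INVENTORY.get(dst, (None, "unknown"))[1]
            if (src_role, dst_role, f["dport"]) not in BASELINE:
                findings.append(("unexpected-flow", f"{src}->{dst}:{f['dport']}"))
        elif is_internal(src) and not is_internal(dst):
            external_bytes[src] += f["bytes_out"]
    for src, total in external_bytes.items():
        if total > EXFIL_THRESHOLD_BYTES:
            findings.append(("possible-exfil", f"{src} sent {total} bytes externally"))
    return findings


# Constructed sample flows; 203.0.113.7 is a documentation-range address
SAMPLE_FLOWS = [
    {"src": "10.10.1.10", "dst": "10.10.2.5", "dport": 502, "bytes_out": 1200},
    {"src": "10.10.1.20", "dst": "10.10.2.6", "dport": 502, "bytes_out": 900},
    # inventoried engineering workstation talking to a PLC on an unexpected port
    {"src": "10.10.1.20", "dst": "10.10.2.5", "dport": 44818, "bytes_out": 300},
    # a device nobody inventoried polling a PLC
    {"src": "10.10.3.99", "dst": "10.10.2.5", "dport": 502, "bytes_out": 500},
    # historian pushing a large volume to an external address in two flows
    {"src": "10.10.1.50", "dst": "203.0.113.7", "dport": 443, "bytes_out": 4_000_000},
    {"src": "10.10.1.50", "dst": "203.0.113.7", "dport": 443, "bytes_out": 2_000_000},
]

if __name__ == "__main__":
    for kind, detail in analyze_flows(SAMPLE_FLOWS):
        print(f"{kind}: {detail}")
```

The unknown device is reported twice on purpose: once for being absent from the inventory and once because a flow from an unknown role can never match the baseline. Either finding on its own is a reason to investigate, and an inventory that is kept complete makes the first kind disappear.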

Lesson 3: Real-time patches, updates, and alerts are table stakes for ICS cybersecurity

When a wave of SamSam ransomware attacks swept across the U.S. in 2018, the media focused on the cities whose data and services were disrupted. But these attacks also targeted critical infrastructure, including the Port of San Diego, in a foreshadowing of the ongoing attacks on shipping and port organizations in 2021.

SamSam, like the Ukraine attack, appears to have been state-sponsored with the goal of disrupting critical operations. CISA described the mode of attack as remote desktop protocol (RDP) exploitation, using stolen credentials or brute-force attacks, to enter and persist in target networks, followed by privilege escalation and malware execution. The attackers used relatively simple means, such as attachments in phishing emails, to “infect victims with minimal detection.”

ICS security lessons learned: Deploy OS and application patches and updates for all devices in the environment as close to real time as is practical, especially for RDP systems and virtual machines. Endpoint identification, assessment, and monitoring are also critical, and automation can help. Also, as with the grid-attack example above, real-time monitoring of environment activity and alerting must be a priority.
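The RDP entry path CISA describes above is exactly the kind of activity the lesson's monitoring and alerting advice is meant to catch early. As an added example (not the author's or Armis's code), the following Python snippet flags a burst of failed RDP logons from a single source and any later successful RDP logon from that same source. The event lines, field names and thresholds are constructed for the example; they only loosely mirror Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), and real events would be read from the Security log rather than a string.

```python
"""RDP brute-force and success-after-burst detection (added example).

The log lines are a constructed simplification of Windows Security events
4625 and 4624 with logon type 10 (RDP).  They are not real log output and
are assumed to be in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime

FAIL_THRESHOLD = 5      # this many failures from one source ...
WINDOW_SECONDS = 120    # ... within this many seconds triggers an alert


def parse_event(line):
    """Parse '<iso-time> <event-id> Key=Value ...' into a dict."""
    ts, event_id, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(fields["LogonType"]),
        "src": fields["Src"],
        "user": fields["User"],
    }


def detect_rdp_bruteforce(lines):
    """Return alerts as (kind, source, iso-time) tuples.

    rdp-bruteforce      : FAIL_THRESHOLD failed RDP logons within WINDOW_SECONDS
    success-after-burst : a successful RDP logon from a source already flagged,
                          the pattern seen when guessed or stolen credentials work
    """
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["logon_type"] != 10:    # only RemoteInteractive (RDP) logons
            continue
        src, t = ev["src"], ev["time"]
        if ev["event_id"] == 4625:
            q = recent[src]
            q.append(t)
            # drop failures that fell out of the sliding window
            while (t - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp-bruteforce", src, t.isoformat()))
        elif ev["event_id"] == 4624 and src in flagged:
            alerts.append(("success-after-burst", src, t.isoformat()))
    return alerts


# Constructed sample events; 198.51.100.9 is a documentation-range address
SAMPLE_LOG = """\
2018-03-22T10:00:01 4625 LogonType=10 Src=198.51.100.9 User=admin
2018-03-22T10:00:07 4625 LogonType=10 Src=198.51.100.9 User=administrator
2018-03-22T10:00:12 4625 LogonType=10 Src=198.51.100.9 User=scada
2018-03-22T10:00:20 4625 LogonType=3 Src=10.10.1.20 User=operator
2018-03-22T10:00:25 4625 LogonType=10 Src=198.51.100.9 User=operator
2018-03-22T10:00:31 4625 LogonType=10 Src=198.51.100.9 User=backup
2018-03-22T10:01:10 4624 LogonType=10 Src=198.51.100.9 User=backup
2018-03-22T10:30:00 4625 LogonType=10 Src=10.10.1.20 User=operator
2018-03-22T10:30:05 4624 LogonType=10 Src=10.10.1.20 User=operator
""".splitlines()

if __name__ == "__main__":
    for kind, src, when in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"{when} {kind} from {src}")
```

The internal workstation that fails once and then succeeds produces no alert, which is the point of the sliding window: a single mistyped password is normal, five failures in two minutes followed by a success is not. The success-after-burst alert is the one to escalate first, since it indicates the credentials worked.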

Choose an ICS security solution that's built to pass the tests of time

Every year, ICS cybersecurity threats grow increasingly sophisticated. Be prepared for whatever new attack methods evolve with a comprehensive device security solution that identifies every device in your environment, including vendor and remote devices; monitors those devices for vulnerabilities and risks; alerts your team to threats; and automates and streamlines integrated device management.

For more information on Armis please visit