Employing CIARA Attack Vector Simulations to Measure the Risk of the Cyber Av3ngers Attack on Unitronics PLCs in Pennsylvania

Overview

An Iranian group, Cyber Av3ngers, hacked into Water Authority infrastructure in Aliquippa, a town 18 miles northwest of Pittsburgh. The group took partial control of a system that regulates water pressure and could have caused damage to the water supply. Fortunately, the affected water pressure system, which uses Unitronics computing devices, was quickly disabled after an alarm notified workers of the threat. Damage was averted.

The attack group was able to determine that the Unitronic PLCs were connected to the Internet over Port 20256. Using a Brute Force attack (T1110), they were able to compromise the PLCs.

We used our CIARA Risk Assessment Platform to measure the risk involved in this attack. We then applied mitigation measures to see how effective they were, again, as measured by CIARA. 

Radiflow CIARA Risk Assessment Platform

CIARA is a highly accurate and efficient OT/ICS risk assessment platform. It continuously ingests data from threat intelligence and CVE databases as it monitors asset and network changes in the production system.

Radiflow CIARA’s Virtual Breach & Attack Simulation (VBAS) engine makes use of Machine Learning and other AI techniques to help it simulate hundreds of commonly-used security controls against relevant known threats, factored against common OT risk scenarios such as loss of availability, loss of control, damage to property, etc. We employed VBAS to quantify and compare the risk involved in this attack before and after taking specific mitigation measures.

CIARA Simulation: Before Mitigation

We used the CIARA VBAS to help us determine the risk levels of the actual attack.

For the purpose of this study, we constructed a network with a Unitronics PLC that is accessible through the internet over Port 20256 (just like the actual attack vector) and launched an attack simulating the behavior of Cyber Av3ngers. 

Figure 1: CIARA inventory showing the source device (internet Server) and Unitronics PLC

The simulation settings included the Internet server as the source asset, the Unitronics PLC as the target, and the Simulated APT we called ‘Cyber Avengers’ (AKA Cyber Av3ngers). 

CIARA determined the overall site risk score to be 75% and the score of the specific attack to be 83%.  The overall score of 75% represents the success rate of cyber-attacks of accumulated APTs techniques and tactics. The specific attack score rate of 83% represents the success rate of the Cyber Av3ngers attack. 

In addition to scores, the CIARA dashboard also provided us with the most impactful techniques used, most-related assets, and CVEs (see Figure 2).

Figure 2: Simulation results dashboard

In the details of the attack simulation, we can view the possible routes and techniques that were identified by CIARA as potential threats. We can see that CIARA identified the following techniques on the link between the server and PLC, all colored red to denote “unmitigated”.

• T0812 Default credentials
• T1078 Valid accounts
• T1110 Brute force

Figure 3: Attack simulation details

CIARA Simulation: After Mitigation

Next, we proceeded to learn how CIARA would measure mitigations against this attack. 

The CIARA risk assessment engine employs IEC 62443 security requirements. Applying ML algorithms and AI capabilities in its risk calculations and breach attack simulations, CIARA allows users to assess threat exposure and the effectiveness of a security requirement to mitigate an attack technique.

After mitigating some of the risks and informing CIARA of available countermeasures in the ‘Water Pressure Management’ zone where the PLC resides, we had CIARA VBAS perform a second simulation.

The controls implemented on the ‘Water Pressure Management’ zone (based on IEC 62443) were mainly in:

• FR 1 – Authentication Control 
• FR 7 – Resource Availability 

After implementing the mitigations, CIARA revealed that the overall risk score was reduced to 67% and the attack vector score fell to 41%.  

Figure 4: simulation results dashboard with mitigations

Diving deeper into the attack simulation detailed view, we can see that the risk score of each of the routes was reduced and the techniques that may be used are now colored green, indicating that they are now sufficiently mitigated.

Figure 5: Attack simulation detail after implementing mitigations

Conclusion

CIARA is a powerful risk assessment platform that automatically stays up to date with relevant changes in the industrial environment. Companies can employ CIARA to accurately determine current risk levels and to measure the effects of actual and proposed mitigations relative to compliance standards and industry best practices.