Social Engineering: A Threat to Operational Technology?

Picture this: it’s a chilly Friday afternoon in February. Somewhere in Indiana, a Principal ICS Systems Integrator is already frustrated with the late kickoff of a site acceptance test (SAT) stemming from delays at the factory. Let’s call him Tony. Tony got a $4 million procurement approved last year for a new distributed control system. The SAT started January 1, and he’s been waiting all week for an update from the vendor on rack room specs for a cabinet installation.

Tony’s phone rings around 3:00pm. “Finally,” he thinks to himself. He’s greeted by a confident woman who says she’s with the DCS vendor’s software engineering team. She introduces herself as Jennifer. There’s a dog barking in the background. Tony is disarmed. As an award-winning dog show enthusiast, he can’t help but ask what kind Jen has. “Oh, we just got a Brittany puppy! Thank God I have a hybrid schedule, potty training is going great!”

Where automation technologies and digital information technologies inadvertently expose cyber-physical processes to cyber risk, social engineering can alter the outcome of an attempt to impact control systems and industrial processes.

The Set Up

Tony eats the bait. “That’s a great breed! Is he or she a show dog? I do dog shows all over the country in my free time!” The dog Tony thought he heard wasn’t with Jen, of course, just your run-of-the-mill YouTube dog show video. “We have been to a few shows, but haven’t decided yet,” she replies.

Jen pivots. She says she’s calling to follow up on an email she’s just sent, and that John Richards (Field Service Engineer on the project) mentioned she could reach Tony at this number. Tony checks and confirms that he’s received the message. Jen explains that she’s working on a software issue affecting version 22, which is the version they have on record for Tony’s company’s SAT of the new DCS. She informs Tony that they’ve just completed a firmware update and sent the details in that email. Tony just has to follow the prompts in the email link for details on the update and how to install it with the software package his Lauer HMI came with.

Of course, the link is a malicious one, spoofing the manufacturer’s website and infecting Tony’s computer and network. If he does go through the update process, the code provided will corrupt his OPC Server. He had tweeted about the SAT, and a job posting for the company detailed the DCS vendor specs. His Facebook account is plastered with dog show photos, and his phone number is publicly available on LinkedIn.

The Impact

While nobody is calling to ask if your process is running only to tell you that you ought to go check on it, motivated criminals are always circumventing security controls to test their limits. The recent cybersecurity incident that unfolded at the MGM Casino in Las Vegas, Nevada as a result of a tailored attack and a very simple phone call demonstrates a potentially catastrophic scenario. The scenario above may seem unlikely, but it’s nowhere near impossible.

According to Dark Reading, “reports say that hackers found enough of an MGM's employee's data on LinkedIn to arm themselves with the right knowledge to call the help desk and impersonate the employee, convincing MGM's IT help desk to obtain that employee's sign-in credentials.” Even though the risks of installing new systems without proper cybersecurity design and testing are not new, in combination with advancing social engineering techniques, they could be catastrophic.

SMS phishing, fake phone calls, impersonations and video phishing are increasingly sophisticated tactics deployed in well-thought-out, multistep attacks targeting organizations. While reconnaissance of targets for social engineering attacks may take months, a malware payload and spoofed assets may be developed simultaneously, culminating in a direct hit to the target organization in a matter of minutes.

Artificial intelligence is exacerbating this risk, which ICS owners and operators are only beginning to analyze and measure. As Axios has reported, AI is deployed in social engineering to access and analyze dark web data, write emails, and copy and spoof voices for phone calls. They reported that between November 2021 and October 2022, 74% of data breaches involved a “human element via error, privilege misuse, social engineering or use of stolen credentials.”

What Happens Next

Industrial process operators, technicians, and engineers may assume that their companies and processes are not subject to the same social engineering attacks that are associated with big data platforms like social media, for example. As demonstrated in the scenario above, we see groups relying on “publicly available tools and legitimate software in combination with malware available for purchase on underground forums.” Mandiant has detailed specific TTPs associated with groups like UNC3944 related to combined social engineering efforts and additional cyberattack tactics.

While social engineering and more common attack techniques continue to overlap, this trend is also occurring at a time when targeting business operations that tolerate little-to-no downtime, or those with just-in-time manufacturing business models, has proven to be lucrative. Ransomware and similar disruptive attacks have impacted dozens of successful businesses this year, including manufacturing, retail, healthcare, food and beverage, pharmaceutical, energy and water.

Consistent advice for would-be victims of social engineering typically includes awareness of email contacts, offers, and links; multifactor authentication; watching for tempting or urgent offers; and updating antivirus and intrusion detection software. But beyond these basics, risk management professionals, chief information security officers, and operations and maintenance leaders all need to review processes to identify weak components in their overall security posture, plans, and policy.

Where traditional defenses and segmentation practices might be subverted by social engineering tactics, additional checks and balances can make the difference between a successful attack and a thwarted attempt. These include training employees on the social engineering lifecycle and on when and how to report suspicious activity, and enforcing change management and approval processes. Most importantly, plant, factory, and process floor employees need to be made aware that their information is just as enticing to a potential adversary as any intellectual property or sensitive business information.

Acknowledgements to Stephanie Carruthers for her contributions to the storyline, social engineering expertise, and commitment to the industry.