Understanding Worm-Like Malware's Network Propagation to Control Networks presented at ICSCyberSecurityConference 2020

by Yihao Lim

Summary: Since the convergence of information technology (IT) and operational technology (OT), OT networks have been affected by a small albeit growing number of indiscriminate, self-propagating malware, or worms, originating from the IT or corporate network. These worms can be catastrophic to OT environments, as many of them have been coupled with disruptive or destructive components that can impair industrial operations.

While IT networks have relatively strong cyber security controls and detection capabilities, OT networks are comparably less mature and are expected to remain so for the near- to mid-term future. Despite advances in OT-specific cyber security solutions, worm-like malware could easily spread to multiple hosts within an OT network upon initial infection. To limit the risk of worm-like malware reaching OT networks, defenders should be familiar with the major network propagation methods worms have leveraged for vertical or lateral movement between networks or security zones, and should prioritize defenses at the relevant choke points.

IT and OT networks are typically segmented via a firewall or demilitarized zone (DMZ), but effective segmentation also separates authentication domains and prevents trust relationships between them. Vertical movement can be considered the subset of propagation methods, within the broader category of lateral movement, that exploit weaknesses in this architecture.

To analyze the methods, we selected a sample of six worms known or suggested to have propagated into OT networks. In practice, it is very difficult for outside entities to know whether malware spread laterally (i.e., horizontally) or vertically without knowing the network's structure and internal threat vectors.