Feature Spotlight: Process Values
By Shlomit Alon | January 11, 2021
The temperature requirements for Pfizer’s newly released COVID-19 vaccine have, understandably, garnered significant public attention. The reason is that the vaccine must be kept extremely cold during its various manufacturing, storage, and distribution processes in order to preserve its efficacy. In the event that a temperature controller involved in any of these processes were to be compromised or otherwise malfunction, the impact could be detrimental for obvious reasons.
This example underscores the importance of closely monitoring the availability and integrity of critical industrial processes such as temperature control, among many others. At Claroty, we help our customers do this by giving them visibility into the value readings — including temperature, pressure, composition, velocity, and flow rate, to name a few — on the controllers, PLCs, RTUs, and field devices that underpin these types of processes. This feature, which is part of our Continuous Threat Detection (CTD) solution, is called Process Values.
At its core, Process Values is an investigation tool designed primarily for security operations center (SOC) analysts, OT engineers, and others responsible for detecting and/or repairing problems with the devices located at Purdue Model levels 0 and 1 of an industrial network. The tool enables users to track these devices’ real value readings and associated behaviors, as well as gain clear insight into whether those values and behaviors are normal.
Image 1: This diagram shows the standard architecture of an industrial network configured according to the Purdue Model. Claroty’s Process Values provides visibility into the value readings and behaviors of devices at levels 0 and 1.
This means users can easily pinpoint not only when a value on a device deviates from its standard range — but also when, for instance, a value is written to a device that typically does not execute write operations. Such values and behaviors can be early indicators of malicious activity or artifacts of recent attacks, so having immediate access to them is crucial.
Process Values provides this access by recording and storing all values and behaviors in real-time within Claroty CTD where users can leverage them to help detect, investigate, and remediate incidents. Here’s a hypothetical example to demonstrate how it works:
An attacker gains unauthorized remote access to a pharmaceutical manufacturing plant’s industrial network and connects a new device to that network. The device enables the attacker to take control of a human machine interface (HMI) connected to several of the plant’s temperature controllers. Each controller regulates the temperature of one batch of a vaccine until it is packaged. If a batch’s temperature falls below or exceeds a certain range before it is packaged, it will be rendered ineffective.
Seeking to sabotage as many batches of this vaccine as possible, the attacker sends a write command from the HMI to the first controller to write a much lower — and likely damaging — value to the controller, which then begins reducing the temperature toward this value and thus toward the compromise of this batch.
Meanwhile, the pharmaceutical company’s SOC analysts and OT engineers are already aware of, and actively investigating and responding to, the ongoing attack. When the attacker connected the new device to the network and used it to send a write operation from the HMI to the temperature controller, Claroty CTD raised an alert. The alert showed the attacker’s newly connected device, as well as a policy violation indicating that a critical write operation had been performed on the controller.
Image 2: Portion of a CTD alert showing that a new device was detected on the network.
Image 3: Root Cause Analysis portion of the alert showing the new device detected, as well as the HMI with which it was communicating.
Image 4: Asset communication portion of the alert showing the attacker-controlled HMI sending a write command to the temperature controller.
As part of their alert investigation, the SOC analysts zero in on the temperature controller identified in the alert. Using Process Values, they determine that the controller’s value had been changed from its normal range of 0-3°C to a dangerous -121°C via a write operation shortly after the alert was triggered.
Image 5: Process Values view within CTD showing the standard values of the compromised temperature controller compared to the most recent value, which was written to the controller by the attacker.
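The two conditions the post describes, a process value leaving its learned range and a write operation on a device that normally only sees reads, can be expressed as a small baseline-and-detect routine. The following is an added illustration written for this article, not Claroty CTD code or its data model; the observation records, device names (TC-1, TC-2, TC-3, HMI-1, ENG-WS) and timestamps are constructed, and the values 0-3°C and -121°C mirror the post’s hypothetical scenario.

```python
"""Toy baseline-and-detect logic for process values (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Observation:
    ts: int        # seconds into the capture (constructed)
    src: str       # asset that issued the operation, e.g. an HMI
    device: str    # controller whose process value is involved
    op: str        # "read" or "write"
    value: float   # process value carried by the message, here degrees Celsius


@dataclass
class Baseline:
    lo: float            # lowest value seen during learning
    hi: float            # highest value seen during learning
    writes_seen: bool    # did any write reach this device during learning?


def learn_baseline(history: List[Observation]) -> Dict[str, Baseline]:
    """Learn, per device, the observed value range and whether writes occur."""
    baselines: Dict[str, Baseline] = {}
    for o in history:
        b = baselines.get(o.device)
        if b is None:
            baselines[o.device] = Baseline(o.value, o.value, o.op == "write")
        else:
            b.lo = min(b.lo, o.value)
            b.hi = max(b.hi, o.value)
            b.writes_seen = b.writes_seen or o.op == "write"
    return baselines


def detect(stream: List[Observation], baselines: Dict[str, Baseline],
           margin: float = 0.0) -> List[Tuple[int, str, str]]:
    """Return (timestamp, device, reason) for each observation worth an alert."""
    findings: List[Tuple[int, str, str]] = []
    for o in stream:
        b = baselines.get(o.device)
        if b is None:
            # A device with no baseline is itself notable (new asset on the network).
            findings.append((o.ts, o.device,
                             f"no baseline for device (first seen from {o.src})"))
            continue
        if o.op == "write" and not b.writes_seen:
            findings.append((o.ts, o.device,
                             f"write from {o.src} to a device with no writes in baseline"))
        if o.value < b.lo - margin or o.value > b.hi + margin:
            findings.append((o.ts, o.device,
                             f"value {o.value} outside learned range [{b.lo}, {b.hi}]"))
    return findings


# Constructed learning-period traffic: TC-1 is only ever read and stays at 0-3 C;
# TC-2 is written to routinely, so writes are normal for it.
BASELINE_TRAFFIC = [
    Observation(0, "HMI-1", "TC-1", "read", 0.5),
    Observation(60, "HMI-1", "TC-1", "read", 2.8),
    Observation(120, "HMI-1", "TC-1", "read", 0.0),
    Observation(180, "HMI-1", "TC-1", "read", 3.0),
    Observation(0, "HMI-1", "TC-2", "write", 20.0),
    Observation(60, "HMI-1", "TC-2", "read", 21.5),
]

# Constructed monitoring traffic following the post's scenario: a write of -121 C
# to TC-1, a routine write to TC-2, and a read from a never-seen controller.
LIVE_TRAFFIC = [
    Observation(900, "HMI-1", "TC-1", "read", 1.5),
    Observation(960, "HMI-1", "TC-1", "write", -121.0),
    Observation(960, "HMI-1", "TC-2", "write", 21.0),
    Observation(1020, "ENG-WS", "TC-3", "read", 4.0),
]


def run_demo() -> List[Tuple[int, str, str]]:
    return detect(LIVE_TRAFFIC, learn_baseline(BASELINE_TRAFFIC))


if __name__ == "__main__":
    for ts, dev, why in run_demo():
        print(f"t={ts}s {dev}: {why}")
```

Running it flags the -121°C write to TC-1 twice (an unexpected write and an out-of-range value), leaves the routine write to TC-2 alone, and notes the controller that has no baseline at all. The learned range is taken literally here; a production tool needs a long enough learning period and a tolerance (the `margin` argument) so that normal process drift does not page the SOC.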
Upon identifying this change in value on the controller, the SOC analysts immediately escalated the alert to the OT engineers for rapid response and remediation. The engineers then wrote a new — and normal — value to the temperature controller to preserve the integrity of the vaccine batch before it was compromised.
After the engineers neutralize the attack, the SOC analysts use Process Values to further investigate the environment for previous events and to monitor for new abnormal behaviors. This enables the analysts to anticipate whether an expected value change happens or not, and to quickly take action if it doesn’t.
Image 6: Process Values showing the values and associated operations on the temperature controller over time.