We are surrounded by hackable devices.
Item: Did you know a TV remote can become a spying device by hijacking the infrared it uses to communicate with a set-top box?
Item: But who needs a remote when you can just yell at your TV? The FBI says that’s not safe either: Hackers can control a smart TV‘s camera and microphone to remotely record video and audio of whoever’s in the room, or use the unsecured TV to get into your router and then your PC.
Item: Even a humble coffee maker can be hijacked and turned into a ransom-demanding machine. So can other unsecured IoT devices.
These sound like sci-fi scenarios, but they’re not.
Vulnerable home office
So how do your TVs, remotes, and coffee machines relate to the industrial cloud, or to you at work? You might think that remote hacking of devices like these is a remote possibility — and anyway you’re working at home, like millions of others around the globe due to Covid-19, so there’s no way this could possibly affect your company’s enterprise network, or the operational technology (OT) network, or any industrial control systems (ICS).
But you would be wrong. Very wrong.
Because you need to access that OT network or those ICS remotely from your home office …
Oops. Yes. Your home office. The one with the potentially leaky third-party VPN (because IT hasn’t replaced it yet), and your eminently hackable Wi-Fi network, which may also have all kinds of unsecured IoT devices hanging off of it.
And the news gets worse. Of all the vulnerabilities in ICS revealed during the first half of this year, more than 70% can be exploited remotely, according to an August report by cybersecurity provider Claroty. Moreover, remote code execution is possible with nearly half of them.
Claroty analyzed a combination of vulnerabilities published in the National Vulnerability Database and ones mentioned in advisories issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Sectors most impacted by ICS-CERT vulnerabilities were energy, critical manufacturing, and water and wastewater infrastructure.
Most of the 26 that were discovered by Claroty’s own research team were found in PLCs and engineering workstations. The workstations especially are desirable targets, since they’re connected to the factory floor, PLCs, and IT.
Attacks on ICS and OT have been on the rise for some time. In July, the situation became critical enough that the U.S. National Security Agency (NSA) and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert recommending immediate action to protect internet-connected OT and ICS systems against security breaches. Citing the recent cyberattack on Israel’s water systems, the agencies called for better protection of civilian infrastructure and OT assets critical to U.S. security and defense.
The number of attacks on computers in ICS in the oil and gas industry, as well as in building and automation systems, increased slightly during the first half of this year according to a September report from Kaspersky. The report concluded, “Threats are becoming more targeted and more focused, and as a result, more varied and complex.” The main sources are the internet, removable media, and email.
Computers used in building automation systems are potentially a hacker’s backdoor, since they’re often connected to corporate networks, the internet, corporate email, domain controllers, and video surveillance systems. Their attack surface is larger than ICS engineering workstations and similar to computers in the IT network.
AI-driven cyber security company Darktrace has found thousands of devices using various ICS protocols on systems — such as HVAC and elevators — that enterprises didn’t know were connected to their IT networks, Justin Fier, director of cyber intelligence and analytics for Darktrace, told EE Times. That means IT-OT systems aren’t properly segmented, creating security blind spots.
Darktrace attack timeline.jpg
Improper segmentation between IT and OT systems can lead to highly unusual connections to ICS protocols, as shown in this timeline of the main events of an industrial sabotage incident at a food-processing organization. Increased IT/OT convergence creates new blind spots on the network and sets up new pathways to disruption. (Source: Darktrace)
“With the pandemic, systems such as building control are being accessed remotely by engineers and other employees from their home offices,” said Fier. Yet their personal Wi-Fi networks may be vulnerable to hackers trying to get into the corporate network.
As many security experts will tell you, endpoint devices must be secure to reduce the entire network’s vulnerability to attacks. The rise of unmanaged shadow industrial IoT (IIoT) devices is one of the biggest threats to cloud-connected industrial network, as Fier noted. But so are shadow consumer IoT devices.
These are network-attached devices unknown to, and therefore invisible to, IT and security teams. Ordr, a provider of security products for enterprise IoT and unmanaged devices, has found more than 5 million unmanaged IoT and internet of medical things (IoMT) devices connected to customer networks, including healthcare, life sciences, retail, and manufacturing deployments.
These devices aren’t designed for security and are often bought by individuals or teams not subject to IT approval. Examples are network-accessible IP security cameras — regularly breached by hackers — and badge readers, both purchased by building maintenance staff.
According to Ordr’s 2020 Enterprise IoT Adoption & Risk Report, even consumer-grade shadow IoT devices such as Amazon Alexa and Echo virtual assistants were frequently discovered attached to networks. So were a Tesla and a Peloton exercise machine. In some healthcare companies, employees were running YouTube and Facebook applications on MRI and CT machines, which often use legacy, unsupported operating systems.
“We found a staggering number of vulnerabilities and risks concerning connected devices,” Ordr CEO Greg Murphy said in a statement.
One step in the right direction may be the IoT Cybersecurity Improvement Act, passed in September by the U.S. House of Representatives. The bill aims to improve IoT device security by requiring the National Institute of Standards and Technology (NIST) to develop recommendations for the secure development, identity management, patching, and configuration management of IoT products. If it’s signed into law, federal government agencies would only be able to buy IoT products compliant with those recommendations, and NIST would have to publish guidance on the coordinated vulnerability disclosure process.
Another is the launch in October of the Consumer Internet of Things Vulnerability Disclosure Platform by the IoT Security Foundation (IoTSF). Its goals are to “help consumer IoT manufacturers manage the process of vulnerability reporting, management and coordinated vulnerability disclosure, make it easier for security researchers and users to report vulnerabilities to IoT manufacturers, and improve consumer IoT security,” according to the website. Although vulnerability reporting is widely considered to be a basic requirement of IoT device security, it’s still a new idea for most consumer IoT device makers.
The third-party problem
Disgruntled or otherwise compromised employees may be less common threats than external nation-state or criminal attackers — but all it takes is one to spark a major security disaster:
But even if employees are well trained in security habits and network-attached devices are visible and secured, attackers can exploit other possible avenues.
The big jump in workforce identities — employees, contractors, suppliers, computers, devices, and applications — is part of the problem: their sheer number makes them, and their access privileges, difficult to manage. Yet they’re often the source of breaches.
In a May 2020 survey of IT security and identity decision-makers, the Identify Defined Security Alliance (IDSA) found that automation, DevOps, and the expansion of enterprise-connected devices have driven a dramatic growth in these identities. As many as 94% said they’d had an identity-related breach in the past; 99% said those breaches were preventable. But less than half have fully implemented key identity-defined practices recommended by the IDSA.
In particular, third-party suppliers and contractors can be an avenue of intrusion, either maliciously or accidentally. BlueVoyant’s global study of third-party cyber risk managementfound 80% of organizations had experienced a cybersecurity breach caused by vendor ecosystem vulnerabilities in the past 12 months, while less than a quarter monitor their entire supply chain, and nearly a third can’t determine whether a third-party vendor is a cyber risk. While the manufacturing sector had a lower third-party breach rate, it was still 57%.
As the Kaspersky report noted, the same building automation systems that may have shadow IoT attached are often owned or at least managed by third-party contractors. Even when they’re allowed access to a customer’s corporate network, that access may not be controlled by the customer’s IT security team. “Given that the decrease in mass attacks is offset by an increase in the number and complexity of targeted attacks where we see active utilization of various lateral movement tools, building automation systems might turn out to be even less secure than corporate systems within the same network,” the report states.
The rise of ransomware
As organizations that depend on OT increasingly deploy IoT devices and let remote workers access OT networks, cyberthreats have escalated. Nozomi Networks’ July “OT/IoT Threat Report“ looked at the most active OT and IoT threats during the first half of 2020. It found that ransomware attacks are demanding bigger ransoms and are targeting larger and more critical organizations. In particular, attackers are now using OT-aware ransomware, such as SNAKE/EKANS and MegaCortex, indicating that ICS may be increasingly targeted by non-state threat actors.
This year, FireEye’s Mandiant service has seen at least seven ransomware families that incorporate some ability to disrupt OT, according to a recent company blog.
Ransomware attacks constitute a quarter of all cyber incidents handled by IBM’s X-Force incident response team so far this year, and 6% of them used the ICS-targeting SNAKE/EKANS, the company reported in a September blog. The most targeted sectors are manufacturing, professional services, and government organizations, all with a low tolerance for downtime.
Darktrace’s Fier told EE Times that the goal of ransomware has changed. “Ransomware attacks are now less about encrypting data for money and more about holding an entire organization or assembly line hostage,” he said. “I think we’ll start seeing what I call DNS or quality-of-service attacks on the horizon, where attackers hold business operations ransom instead of just encrypting files.” For example, one customer’s smart refrigeration system had such insecure protocols that Darktrace could demonstrate a Stuxnet-type attack, dropping temperatures a few degrees to make food spoil.
Unforeseen financial consequences
While recovering from a cyberattack can be costly and take lots of time, major follow-on consequences can cost even more and take more time to recover from. A cyberattack such as ransomware, especially one that causes downtime or shutdowns, can have reverberations throughout the infrastructure of a manufacturing or oil and gas company for months afterward. These can include extended downtime and equipment repair or replacement in addition to testing and recertification, as well as widespread profit loss from inability to fill contracts, or even a complete shutdown of operations.
Recent examples of manufacturing shutdowns include the cyberattack on Honda in June that made it stop production globally for a few days, likely caused by EKANS/SNAKE ransomware. In September, Israel’s Tower Semiconductor had to halt some manufacturing operations after a cyberattack.
Ron Brash, director of cyber security insights for OT/ICS cybersecurity company Verve Industrial Protection, uses the analogy of oil pipeline shutdowns to demonstrate these follow-on consequences. Although most oil pipeline shutdowns aren’t caused by cybersecurity incidents, and in many cases recovering from a cyberattack can be faster than from a pipeline shutdown, both can have similar financial consequences that extend far beyond system recovery costs.
During forest fires in Canada a couple of years ago, oil pipelines threatened by the fires were shut down. This made the product harden in the pipeline, Brash told EE Times. “Dilutant had to be run through the pipeline for several months to break down the product such that the pipeline could then be used for its primary purpose,” said Brash. “But oil can have less desirable properties, and those can damage the protective layers inside the pipeline, degrading the infrastructure. That meant the pipeline had to be repaired and reinspected, and undergo safety or other approvals. All those steps effectively created a cascade of additional time and costs beyond the costs caused by the revenue lost during a normal outage or less damaging incident.”
Other costs could include the inability to satisfy contracts while manufacturing is halted, forcing a company to buy product on the open market and sell at a loss. An inability to restart operations or get recertified because of specific location and regional development conditions, or from sheer overall costs, could cause the permanent shutdown of some or all operations.
Many packaged goods manufacturers are vulnerable to disruption because of just-in-time manufacturing practices that keep low inventories of materials and warehoused product, said Brash. “These organizations often believe in the ‘old school’ definition of resilience, which is basically redundancy- — multiple versions of the same thing.” Yet a second or third line alone isn’t enough if an attacker has user IDs and access codes for both lines, and IT and OT are connected.
“It’s not connectivity that’s at fault; it’s largely due to how it’s engineered,” said Brash. “We need to engineer the risks out of it, and we’ve forgotten how to do this in the race for convenience. I can understand why; it could be fear of disruption, or not having enough knowledge in-house.
“But you can do things that improve the situation gradually, such as starting with the cybersecurity hygiene basics, and you can do things such as having a layered defense.”