News of data breaches, phishing attacks, ransomware, and other malicious cyber activity shows no sign of abating. Putting a positive spin on it, though, there's a lot we can learn from recently publicized attacks on critical infrastructure about preventative steps to take in protecting vital systems.
Cyber criminals are highly motivated, creative, and nimble. While the people securing the world's core infrastructure may share these first two attributes, adapting quickly is much more difficult. Working with legacy technology, unwieldy bureaucracy, and financial limitations while aiming to secure infrastructure that has a massive scope, it's challenging to be fleet of foot in preparing for and preventing frightening attacks.
Critical infrastructure is a target for several types of bad actors: state-sponsored hackers, hacktivists, and cyber terrorists. These attacks might aim to demonstrate power, exact revenge, spread fear, or seek financial gain.
Consider the rise of cryptojacking, which uses mining malware to hijack computers to mine cryptocurrency. In a constant quest for more devices, processing power, and electricity, attackers have ventured into the new environment of industrial control systems (ICS).
In February, critical infrastructure security firm Radiflow announced its discovery of mining malware in a water utility's operational technology network (which does monitoring and control). The European instance is thought to be "the first known instance of mining malware being used against an industrial control system."
In another example, perhaps one of the best-known cyberattacks on a utility is seen in Ukraine. A Kiev power grid was hit with malware, alternately known as Crash Override or Industroyer, which caused a blackout affecting around 250,000 households (in freezing December no less). The malicious code built to disrupt physical systems followed on the heels of Stuxnet, first used by the US and Israel to shut down Iranian centrifuges in 2009.
In a recent ICS attack, a national state-sponsored malware known as Triton attacked industrial hardware in the Middle East. The December 2017 infection, which used a zero-day exploit, spread due to human error as a critical Tricon key switch was left in "program mode." A flawed payload script defanged Triton before it could cause dramatic damage, but the fact remains that industrial systems are becoming increasingly tempting targets.
Any impairment of critical infrastructure system strength could have dire consequences. Learning from these incidents can help better monitor, detect, prevent, and protect.
No one wants bragging rights that theirs is the "first known" or "best known" of some sort of cyber attack. One way to prevent your business from being associated with that kind of press? Don't be complacent — limit Internet access points with silos.
In the cryptojacking example, the utility's internal network was exploited through an opening provided by some restricted access to the internet for remote monitoring. The utility wasn't targeted, Radiflow's CEO Ilan Barda told Wired. "The attackers were just trying to look for unused processing power that they could use for their benefit."
Keeping the critical infrastructure efficient and effective is challenging enough. Yet finding the time to consistently audit and always be improving security is critical too. Attackers will be looking for misconfigurations or flaws that offer access — it's up to you to find those entry points first.
In targeting the Ukrainian power grid, the attackers didn't even need to look for protocol vulnerabilities; "all they needed was to teach the malware ‘to speak' [decades-old] protocols" not designed with security in mind.
The Triton attack vector would not have been able to spread through the Middle Eastern network without the help of human error. Designed to act as a remote access Trojan (RAT), Triton needed programming control to perform actions on the infected network. This example underlines the importance of educating employees to always be vigilant and raising awareness of potential threats.
This should include making your people aware of the importance of physical measures too — even locking cabinets and supporting the security intentions of access control doors can make a difference.
The Industrial Internet of Things market is expected to reach $151 billion by 2020. — IDC
Industrial control systems too often run out-of-date software on legacy platforms. Concerns that new operating systems or software updates might destabilize crucial infrastructure can inhibit the best practice of always updating. Still, the cyber criminal only needs to find one small opening to exploit before wreaking havoc on the ICS.
RedTeam Security specializes in testing and strengthening defenses of industrial control systems. Our experts know best practices and think like hackers and system engineers to test security control effectiveness and offer advice for remediation. Set up a consultation to speak with one of our team members, or request a customized proposal for your organization now!