Cyber-physical threats present a conundrum for today’s security professionals

Oct. 7, 2020
Trend Micro's William Malik discusses the challenges of trying to secure OT systems with outdated info security concepts

The term hacker in our modern-day lexicon often conjures up images of teens wearing hooded sweatshirts and pounding away at a keyboard in some dark and dingy basement as they work to steal personal data or write the next strain of malware that brings a corporation to its proverbial knees. Despite this popular misconception, the reality is that many of the most successful cyber criminals, employed by nation-states or organized crime syndicates, work a typical 9-to-5 shift in locales around the globe, and their schemes are quite varied.

Beyond harvesting credit card numbers or holding computer systems hostage for ransom, many of these malicious actors are searching for vulnerabilities in a wide range of connected devices as potential entry points to launch damaging physical attacks against not only commercial enterprises, but government agencies and critical infrastructure operators. The most prominent example of this to date has been the use of the Stuxnet virus that crippled Iran’s uranium enrichment program by taking it over and damaging a large number of gas centrifuges.

William Malik, Vice President of Infrastructure Strategies at cybersecurity firm Trend Micro, who gave a presentation on protecting against cyber-physical attacks this week during the virtual ISC West event, said the biggest challenge today in protecting industrial control systems, similar to those compromised in the Stuxnet attack, is the large number of existing legacy systems that rely on proprietary technology.

“Many of these industry protocols are so proprietary they are as obscure and as simple as Morse code and that means they don’t do encryption, it means they don’t do any authentication, it means there is no message integrity or digital signature capability,” said Malik, who has 46 years of experience in the IT industry. “It is just very, very raw. It is the old concept of if you want it on, you flip the switch, and if you want it off, you flip the switch down. The electronic signals are no more sophisticated than that.”

The threats facing these types of system architectures include: shadow OT (operational technology), meaning equipment that is not known to, or not part of, the managed operating environment; insecure authentication; insecure protocols; unpatched devices; and insider threats, which can be intentional or unintentional, as when someone unknowingly plugs a compromised device, such as a USB drive, into the network.

Much like shadow IT, in which employees use apps and other devices not authorized by the IT department to improve their efficiency, shadow OT can be pieces of equipment that workers use for similar reasons unbeknownst to corporate. For example, Malik said there was a U.S. hospital where a nurse got the idea to use a cheap pad, about $60, that could be placed in patient beds to detect patient movement as a way to improve care. After the pads proved effective in one ward of the hospital, the devices were deployed throughout the facility. However, nobody had ever cleared this with the CIO, and the hospital now had patient data being transmitted in the open. That posed a big security risk.

“None of these devices were approved and, in fact, they used Bluetooth and cellular connectivity to get the information from the patient bed to the monitoring station. There was no authentication, there was no encryption,” Malik explained. “When questioned about this the nurse said, ‘look, if we were to get hospital beds that are fully FDA approved with this level of sensing (technology), it would cost about $8,000 apiece and for a 2,000 bed hospital, that is a $16 million capital investment.’ That would never be approved. People are smart, they will use technology to solve problems and sometimes they don’t even know they’re violating policy.” 

Modernization Leads to More Vulnerabilities

One of the ways that organizations have decided to update these outdated communication methodologies, according to Malik, is to use protocol converters that take these old modalities and put them on a modern TCP/IP network. The problem with that is that the converters themselves are oftentimes primitive, designed to be cheap and do not have the processing power to do any kind of authentication.

“We used to call dumb terminals ‘non-programmable devices’ but the reality is these things are quite smart, they’re fully functioning computers, it’s just that the amount of horsepower and storage and bandwidth available does not allow them to be used efficiently to do any of the security functions you would expect from a firewall per se in a typical IT environment,” Malik said. “Wherever these things are, they will live 20, 30 or 40 years before they are replaced. They don’t wear out, they don’t break down and these devices are easy to hijack, they are easy to subvert and easy to take over. So, these protocol gateways are a very significant vulnerability.”

Malik said that the information security theory behind these OT networks has historically been that anyone inside is trusted and anyone outside is not. Of course, Malik said this is a “fundamentally flawed” notion of a perimeter that has proven time and time again to not work.

Addressing the Problem

So, what can companies and individuals do to better protect their technology systems and data? Malik advises organizations to put sensors and controls everywhere feasible, especially on human-machine interfaces (HMIs)/consoles, in order to see what kind of traffic is coming to and from those devices as well as the kinds of messages that are flowing from the sensors over the proprietary networks to the supervisory devices.
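What "sensors everywhere" looks like in practice is a monitor that already knows which devices belong on the control segment and what each of them is allowed to say. The script below is an added illustration written for this article, not code from Trend Micro or from Malik's presentation. It assumes that traffic at the HMI and supervisory devices has already been summarised into flow records, that the control network is 10.10.0.0/24, and that the field protocol has been carried over Modbus/TCP (port 502, whose public function codes distinguish reads from writes); the device addresses and sample flows are constructed. It flags the three things the article raises: unknown devices on the segment (shadow OT), traffic crossing the perimeter in either direction, and write commands to a controller coming from anything other than the HMI.

```python
"""Allowlist monitor for an OT segment (added example, constructed data).

Assumptions not taken from the article: flow records are already
available, the control segment is 10.10.0.0/24, and Modbus/TCP on
port 502 is the supervisory protocol. Addresses below are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

OT_SEGMENT = ip_network("10.10.0.0/24")  # assumed control-network range
MODBUS_PORT = 502

# Asset inventory: every device expected on the segment and its role.
# Any in-segment talker missing from this table is treated as shadow OT.
INVENTORY = {
    "10.10.0.10": "hmi",
    "10.10.0.20": "plc",
    "10.10.0.21": "plc",
    "10.10.0.30": "historian",
}

# Modbus function codes that change process state (from the public spec):
# 5 Write Single Coil, 6 Write Single Register,
# 15 Write Multiple Coils, 16 Write Multiple Registers.
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    function: Optional[int]  # Modbus function code; None if not Modbus


def check_flow(flow: Flow) -> List[str]:
    """Return a human-readable finding for each rule the flow violates."""
    findings: List[str] = []
    src_ip, dst_ip = ip_address(flow.src), ip_address(flow.dst)
    src_role = INVENTORY.get(flow.src)

    # Shadow OT: something on the control segment that nobody inventoried.
    if src_role is None and src_ip in OT_SEGMENT:
        findings.append(f"shadow OT: unknown device {flow.src} on control segment")

    # Perimeter crossings in either direction; the article's point is that
    # "inside is trusted" is no longer enough, so both are worth a look.
    if src_ip not in OT_SEGMENT:
        findings.append(f"ingress: {flow.src} outside the control segment reached {flow.dst}")
    if dst_ip not in OT_SEGMENT:
        findings.append(f"egress: {flow.src} sent traffic to {flow.dst} outside the control segment")

    # Only the HMI is expected to write to controllers; anything else is suspect.
    if flow.dport == MODBUS_PORT and flow.function in WRITE_FUNCTIONS and src_role != "hmi":
        findings.append(
            f"write: {flow.src} ({src_role or 'unknown'}) issued Modbus function "
            f"{flow.function} to {flow.dst}"
        )
    return findings


def scan(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Run every flow through the rules and collect (flow, finding) pairs."""
    return [(f, finding) for f in flows for finding in check_flow(f)]


# Constructed sample: two benign HMI flows and four that should be flagged.
SAMPLE_FLOWS = [
    Flow("10.10.0.10", "10.10.0.20", 502, 3),      # HMI reads holding registers: fine
    Flow("10.10.0.10", "10.10.0.20", 502, 16),     # HMI writes registers: fine
    Flow("10.10.0.77", "10.10.0.20", 502, 3),      # uninventoried device: shadow OT
    Flow("10.10.0.30", "10.10.0.21", 502, 6),      # historian writing to a PLC
    Flow("10.10.0.20", "203.0.113.5", 443, None),  # PLC talking to the internet
    Flow("192.168.50.9", "10.10.0.10", 3389, None),  # outside host reaching the HMI
]

if __name__ == "__main__":
    for flow, finding in scan(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {finding}")
```

The inventory table is the part that earns its keep: the hospital bed pads in the article would have shown up as the third sample flow on day one, long before anyone asked whether they were encrypting anything. On a real network the table comes from an asset discovery pass, and the function-code check has to be adapted to whatever the protocol converters actually emit.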

“You want to be careful about what kind of information is allowed into and out of the network and remembering the power of wireless connectivity. This is a daunting task,” he said. “The principles for industrial control systems are continuity of operations and preservation of the service. The concepts from information security of confidentiality, availability and integrity do not even factor in there because the availability that we talk about in IT is the availability of data. The service availability that they speak of in industrial control systems is the underlying service – the water flowing through the pipe, the escalator continuing to run and the traffic lights functioning – even if their network backbone is down.”

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].