Vulnerabilities / Threats

Eddie Habibi
Anatomy of an Attack on the Industrial IoT

How cyber vulnerabilities on sensors can lead to production outage and financial loss.

We like to think that cyberattacks are focused primarily on stealing credit card numbers and that attackers don't know much about the control systems that run critical infrastructure. Unfortunately, that's just wishful thinking. In 2017, we saw an increasing number of threat actors bypass existing network perimeter security controls to perform sophisticated reconnaissance of industrial process control networks (PCNs). They then moved beyond reconnaissance to infiltrate PCNs and disrupt production.

Here's how a knowledgeable outsider can shut down an industrial process using a published industrial control system (ICS) vulnerability in a way that is very difficult to detect.

Ambient gas detectors identify releases of small amounts of toxic flammable gases. It is common to locate many such detectors in a processing area, and to configure both alarms and automatic process shutdowns on multiple simultaneous detection signals.

In December 2015, ICS-CERT published advisory ICSA-15-309-02, which provided details on vulnerabilities affecting specific ambient gas detectors. According to the ICS-CERT advisory, "Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes." The advisory noted that "an attacker with low skill would be able to exploit these vulnerabilities."

Now, let's examine industrial Internet of Things (IoT) devices and their vulnerabilities through the eyes of an attacker. The attacker has performed reconnaissance against an industrial facility, probing its cyber defenses. During her reconnaissance, she obtained access and visibility to a dozen gas detectors. Due to the Web server interface vulnerability identified in the ICS-CERT advisory, she can bypass the authentication process and make configuration changes to the device, such as altering detection ranges and alarm limits. This access enables her to generate alarms at will.

Armed with this access and knowledge, she decides to launch an attack aimed at shutting down production by tricking operators into taking drastic action for a condition that does not exist.

In the initial phase of her attack, she decides that she doesn't want to make all sensors alarm at once. Instead, she selects four or five sensors that seem associated by their names (West Side First Level, West Side Second Level), and initiates an alarm by lowering the alarm threshold.

The detectors generate false alarms that appear to an operator as a serious leak. However, the operator has no way of knowing the alarms are false. The operator responds to the situation in a variety of ways, such as lowering the production rate, lowering pressure, or even shutting down part of the process. Evacuation of operations and maintenance personnel in the affected area is ordered. Responders suit up and try to verify the sensor readings using hand-held gas detectors, but they find nothing. The physical process examination is thorough and time consuming. Since multiple gas detector alarms sounded simultaneously, operators take the situation seriously because they cannot attribute it to a single sensor failure.

In the meantime, the attacker covers her tracks, restoring the manipulated detectors to their initial values. By the time the investigator reviews the configuration of the detectors, there is nothing amiss. After an exhaustive yet futile leak search, the process is restarted, but with additional personnel stationed in the area with leak detectors, which is both expensive and disruptive to production.

The attacker is patient. Two weeks later, she strikes again, choosing different sensors. The attacker is smart enough to select sensors based on wind direction — easy to determine from — this time, on the south side. The response to this second incident may require a much more detailed plant inspection, involving hundreds of hours and a significant production outage looking for a leak that isn't there. The hours to investigate the false gas leak and the loss of production can result in a cost of hundreds of thousands of dollars per attack.
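The two-phase attack above works because the attacker reverts the setpoints before anyone inspects the devices, so a one-time configuration review finds "nothing amiss". The following is an added detection example, not code from the article or from any detector vendor: it polls each detector's alarm setpoint on a schedule, diffs every poll against a signed-off baseline (so a reverted change is still on record), and flags alarms that fired under a tampered setpoint on a reading that would not have alarmed under the baseline. Detector names, setpoints, timestamps and readings are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    ts: int           # poll time in seconds (constructed)
    device: str
    alarm_ppm: float  # high-alarm setpoint read back from the detector

# Signed-off setpoints per detector (constructed sample values).
BASELINE = {"West Side First Level": 25.0,
            "West Side Second Level": 25.0,
            "South Side First Level": 25.0}

# Constructed poll history: both West units are lowered at t=600 and
# restored at t=1800; the South unit is never touched.
POLLS = [Snapshot(0, d, 25.0) for d in BASELINE] + [
    Snapshot(600, "West Side First Level", 2.0),
    Snapshot(600, "West Side Second Level", 2.0),
    Snapshot(600, "South Side First Level", 25.0),
] + [Snapshot(1800, d, 25.0) for d in BASELINE]

# Constructed alarm log: (ts, device, measured ppm). The last entry is a
# genuine reading above the baseline setpoint and must not be flagged.
ALARMS = [(700, "West Side First Level", 4.1),
          (705, "West Side Second Level", 3.8),
          (2000, "South Side First Level", 40.0)]

def setpoint_drift(polls, baseline):
    """Every poll whose setpoint differs from baseline, even if later reverted."""
    return [s for s in polls if abs(s.alarm_ppm - baseline[s.device]) > 1e-9]

def suspicious_alarms(polls, alarms, baseline):
    """Alarms that fired under a non-baseline setpoint on a reading that
    would NOT have alarmed under the baseline setpoint."""
    out = []
    for ts, dev, ppm in alarms:
        # Setpoint active when the alarm fired: latest poll at or before ts.
        sp = max((s for s in polls if s.device == dev and s.ts <= ts),
                 key=lambda s: s.ts).alarm_ppm
        if abs(sp - baseline[dev]) > 1e-9 and ppm < baseline[dev]:
            out.append((ts, dev, sp, ppm))
    return out

def clustered_devices(flagged, window):
    """Devices whose suspicious alarms fall within `window` seconds of the
    earliest one: the multi-detector pattern that makes operators act."""
    if not flagged:
        return set()
    t0 = min(t for t, *_ in flagged)
    return {d for t, d, *_ in flagged if t <= t0 + window}
```

The poll interval bounds how short a tamper-and-restore window can go unrecorded, so it should be shorter than the time a false alarm needs to trigger an operator response.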

This attack underscores the importance of assessing all known ICS vulnerabilities and prioritizing them based on risk and consequences. Industrial teams must remediate or mitigate high-priority vulnerabilities as quickly as possible. For example, the ICS-CERT advisory I reference in the example recommends implementing a firmware upgrade to remediate the device vulnerability.

Before applying system updates, though, asset owners must consider potential impacts. ICSs are highly proprietary, complex systems, implemented with very specific hardware configurations and operating system versions. Because automation systems depend on precise configuration specifications, software or configuration changes can cause malfunctions that negatively affect process reliability and safety. ICS upgrades or patches must receive thorough testing by the system vendor and by the asset owners or their automation engineers prior to implementation. Because of uptime requirements, asset owners in plants must plan and schedule updates months in advance. ICS upgrades and patching are a major effort for plant staff.

New vulnerabilities appear daily. Effectively managing the ever-increasing number of vulnerabilities that can affect ICSs is critical to industrial cybersecurity. Most companies struggle to keep up with the myriad ICS alerts and advisories issued each month. In fact, far too often, ICS vulnerabilities are unseen or ignored, leaving many plants at risk.

Plant managers need to make sure that their facilities have vulnerability management programs in place for continuous assessment of ICSs. Current remediation and mitigation states must be tracked and managed systematically to obtain a clear understanding of industrial risk. The downside for companies that fail to recognize and address these serious risks is that they face potentially disastrous consequences that may negatively affect plant safety, reliability, and the company's bottom line.

Eddie Habibi is the founder and CEO of PAS Global. Eddie is a pioneer and a thought leader in the fields of industrial control systems (ICS) cybersecurity, Industrial IoT, data analytics, and operations management. In 2017, PAS was recognized in CRN's 15 coolest industrial ...