It's no secret that hacked critical infrastructure can have a detrimental safety impact, shut businesses down, and cost millions of dollars in lost revenue and brand damage. Unfortunately, attacks on critical infrastructure are showing no signs of abating. Think WannaCry, NotPetya, Black Energy, and now its malware successor, GreyEnergy.
The GreyEnergy malware family, reported last month by ESET researchers, is utilizing stolen credentials to target ICS workstations running supervisory control and data acquisition (SCADA) systems. To infect the systems, GreyEnergy is using traditional spearphishing attacks and compromising public-facing web servers. This allows the attackers to move laterally on the network, plant backdoors, and communicate with command and control servers. These attack behaviors are becoming more commonplace when examining critical infrastructure attacks.
On top of that, ICS systems are an easy target because it's widely known that most of them run on legacy, older infrastructure, so you cannot easily update the system or put an agent on the device. There's no room for system downtime when it comes to the power grid or a water plant, so patching vulnerabilities becomes extremely difficult. Also, with Internet of Things adoption on the rise, IT and OT (operational technology) networks are rapidly converging, making those once isolated systems even easier to threaten with damaging cyberattacks.
According to a new report by CyberX Labs, 53% of all critical infrastructure sites use ICS stations running on older, legacy Windows installations that no longer receive security updates, offering a wide-open playing field for nation-state attackers. The report also found 69% of all industrial sites allow passwords to be sent through the network in plain text — another major exposure gap.
One easy attack vector for nation-states looking to target critical infrastructure is credential theft. After all, it worked well for some of the largest and most costly data breaches to date, including the Equifax, Office of Personnel Management, and Yahoo hacks. Stolen usernames and passwords guarantee an attacker can get in and wreak havoc on these systems. The more access those administrator credentials offer, the more detrimental it is to the organization.
What can protectors of critical infrastructure and other companies do to minimize cyberattacks and, more specifically, credential theft, when this seems to be the attack vector of choice for cybercriminals? Here are eight tips:
- Make sure all of your employees leverage multifactor authentication (MFA) across their networks — including their personal social media accounts.
- Understand who has privileged and administrative access within your organization. Place MFA in front of every administrator account for every system.
- Password vaults are great but use caution as these are often difficult to roll out broadly. Also, as a point of caution, be aware that well-meaning and ill-intentioned system administrators can find ways around these, negating their intended security value.
- Train your employees on how to avoid phishing and spearphishing scams and ensure they know how to create strong passwords that are not being recycled. Increasingly, phishing scams are often used to compromise privileged users of ICS.
- Know who has remote access to your external workstations. Most attackers target administrators who are granted remote access from these workstations.
- Use agentless solutions that won't affect performance and availability for legacy SCADA systems.
- Ensure both IT and OT systems, industrial IoT devices, and networks are hardened from cyberattacks — regularly updating operating systems and utilizing strong encryption, endpoint security tools, vulnerability assessments, patch management, network, and behavioral traffic monitoring tools.
- If a device is compromised, isolate it immediately before undergoing incident response.
- Ensure regular compliance with NERC, FERC, ISA, and other ISO standards.
By utilizing these tips, security teams can slow down credential theft attacks on critical infrastructure and keep these important systems on lock down.
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.