Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

11/27/2018
10:30 AM
JD Sherry
JD Sherry
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

8 Tips for Preventing Credential Theft Attacks on Critical Infrastructure

Stolen credentials for industrial control system workstations are fast becoming the modus operandi for ICS attacks by cybercriminals.

It's no secret that hacked critical infrastructure can have a detrimental safety impact, shut businesses down, and cost millions of dollars in lost revenue and brand damage. Unfortunately, attacks on critical infrastructure are showing no signs of abating. Think WannaCry, NotPetya, Black Energy, and now its malware successor, GreyEnergy.

The GreyEnergy malware family, reported last month by ESET researchers, is utilizing stolen credentials to target ICS workstations running supervisory control and data acquisition (SCADA) systems. To infect the systems, GreyEnergy is using traditional spearphishing attacks and compromising public-facing web servers. This allows the attackers to move laterally on the network, plant backdoors, and communicate with command and control servers. These attack behaviors are becoming more commonplace when examining critical infrastructure attacks.

On top of that, ICS systems are an easy target because it's widely known that most of them run on legacy, older infrastructure, so you cannot easily update the system or put an agent on the device. There's no room for system downtime when it comes to the power grid or a water plant, so patching vulnerabilities becomes extremely difficult. Also, with Internet of Things adoption on the rise, IT and OT (operational technology) networks are rapidly converging, making those once isolated systems even easier to threaten with damaging cyberattacks.

According to a new report by CyberX Labs, 53% of all critical infrastructure sites use ICS stations running on older, legacy Windows installations that no longer receive security updates, offering a wide-open playing field for nation-state attackers. The report also found 69% of all industrial sites allow passwords to be sent through the network in plain text — another major exposure gap.

One easy attack vector for nation-states looking to target critical infrastructure is credential theft. After all, it worked well for some of the largest and most costly data breaches to date, including the Equifax, Office of Personnel Management, and Yahoo hacks. Stolen usernames and passwords guarantee an attacker can get in and wreak havoc on these systems. The more access those administrator credentials offer, the more detrimental it is to the organization.

What can protectors of critical infrastructure and other companies do to minimize cyberattacks and, more specifically, credential theft, when this seems to be the attack vector of choice for cybercriminals? Here are eight tips:

  1. Make sure all of your employees leverage multifactor authentication (MFA) across their networks — including their personal social media accounts.
  2. Understand who has privileged and administrative access within your organization. Place MFA in front of every administrator account for every system.
  3. Password vaults are great but use caution as these are often difficult to roll out broadly. Also, as a point of caution, be aware that well-meaning and ill-intentioned system administrators can find ways around these, negating their intended security value.
  4. Train your employees on how to avoid phishing and spearphishing scams and ensure they know how to create strong passwords that are not being recycled. Increasingly, phishing scams are often used to compromise privileged users of ICS.
  5. Know who has remote access to your external workstations. Most attackers target administrators who are granted remote access from these workstations.
  6. Use agentless solutions that won't affect performance and availability for legacy SCADA systems.
  7. Ensure both IT and OT systems, industrial IoT devices, and networks are hardened from cyberattacks — regularly updating operating systems and utilizing strong encryption, endpoint security tools, vulnerability assessments, patch management, network, and behavioral traffic monitoring tools.
  8. If a device is compromised, isolate it immediately before undergoing incident response.
  9. Ensure regular compliance with NERC, FERC, ISA, and other ISO standards.

By utilizing these tips, security teams can slow down credential theft attacks on critical infrastructure and keep these important systems on lock down. 

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

JD Sherry is Chief Revenue Officer for Remediant, Inc. He has spent the last decade in executive senior leadership roles at Optiv Security, Cavirin and Trend Micro, and has successfully implemented large-scale public, private and hybrid clouds emphasizing ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32053
PUBLISHED: 2021-05-10
JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e.g., disable access to the database after the attack stops) via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, with an accompanying large amount of server resources if there are m...
CVE-2020-18102
PUBLISHED: 2021-05-10
Cross Site Scripting (XSS) in Hotels_Server v1.0 allows remote attackers to execute arbitrary code by injecting crafted commands the data fields in the component "/controller/publishHotel.php".
CVE-2020-27232
PUBLISHED: 2021-05-10
An exploitable SQL injection vulnerability exists in ‘manageServiceStocks.jsp’ page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2020-28600
PUBLISHED: 2021-05-10
An out-of-bounds write vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21430
PUBLISHED: 2021-05-10
OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system data vu...