Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

11/27/2018
10:30 AM
JD Sherry
JD Sherry
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

8 Tips for Preventing Credential Theft Attacks on Critical Infrastructure

Stolen credentials for industrial control system workstations are fast becoming the modus operandi for ICS attacks by cybercriminals.

It's no secret that hacked critical infrastructure can have a detrimental safety impact, shut businesses down, and cost millions of dollars in lost revenue and brand damage. Unfortunately, attacks on critical infrastructure are showing no signs of abating. Think WannaCry, NotPetya, Black Energy, and now its malware successor, GreyEnergy.

The GreyEnergy malware family, reported last month by ESET researchers, is utilizing stolen credentials to target ICS workstations running supervisory control and data acquisition (SCADA) systems. To infect the systems, GreyEnergy is using traditional spearphishing attacks and compromising public-facing web servers. This allows the attackers to move laterally on the network, plant backdoors, and communicate with command and control servers. These attack behaviors are becoming more commonplace when examining critical infrastructure attacks.

On top of that, ICS systems are an easy target because it's widely known that most of them run on legacy, older infrastructure, so you cannot easily update the system or put an agent on the device. There's no room for system downtime when it comes to the power grid or a water plant, so patching vulnerabilities becomes extremely difficult. Also, with Internet of Things adoption on the rise, IT and OT (operational technology) networks are rapidly converging, making those once isolated systems even easier to threaten with damaging cyberattacks.

According to a new report by CyberX Labs, 53% of all critical infrastructure sites use ICS stations running on older, legacy Windows installations that no longer receive security updates, offering a wide-open playing field for nation-state attackers. The report also found 69% of all industrial sites allow passwords to be sent through the network in plain text — another major exposure gap.

One easy attack vector for nation-states looking to target critical infrastructure is credential theft. After all, it worked well for some of the largest and most costly data breaches to date, including the Equifax, Office of Personnel Management, and Yahoo hacks. Stolen usernames and passwords guarantee an attacker can get in and wreak havoc on these systems. The more access those administrator credentials offer, the more detrimental it is to the organization.

What can protectors of critical infrastructure and other companies do to minimize cyberattacks and, more specifically, credential theft, when this seems to be the attack vector of choice for cybercriminals? Here are eight tips:

  1. Make sure all of your employees leverage multifactor authentication (MFA) across their networks — including their personal social media accounts.
  2. Understand who has privileged and administrative access within your organization. Place MFA in front of every administrator account for every system.
  3. Password vaults are great but use caution as these are often difficult to roll out broadly. Also, as a point of caution, be aware that well-meaning and ill-intentioned system administrators can find ways around these, negating their intended security value.
  4. Train your employees on how to avoid phishing and spearphishing scams and ensure they know how to create strong passwords that are not being recycled. Increasingly, phishing scams are often used to compromise privileged users of ICS.
  5. Know who has remote access to your external workstations. Most attackers target administrators who are granted remote access from these workstations.
  6. Use agentless solutions that won't affect performance and availability for legacy SCADA systems.
  7. Ensure both IT and OT systems, industrial IoT devices, and networks are hardened from cyberattacks — regularly updating operating systems and utilizing strong encryption, endpoint security tools, vulnerability assessments, patch management, network, and behavioral traffic monitoring tools.
  8. If a device is compromised, isolate it immediately before undergoing incident response.
  9. Ensure regular compliance with NERC, FERC, ISA, and other ISO standards.

By utilizing these tips, security teams can slow down credential theft attacks on critical infrastructure and keep these important systems on lock down. 

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

JD Sherry is Chief Revenue Officer for Remediant, Inc. He has spent the last decade in executive senior leadership roles at Optiv Security, Cavirin and Trend Micro, and has successfully implemented large-scale public, private and hybrid clouds emphasizing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .