
Physical Security

3/24/2021
11:25 AM

How to Protect Our Critical Infrastructure From Attack

Just how worried should we be about a cyber or physical attack on national infrastructure? Chris Price reports on how the pandemic, the growth of remote working, and IoT are putting assets at risk.

On Feb. 2, the largest ever compilation of breached usernames and passwords was leaked online. Known as COMB, it contained 3.2 billion unique email/password pairs, including the credentials for the Oldsmar water plant in Florida.


Three days later an unknown attacker entered Oldsmar's computer systems and attempted to manipulate the pH in the city's water to dangerously high acidic levels by increasing sodium hydroxide (lye) by 100 times. Although the attack was foiled and the lye levels returned to normal, the incident highlighted the ease with which cybercriminals are increasingly able to target critical national infrastructure (CNI).

In this particular case it was thought that the attacker managed to get into Oldsmar's systems via the plant's TeamViewer software, which allows supervisors to access the system remotely. "As recently as August 2020, our analysts identified several high-risk vulnerabilities and exposures publicly associated with TeamViewer," claims Evan Kohlmann, chief innovation officer of threat intelligence platform Flashpoint. "This includes an example allowing a malicious website to launch TeamViewer with arbitrary parameters, capturing the victim's password hash for offline password cracking."

However, the problem isn't unique to TeamViewer. As far back as 2013 the Department of Homeland Security (DHS) confirmed that an Iranian hacker group known as "SOBH Cyber Jihad" accessed computer systems controlling the Bowman Avenue Dam in New York at least six times, accessing sensitive files containing usernames and passwords. Similarly, in 2015 and 2016 Ukraine suffered a series of attacks on its power grids believed to be the work of a Russia-sponsored advanced persistent threat group called Sandworm, which left 225,000 Ukrainians in sustained blackouts for several hours at a time.

Extremely Vulnerable
In July 2020, a CyberNews investigation highlighted just how easy it would be for an attacker to get into critical US infrastructure via unsecured industrial control systems (ICS). This, it claimed, could be done simply by attackers using search engines and tools dedicated to scanning all open ports and remotely taking control. Explains CyberNews Senior Researcher Edvardas Mikalauskas: "Our research has previously highlighted that many ICS panels in the US are critically unprotected and easily accessible to threat actors. The most vulnerable infrastructure appears to belong in the energy and water sector."

Security vs. Safety Dilemma
Indeed, in its recently published CNI Cyber Report: Risk and Resilience, Bridewell said there is a massive gap between the perceived threat of a cyberattack and the actual threat to CNI. While 78% of organizations are "confident" that their OT (operational technology) is protected from cyberthreats — and 28% very confident — it seems CNI is facing a "cyber siege." According to Bridewell's research of 250 UK IT and security decision-makers across five key CNI sectors (aviation, chemicals, energy, transport and water), 86% of organizations have detected cyberattacks on their OT/ICS environments in the last 12 months, with nearly a quarter (24%) experiencing between one and five successful attacks. Water and transport have been the sectors that experienced the most successful attacks. Similarly, IBM's annual X-Force Threat Intelligence Index reported a 2000% increase in cybersecurity incidents targeting OT in 2019, most of them involving Echobot IoT malware.

For Terry Olaes, technical director, North America, of computer security company Skybox Security, the latest OT attacks signal a change in intent among cybercriminals, as well as raising questions about increasing critical infrastructure vulnerabilities. "Managing critical infrastructure comes with several challenges," he says. "It entails massive environments that can't experience downtime and where safety is often prioritized over security. As a result, vulnerability and remediation on OT devices only occurs around once or twice a year, leaving the back door wide open to nefarious attackers to our critical infrastructure."

Bridewell's Scott Nicholson agrees: "Within an industrial controls context, consistency and availability of the service are key, whereas upgrading software is seen as risky. Patching systems and keeping them updated can be very complex for OT organizations," he adds.

A further problem is the demand for internet connectivity, which has been accelerated in part by the COVID-19 pandemic. Whereas traditionally many organizations within CNI sectors have managed Industrial Control Systems (ICS) and critical applications on their own closed private network, this is beginning to change. The rise of the Internet of Things (IoT) has brought the benefits of connectivity to the fore and there is a growing need to drive convergence between critical operational technology, IT networks and the internet for remote management. However, inevitably this simply increases the potential attack surface as well as bringing a wider range of threats.

"For many critical infrastructure facilities, COVID-19 forced an abrupt shift to employees working from home, meaning that security teams had to make production control networks accessible remotely to keep systems up and running," explains Andrea Carcano, co-founder of Nozomi Networks. "However, unfortunately remote access is often the easiest path for attackers to infiltrate a network."

Adds Scott Nicholson: "Their networks need to be segmented from the internet as much as possible." This can be done using the Purdue model — a hierarchical structure for industrial communications which was first developed in the 1990s.
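One way to make the Purdue-model segmentation Nicholson describes checkable is to map subnets to Purdue levels and test captured flows against an "adjacent levels only, enterprise and internet terminate in the DMZ" rule. This is an added example, not code from the article or any vendor; the zone map, the policy rule and the sample flows are all constructed.

```python
"""Check captured network flows against a Purdue-model zoning policy.

Added example, not from the article or any vendor product. The zone map,
the allowed-path rule and the sample flows are all constructed here.
"""
import ipaddress

# Constructed zone map: Purdue level per subnet. Level 3.5 is the industrial DMZ.
ZONES = {
    "10.0.1.0/24": 1,     # PLCs / RTUs (basic control)
    "10.0.2.0/24": 2,     # HMIs, engineering workstations
    "10.0.3.0/24": 3,     # site operations (historian, jump host)
    "10.0.35.0/24": 3.5,  # industrial DMZ
    "10.1.0.0/16": 4,     # enterprise IT
}
INTERNET = 5  # any address outside the map is treated as the internet

def level_of(ip: str) -> float:
    """Return the Purdue level of an address, or INTERNET if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, lvl in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return lvl
    return INTERNET

def flow_allowed(src: str, dst: str) -> bool:
    """A flow may cross at most one level boundary, and enterprise or
    internet traffic must terminate in the DMZ rather than reach OT."""
    a, b = level_of(src), level_of(dst)
    if a == b:
        return True
    lo, hi = sorted((a, b))
    if hi >= 4 and lo < 3.5:      # enterprise/internet touching OT directly
        return False
    return hi - lo <= 1           # adjacent levels only (3 <-> 3.5 <-> 4 ok)

def violations(flows):
    """Return the (src, dst, dst_port) flows that skip Purdue levels."""
    return [f for f in flows if not flow_allowed(f[0], f[1])]

# Constructed sample flows: (src, dst, dst_port)
SAMPLE_FLOWS = [
    ("10.0.2.10", "10.0.1.5", 502),      # HMI -> PLC Modbus: adjacent, ok
    ("10.1.4.20", "10.0.35.8", 443),     # enterprise -> DMZ: ok
    ("203.0.113.7", "10.0.2.10", 5938),  # internet -> HMI remote access: violation
    ("10.1.4.20", "10.0.1.5", 502),      # enterprise -> PLC directly: violation
]

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print("Purdue violation:", v)
```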

Impressive Physical Security Isn't Enough
According to Thycotic's Joseph Carson, physical security surrounding critical national infrastructure, such as power plants, is usually very impressive. Unfortunately, the same cannot be said of their cybersecurity. "You've got gates, armed guards, all these sensors and perimeter detection systems, but when you look at the cyber security side of things it's really quite concerning," he says. "Not only is the use of remote desktop solutions a threat, but I've seen audio streaming software installed, which implies operators are able to install their own software for listening to music while monitoring critical infrastructure."

Nor are the challenges simply going to go away. The growth of IoT — in particular the rise of Industry 4.0 with its increasing demand for drones and autonomous vehicles — means the potential for attack is only going to get greater. At the same time, the continued demand for remote working as a result of the pandemic provides additional risk, as the recent TeamViewer attack on the Florida water treatment facility showed. Indeed, the fight against COVID itself is even providing a target for cyber attackers.

Nozomi Networks' Andrea Carcano concludes: "We've continued to see threats to critical infrastructure rise over the last few years and we don't expect that trend to end anytime soon. Recent attacks on healthcare organizations and those in the fight against COVID are dramatic reminders that the systems we rely on are high value targets that are vulnerable and at constant risk of attack."

Five Steps to Help Protect Critical National Infrastructure From Attack

  • Secure remote access: This is often the easiest path for attackers to infiltrate a network. Managers need to secure remote access by using endpoint protection, good password hygiene and network firewalls.
  • Create an inventory of assets: If you can't see all the devices on the network, then it's impossible to protect or segment the network for greater resilience. By maintaining a real-time inventory of all network assets, security teams can achieve accurate visibility into their devices, connections, communications, and protocols.
  • Identify and patch vulnerabilities: Industrial networks contain thousands of OT and IoT devices from a number of vendors. Unfortunately, most aren't designed for the level of security required in critical infrastructure environments. Tools that identify system vulnerabilities, using the National Vulnerability Database (NVD), can help determine which devices are at risk, prioritize them, and recommend firmware updates.
  • Monitor for anomalies: Automated network anomaly detection solutions leverage artificial intelligence to run anomaly detection against the actual parameters that are used to control the industrial process.
  • Integrate OT and IT networks: OT knows how to meet production targets and keep the plant running safely while IT can address networking and cybersecurity issues. Combining both can give greater resilience, reducing blind spots and security risks surrounding highly connected industrial control systems.
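The "monitor for anomalies" step is about the process parameters themselves rather than network traffic. The check below, an added example that is not from the article or any vendor, flags a dosing setpoint that leaves its engineering limits or jumps far above the recent baseline, which is the shape of the Oldsmar lye change. The parameter name, limits, thresholds and readings are constructed.

```python
"""Flag anomalous setpoint changes in process telemetry.

Added example, not from the article or any vendor product. The parameter,
its engineering limits, the baseline window and the readings are constructed.
"""
from statistics import median

# Constructed engineering limits (ppm) for one controlled parameter.
LIMITS = {"naoh_setpoint_ppm": (50.0, 200.0)}

def check_setpoints(readings, param, window=5, max_ratio=1.5):
    """Return alerts for a sequence of (timestamp, value) readings.

    Each reading must lie within the parameter's engineering limits, and it
    may not exceed `max_ratio` times the median of the previous `window`
    readings (the baseline). Out-of-limit values are reported once and
    skipped for the ratio check."""
    lo, hi = LIMITS[param]
    alerts = []
    for i, (ts, value) in enumerate(readings):
        if not lo <= value <= hi:
            alerts.append((ts, param, value, "outside engineering limits"))
            continue
        prior = [v for _, v in readings[max(0, i - window):i]]
        if len(prior) == window:            # need a full baseline window
            base = median(prior)
            if base > 0 and value / base > max_ratio:
                alerts.append((ts, param, value, f"{value / base:.0f}x baseline"))
    return alerts

# Constructed readings: steady dosing, one in-range jump, one 100x write.
SAMPLE = [
    ("09:00", 100.0), ("09:05", 101.0), ("09:10", 99.5), ("09:15", 100.5),
    ("09:20", 100.0), ("09:25", 190.0), ("09:30", 10000.0), ("09:35", 100.0),
]

if __name__ == "__main__":
    for alert in check_setpoints(SAMPLE, "naoh_setpoint_ppm"):
        print("ALERT", alert)
```

A real deployment would feed the same check from the historian or HMI tag values so that a write that bypasses the operator screen is still seen.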

—Story by Chris Price 

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more.
