Vulnerabilities / Threats

2/22/2018
10:30 AM
Eddie Habibi
Eddie Habibi
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Anatomy of an Attack on the Industrial IoT

How cyber vulnerabilities on sensors can lead to production outage and financial loss.

We like to think that cyberattacks are focused primarily on stealing credit card numbers and that attackers don't know much about the control systems that run critical infrastructure. Unfortunately, that's just wishful thinking. In 2017, we saw an increasing number of threat actors bypass existing network perimeter security controls to perform sophisticated reconnaissance of industrial process control networks (PCNs). They then moved beyond reconnaissance to infiltrate PCNs and disrupt production.

Here's how a knowledgeable outsider can shut down an industrial process using a published industrial control system (ICS) vulnerability in a way that is very difficult to detect.

Ambient gas detectors identify releases of small amounts of toxic flammable gases. It is common to locate many such detectors in a processing area, and to configure both alarms and automatic process shutdowns on multiple simultaneous detection signals.

In December 2015, ICS-CERT published advisory ICSA-15-309-02, which provided details on vulnerabilities affecting specific ambient gas detectors. According to the ICS-CERT advisory, "Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes." The advisory noted that "an attacker with low skill would be able to exploit these vulnerabilities."

Now, let's examine industrial Internet of Things (IoT) devices and their vulnerabilities through the eyes of an attacker. The attacker has performed reconnaissance against an industrial facility, probing its cyber defenses. During her reconnaissance, she obtained access and visibility to a dozen gas detectors. Due to the Web server interface vulnerability identified in the ICS-CERT advisory, she can bypass the authentication process and make configuration changes to the device, such as altering detection ranges and alarm limits. This access enables her to generate alarms at will.

Armed with this access and knowledge, she decides to launch an attack aimed at shutting down production by tricking operators into taking drastic action for a condition that does not exist.

In the initial phase of her attack, she decides that she doesn't want to make all sensors alarm at once. Instead, she selects four or five sensors that seem associated by their names (West Side First Level, West Side Second Level), and initiates an alarm by lowering the alarm threshold.

The detectors generate false alarms that appear to an operator as a serious leak. However, the operator has no way of knowing the alarms are false. The operator responds to the situation in a variety of ways, such as lowering the production rate, lowering pressure, or even shutting down part of the process. Evacuation of operations and maintenance personnel in the affected area is ordered. Responders suit up and try to verify the sensor readings using hand-held gas detectors, but they find nothing. The physical process examination is thorough and time consuming. Since multiple gas detector alarms sounded simultaneously, operators take the situation seriously because they cannot attribute it to a single sensor failure.

In the meantime, the attacker covers her tracks, restoring the manipulated detectors to their initial values. By the time the investigator reviews the configuration of the detectors, there is nothing amiss. After an exhaustive yet futile leak search, the process is restarted, but with additional personnel stationed in the area with leak detectors, which is both expensive and disruptive to production.

The attacker is patient. Two weeks later, she strikes again, choosing different sensors. The attacker is smart enough to select sensors based on wind direction — easy to determine from weather.com — this time, on the south side. The response to this second incident may require a much more detailed plant inspection, involving hundreds of hours and a significant production outage looking for a leak that isn't there. The hours to investigate the false gas leak and the loss of production can result in a cost of hundreds of thousands of dollars per attack.

This attack underscores the importance of assessing all known ICS vulnerabilities and prioritizing them based on risk and consequences. Industrial teams must remediate or mitigate high-priority vulnerabilities as quickly as possible. For example, the ICS-CERT advisory I reference in the example recommends implementing a firmware upgrade to remediate the device vulnerability.

Before applying system updates, though, asset owners must consider potential impacts. ICSs are highly proprietary, complex systems, implemented with very specific hardware configurations and operating system versions. Due to precise configuration specifications for automation systems, software or configuration changes can cause malfunctions that negatively affect process reliability and safety. ICS upgrades or patches must receive thorough testing by both the system vendor and asset owners, or automation engineers prior to implementation. Due to concerns over uptime requirements, asset owners in plants must plan and schedule updates months in advance. ICS upgrades and patching are a major effort for plant staff.

New vulnerabilities appear daily. Effectively managing the ever-increasing number of vulnerabilities that can affect ICSs is critical to industrial cybersecurity. Most companies struggle to keep up with the myriad ICS alerts and advisories issued each month. In fact, far too often, ICS vulnerabilities are unseen or ignored, leaving many plants at risk.

Plant managers need to make sure that their facilities have vulnerability management programs in place for continuous assessment of ICSs. Current remediation and mitigation states must be tracked and managed systematically to obtain a clear understanding of industrial risk. The downside for companies that fail to recognize and address these serious risks is that they face potentially disastrous consequences that may negatively affect plant safety, reliability, and the company's bottom line.

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Related Content:

Eddie Habibi is the founder and CEO of PAS Global. Eddie is a pioneer and a thought leader in the fields of industrial control systems (ICS) cybersecurity, Industrial IoT, data analytics, and operations management. In 2017, PAS was recognized in CRN's 15 coolest industrial ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.