
Vulnerabilities / Threats

2/22/2018
10:30 AM
Eddie Habibi

Anatomy of an Attack on the Industrial IoT

How cyber vulnerabilities on sensors can lead to production outage and financial loss.

We like to think that cyberattacks are focused primarily on stealing credit card numbers and that attackers don't know much about the control systems that run critical infrastructure. Unfortunately, that's just wishful thinking. In 2017, we saw an increasing number of threat actors bypass existing network perimeter security controls to perform sophisticated reconnaissance of industrial process control networks (PCNs). They then moved beyond reconnaissance to infiltrate PCNs and disrupt production.

Here's how a knowledgeable outsider can shut down an industrial process using a published industrial control system (ICS) vulnerability in a way that is very difficult to detect.

Ambient gas detectors identify releases of small amounts of toxic or flammable gases. It is common to locate many such detectors in a processing area, and to configure both alarms and automatic process shutdowns to trigger on multiple simultaneous detection signals, so that a single failed sensor cannot trip the plant on its own.

In December 2015, ICS-CERT published advisory ICSA-15-309-02, which provided details on vulnerabilities affecting specific ambient gas detectors. According to the ICS-CERT advisory, "Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes." The advisory noted that "an attacker with low skill would be able to exploit these vulnerabilities."

Now, let's examine industrial Internet of Things (IoT) devices and their vulnerabilities through the eyes of an attacker. The attacker has performed reconnaissance against an industrial facility, probing its cyber defenses. During her reconnaissance, she obtained network access to, and visibility of, a dozen gas detectors. Because of the Web server interface vulnerability identified in the ICS-CERT advisory, she can bypass the authentication process and make configuration changes to the devices, such as altering detection ranges and alarm limits. This access enables her to generate alarms at will.

Armed with this access and knowledge, she decides to launch an attack aimed at shutting down production by tricking operators into taking drastic action for a condition that does not exist.

In the initial phase of her attack, she decides that she doesn't want to make all sensors alarm at once. Instead, she selects four or five sensors that seem associated by their names (West Side First Level, West Side Second Level) and triggers an alarm on each by lowering its alarm threshold below the normal background reading; the detector is reporting accurately, but the limit it is compared against has been changed.

The detectors generate false alarms that appear to an operator as a serious leak. However, the operator has no way of knowing the alarms are false. The operator responds to the situation in a variety of ways, such as lowering the production rate, lowering pressure, or even shutting down part of the process. Evacuation of operations and maintenance personnel in the affected area is ordered. Responders suit up and try to verify the sensor readings using hand-held gas detectors, but they find nothing. The physical process examination is thorough and time consuming. Since multiple gas detector alarms sounded simultaneously, operators take the situation seriously because they cannot attribute it to a single sensor failure.

In the meantime, the attacker covers her tracks, restoring the manipulated detectors to their initial values. By the time the investigator reviews the configuration of the detectors, there is nothing amiss. After an exhaustive yet futile leak search, the process is restarted, but with additional personnel stationed in the area with leak detectors, which is both expensive and disruptive to production.

The attacker is patient. Two weeks later, she strikes again, choosing different sensors. The attacker is smart enough to select sensors based on wind direction — easy to determine from weather.com — this time, on the south side. The response to this second incident may require a much more detailed plant inspection, involving hundreds of hours and a significant production outage looking for a leak that isn't there. The hours to investigate the false gas leak and the loss of production can result in a cost of hundreds of thousands of dollars per attack.
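The weak point in this scenario, from the defender's side, is that the investigator only looks at the detectors' configuration after the attacker has restored it. A periodic, authenticated poll of each detector's configuration, kept as a time series beside the alarm log, shows the threshold being lowered and put back, and shows that the "leak" readings were below the golden threshold. The following is an added example of that correlation logic; it is not code from the article or from any detector vendor. The collector that polls the devices is assumed to exist, the field names and device names are hypothetical, and the snapshots and alarms are constructed to mirror the west-side incident above.

```python
"""Detect alarm-threshold tampering on networked gas detectors.

Added example (not from the article). Assumes a collector that periodically
reads each detector's configuration over an authenticated channel and appends
a Snapshot record; the alarm log comes from the historian or alarm server.
All field names, device names and sample values are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    ts: datetime
    device: str
    alarm_low_ppm: float  # low-alarm threshold as configured on the device


@dataclass(frozen=True)
class Alarm:
    ts: datetime
    device: str
    reading_ppm: float  # concentration the detector reported when it alarmed


def t(hhmm: str) -> datetime:
    h, m = hhmm.split(":")
    return datetime(2018, 2, 1, int(h), int(m))


# Golden configuration (engineering-approved thresholds), ppm.
BASELINE = {"WS-1": 20.0, "WS-2": 20.0, "WS-3": 20.0}

# Constructed sample data: three detectors polled at 10:00, 10:05 and 10:40.
# WS-1 and WS-2 are lowered from 20 ppm to 1 ppm and restored 35 minutes later.
SNAPSHOTS = [
    Snapshot(t("10:00"), "WS-1", 20.0), Snapshot(t("10:00"), "WS-2", 20.0),
    Snapshot(t("10:00"), "WS-3", 20.0),
    Snapshot(t("10:05"), "WS-1", 1.0), Snapshot(t("10:05"), "WS-2", 1.0),
    Snapshot(t("10:05"), "WS-3", 20.0),
    Snapshot(t("10:40"), "WS-1", 20.0), Snapshot(t("10:40"), "WS-2", 20.0),
    Snapshot(t("10:40"), "WS-3", 20.0),
]
ALARMS = [
    Alarm(t("10:07"), "WS-1", 3.2),   # background reading, alarms only at 1 ppm
    Alarm(t("10:07"), "WS-2", 2.9),
    Alarm(t("11:30"), "WS-3", 45.0),  # genuine exceedance of the 20 ppm limit
]


def config_changes(snaps):
    """Return (ts, device, old, new) for every threshold change between polls."""
    last, out = {}, []
    for s in sorted(snaps, key=lambda s: (s.ts, s.device)):
        prev = last.get(s.device)
        if prev is not None and prev != s.alarm_low_ppm:
            out.append((s.ts, s.device, prev, s.alarm_low_ppm))
        last[s.device] = s.alarm_low_ppm
    return out


def threshold_at(snaps, device, ts):
    """Threshold most recently polled for `device` at or before `ts` (None if unknown)."""
    cur = None
    for s in sorted(snaps, key=lambda s: s.ts):
        if s.device == device and s.ts <= ts:
            cur = s.alarm_low_ppm
    return cur


def suspicious_alarms(alarms, snaps, baseline):
    """Alarms that fired only because the threshold differed from the golden value."""
    out = []
    for a in alarms:
        cur = threshold_at(snaps, a.device, a.ts)
        if cur is not None and cur <= a.reading_ppm < baseline[a.device]:
            out.append(a)
    return out


def set_and_revert(changes, window=timedelta(hours=2)):
    """(device, lowered_at, restored_at) where a threshold was cut and put back within `window`."""
    pending, out = {}, []
    for ts, dev, old, new in sorted(changes):
        if new < old and dev not in pending:
            pending[dev] = (ts, old)
        elif dev in pending and new == pending[dev][1] and ts - pending[dev][0] <= window:
            out.append((dev, pending.pop(dev)[0], ts))
    return out


if __name__ == "__main__":
    for chg in config_changes(SNAPSHOTS):
        print("threshold change:", chg)
    for a in suspicious_alarms(ALARMS, SNAPSHOTS, BASELINE):
        print("alarm below golden threshold:", a)
    for pair in set_and_revert(config_changes(SNAPSHOTS)):
        print("lowered-then-restored:", pair)
```

The poll interval bounds what you can see: a change made and reverted between two polls is invisible, so the interval should be shorter than the time an operator needs to react to an alarm. The poller should use its own read-only credentials and be the only thing allowed to talk to the detectors' web interface from the monitoring side; on devices affected by an authentication-bypass flaw, the configuration log is only as trustworthy as the network path to the device, which is one more reason the firmware fix in the advisory matters.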

This attack underscores the importance of assessing all known ICS vulnerabilities and prioritizing them based on risk and consequences. Industrial teams must remediate or mitigate high-priority vulnerabilities as quickly as possible. For example, the ICS-CERT advisory referenced above recommends a firmware upgrade to remediate the device vulnerability.

Before applying system updates, though, asset owners must consider potential impacts. ICSs are highly proprietary, complex systems, implemented with very specific hardware configurations and operating system versions. Because automation systems depend on precise configuration specifications, software or configuration changes can cause malfunctions that negatively affect process reliability and safety. ICS upgrades or patches must be thoroughly tested by the system vendor and by the asset owner's automation engineers prior to implementation. Because of uptime requirements, asset owners in plants must plan and schedule updates months in advance, typically around a planned turnaround. ICS upgrades and patching are a major effort for plant staff.

New vulnerabilities appear daily. Effectively managing the ever-increasing number of vulnerabilities that can affect ICSs is critical to industrial cybersecurity. Most companies struggle to keep up with the myriad ICS alerts and advisories issued each month. In fact, far too often, ICS vulnerabilities are unseen or ignored, leaving many plants at risk.

Plant managers need to make sure that their facilities have vulnerability management programs in place for continuous assessment of ICSs. Current remediation and mitigation states must be tracked and managed systematically to obtain a clear understanding of industrial risk. The downside for companies that fail to recognize and address these serious risks is that they face potentially disastrous consequences that may negatively affect plant safety, reliability, and the company's bottom line.

 


Eddie Habibi is the founder and CEO of PAS Global. Eddie is a pioneer and a thought leader in the fields of industrial control systems (ICS) cybersecurity, Industrial IoT, data analytics, and operations management. In 2017, PAS was recognized in CRN's 15 coolest industrial ...
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.