Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/22/2018
10:30 AM
Eddie Habibi
Eddie Habibi
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Anatomy of an Attack on the Industrial IoT

How cyber vulnerabilities on sensors can lead to production outage and financial loss.

We like to think that cyberattacks are focused primarily on stealing credit card numbers and that attackers don't know much about the control systems that run critical infrastructure. Unfortunately, that's just wishful thinking. In 2017, we saw an increasing number of threat actors bypass existing network perimeter security controls to perform sophisticated reconnaissance of industrial process control networks (PCNs). They then moved beyond reconnaissance to infiltrate PCNs and disrupt production.

Here's how a knowledgeable outsider can shut down an industrial process using a published industrial control system (ICS) vulnerability in a way that is very difficult to detect.

Ambient gas detectors identify releases of small amounts of toxic flammable gases. It is common to locate many such detectors in a processing area, and to configure both alarms and automatic process shutdowns on multiple simultaneous detection signals.

In December 2015, ICS-CERT published advisory ICSA-15-309-02, which provided details on vulnerabilities affecting specific ambient gas detectors. According to the ICS-CERT advisory, "Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes." The advisory noted that "an attacker with low skill would be able to exploit these vulnerabilities."

Now, let's examine industrial Internet of Things (IoT) devices and their vulnerabilities through the eyes of an attacker. The attacker has performed reconnaissance against an industrial facility, probing its cyber defenses. During her reconnaissance, she obtained access and visibility to a dozen gas detectors. Due to the Web server interface vulnerability identified in the ICS-CERT advisory, she can bypass the authentication process and make configuration changes to the device, such as altering detection ranges and alarm limits. This access enables her to generate alarms at will.

Armed with this access and knowledge, she decides to launch an attack aimed at shutting down production by tricking operators into taking drastic action for a condition that does not exist.

In the initial phase of her attack, she decides that she doesn't want to make all sensors alarm at once. Instead, she selects four or five sensors that seem associated by their names (West Side First Level, West Side Second Level), and initiates an alarm by lowering the alarm threshold.

The detectors generate false alarms that appear to an operator as a serious leak. However, the operator has no way of knowing the alarms are false. The operator responds to the situation in a variety of ways, such as lowering the production rate, lowering pressure, or even shutting down part of the process. Evacuation of operations and maintenance personnel in the affected area is ordered. Responders suit up and try to verify the sensor readings using hand-held gas detectors, but they find nothing. The physical process examination is thorough and time consuming. Since multiple gas detector alarms sounded simultaneously, operators take the situation seriously because they cannot attribute it to a single sensor failure.

In the meantime, the attacker covers her tracks, restoring the manipulated detectors to their initial values. By the time the investigator reviews the configuration of the detectors, there is nothing amiss. After an exhaustive yet futile leak search, the process is restarted, but with additional personnel stationed in the area with leak detectors, which is both expensive and disruptive to production.

The attacker is patient. Two weeks later, she strikes again, choosing different sensors. The attacker is smart enough to select sensors based on wind direction — easy to determine from weather.com — this time, on the south side. The response to this second incident may require a much more detailed plant inspection, involving hundreds of hours and a significant production outage looking for a leak that isn't there. The hours to investigate the false gas leak and the loss of production can result in a cost of hundreds of thousands of dollars per attack.

This attack underscores the importance of assessing all known ICS vulnerabilities and prioritizing them based on risk and consequences. Industrial teams must remediate or mitigate high-priority vulnerabilities as quickly as possible. For example, the ICS-CERT advisory I reference in the example recommends implementing a firmware upgrade to remediate the device vulnerability.

Before applying system updates, though, asset owners must consider potential impacts. ICSs are highly proprietary, complex systems, implemented with very specific hardware configurations and operating system versions. Due to precise configuration specifications for automation systems, software or configuration changes can cause malfunctions that negatively affect process reliability and safety. ICS upgrades or patches must receive thorough testing by both the system vendor and asset owners, or automation engineers prior to implementation. Due to concerns over uptime requirements, asset owners in plants must plan and schedule updates months in advance. ICS upgrades and patching are a major effort for plant staff.

New vulnerabilities appear daily. Effectively managing the ever-increasing number of vulnerabilities that can affect ICSs is critical to industrial cybersecurity. Most companies struggle to keep up with the myriad ICS alerts and advisories issued each month. In fact, far too often, ICS vulnerabilities are unseen or ignored, leaving many plants at risk.

Plant managers need to make sure that their facilities have vulnerability management programs in place for continuous assessment of ICSs. Current remediation and mitigation states must be tracked and managed systematically to obtain a clear understanding of industrial risk. The downside for companies that fail to recognize and address these serious risks is that they face potentially disastrous consequences that may negatively affect plant safety, reliability, and the company's bottom line.

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Related Content:

Eddie Habibi is the founder and CEO of PAS Global. Eddie is a pioneer and a thought leader in the fields of industrial control systems (ICS) cybersecurity, Industrial IoT, data analytics, and operations management. In 2017, PAS was recognized in CRN's 15 coolest industrial ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15150
PUBLISHED: 2019-08-19
In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulnerability exists due to the OAuth2 state parameter not being checked in the callback function.
CVE-2017-18550
PUBLISHED: 2019-08-19
An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linux kernel before 4.13. There is potential exposure of kernel stack memory because aac_get_hba_info does not initialize the hbainfo structure.
CVE-2017-18551
PUBLISHED: 2019-08-19
An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated.
CVE-2017-18552
PUBLISHED: 2019-08-19
An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.
CVE-2018-20976
PUBLISHED: 2019-08-19
An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel before 4.18. A use after free exists, related to xfs_fs_fill_super failure.