Weaponized cybersecurity attacks can destroy critical infrastructure systems that support daily life. This feature originally appeared in the Automation 2022 Volume 4: Cybersecurity & Connectivity Ebook.
Industrial control systems (ICS) have been of incredible value to industrial companies. The ability to control the production and manufacturing of goods and services has been a major milestone of the modern world. However, everything comes with risks. Malicious actors, attackers, and hackers are terms used to describe individuals who intentionally try to cause harm, through virtual and physical means, to the systems responsible for our modern lifestyles. Such attacks can result in bad press and government fines. More seriously, they can cause harm or death to individuals or even whole communities by destroying water purification systems, disabling power plants, and prolonging outages of critical systems.
Crossing cybersecurity boundaries
Cybersecurity attacks, vulnerability exploits and digital espionage have crossed into what were once considered off-limits targets. Hacking and cyber-attacks were long considered a “dark art” primarily focused on taking small systems offline, stealing data, and holding information for ransom. But times have changed. Cyber-attacks have evolved and been weaponized with the capability to destroy the critical infrastructure systems that support everyday life. An example of such a cyber weapon was the Stuxnet worm, which targeted Siemens SIMATIC programmable logic controllers and the Step 7 engineering software used to program them.
Time and experience are required to understand how attackers gain access to networks, which vulnerabilities they exploit, and where those vulnerabilities come from. No single method provides 100 percent protection against cyber-attacks. Instead, the following list should be one small element of a broader toolkit applied throughout the cybersecurity lifecycle.
1. Lack of employee training. ICS engineers often find themselves dealing with Industrial Internet of Things (IIoT) devices that need advanced configuration and third-party support. In many cases, engineers have limited access to the resources needed for a stable configuration. Instead, engineers with only a basic understanding of information technology (IT) systems take it upon themselves to configure devices manually and place them on their networks. Without formal training in networking, IT security policies, protocols, and cybersecurity, these devices are often misconfigured and riddled with security holes and vulnerabilities.
2. Misconfigurations. Systems that have been misconfigured present major security vulnerabilities. For example, poorly configured security settings may restrict some types of traffic on an interface while leaving commonly used ports open for intruders to exploit.
3. Insider threats. Insiders are often responsible for cybersecurity breaches, both inadvertently and deliberately. A disgruntled employee may “shoulder surf” lax colleagues and capture passwords as they are entered. This provides unauthorized access to systems which, combined with knowledge of how the plant works, can lead to havoc.
4. Unnecessary user access. Granting unqualified users permission to access device commands and other programming features is a common vulnerability. Users who don’t fully understand company security policies, the complexity of how devices interact with each other, or the ramifications of how a misconfiguration can impact a network should not be allowed to configure or make changes to important systems or critical devices.
5. Asset disposal. Old equipment that was once part of a company network must be disposed of carefully, with configuration data, credentials, and any other traces of the network sanitized first. Data recovered from retired assets can be used for reconnaissance of the network.
6. Third-party outsourcing. Contractors, vendors, and outside consultants provide guidance and subject matter expertise to manufacturers and to other companies who require their assistance. Having outside personnel access critical systems from remote locations is a typical daily occurrence that busy admins and engineers often overlook. While the person originally hired might be properly vetted, the contractor might then turn around and hand menial tasks to someone who is careless, has not had the proper security clearance, or is not qualified to have access to the network.
7. Legacy hardware/software. Legacy hardware and technologies operating inside industrial systems remain common today. Many companies operating legacy systems do not have the financial resources to make the necessary upgrades and instead patch and replace components as needed. However, this operational model opens the door to security vulnerabilities that a seasoned hacker can easily exploit, because outdated systems have little to no manufacturer support for cybersecurity, and patches and system updates are nonexistent.
8. Inadequate hardware. Companies often try to save money by purchasing inadequate hardware that’s not designed for a specific application. Purchasing cheaper products and “making them work” typically leads to misconfigurations, workarounds, and rogue programming, which opens the door to security gaps and vulnerability exploitation.
9. Hardware design flaws. Industrial control systems interact with a wide variety of devices that are designed with limited cybersecurity features. For example, power analyzers or liquid flow control sensors might be considered smart because they communicate with a centralized management system, but they are susceptible to simple programming errors, and their software can easily be overwritten, making them ideal targets for malicious code execution.
10. No backups. Not having secure copies of backup configurations for critical systems can lead to a wide range of vulnerabilities. It is often the case that a critical system or piece of equipment fails and urgently needs to be replaced. When no working backup exists, the replacement's complex configuration, which must adhere to company security policies, is rebuilt under pressure, misconfigured, and left with security gaps for intruders to exploit.
11. Software updates. Not having the latest version of software for a device can lead to security and vulnerability issues. When manufacturers release software updates, it’s typically to resolve known security and functionality issues and add functionality that can prevent future issues from occurring.
12. Memory overload. Memory overload, better known as a buffer overflow, takes place when an attacker sends a device more input than the receiving buffer was sized to hold. Depending on the device, the overflow can crash it, force a reboot, or overwrite adjacent memory, giving the attacker a way to reach low-level commands or to redirect execution to malicious code that runs later. A device that trusts a length field in the message, or accepts unbounded input, exposes this weakness to anyone who can reach it on the network, with no prior access required.
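The defensive side of this item is input bounding: never size a buffer or a copy from a length field the sender controls, and reject a frame before any of its fields are trusted. The following is an added example, not code from the article or from any vendor, written for Modbus/TCP because its public frame layout (a 7-byte MBAP header whose length field is supposed to describe the rest of the frame) is exactly the kind of field a naive device trusts. The sample frames are constructed for this example; the protocol constants (260-byte maximum ADU, read-request item limits) are from the Modbus specification.

```python
"""Length-validated Modbus/TCP frame parser.

Added example (not from the article). Frame layout is the public Modbus/TCP
MBAP header: transaction id (2 bytes, big-endian), protocol id (2 bytes,
always 0), length (2 bytes: unit id + PDU), unit id (1 byte), then the PDU
(function code + data). The TCP ADU is capped at 260 bytes (7-byte header +
253-byte PDU). All sample frames below are constructed for this example.
"""
import struct

MBAP_HEADER_LEN = 7
MAX_ADU_LEN = 260
# Read function codes and the maximum item count the spec allows per request.
READ_LIMITS = {1: 2000, 2: 2000, 3: 125, 4: 125}


class FrameError(ValueError):
    """Raised for any frame the parser refuses."""


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one ADU, rejecting it before any of its fields are trusted."""
    # 1. Physical bounds: enough bytes for a header plus a function code, and
    #    never more than the protocol maximum, whatever the length field
    #    claims. A device that sizes its buffer from the length field instead
    #    of from this fixed cap is the one that gets overflowed.
    if len(frame) < MBAP_HEADER_LEN + 1:
        raise FrameError(f"frame too short: {len(frame)} bytes")
    if len(frame) > MAX_ADU_LEN:
        raise FrameError(f"frame exceeds Modbus/TCP maximum: {len(frame)} bytes")

    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_HEADER_LEN])
    if pid != 0:
        raise FrameError(f"unexpected protocol id {pid}")

    # 2. Consistency: the declared PDU size must equal what actually arrived.
    declared_pdu = length - 1            # the length field counts the unit id too
    actual_pdu = len(frame) - MBAP_HEADER_LEN
    if declared_pdu != actual_pdu:
        raise FrameError(f"length field declares {declared_pdu} PDU bytes, got {actual_pdu}")

    fc = frame[MBAP_HEADER_LEN]
    data = frame[MBAP_HEADER_LEN + 1:]
    result = {"tid": tid, "unit": unit, "fc": fc, "data": data}

    # 3. Semantic bounds for the read requests: the spec fixes the request
    #    body at 4 bytes and caps the item count, so anything else is malformed.
    if fc in READ_LIMITS:
        if len(data) != 4:
            raise FrameError(f"FC{fc} request must carry 4 data bytes, got {len(data)}")
        start, quantity = struct.unpack(">HH", data)
        if not 1 <= quantity <= READ_LIMITS[fc]:
            raise FrameError(f"FC{fc} quantity {quantity} outside 1..{READ_LIMITS[fc]}")
        result.update(start=start, quantity=quantity)
    return result


def triage(frames: dict) -> dict:
    """Run every labelled frame through the parser; return an accept/reject verdict per label."""
    verdicts = {}
    for label, frame in frames.items():
        try:
            parsed = parse_modbus_tcp(frame)
            verdicts[label] = f"accepted: FC{parsed['fc']} to unit {parsed['unit']}"
        except FrameError as exc:
            verdicts[label] = f"rejected: {exc}"
    return verdicts


# Constructed frames: one legitimate read of 10 holding registers and three
# malformed ones of the kind a fuzzing or exploitation attempt would send.
SAMPLE_FRAMES = {
    "valid read":         struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10),
    "lying length field": struct.pack(">HHHBBHH", 2, 0, 0xFFFF, 1, 3, 0, 10),
    "oversized frame":    struct.pack(">HHHB", 3, 0, 301, 1) + b"\x10" + b"A" * 299,
    "excessive quantity": struct.pack(">HHHBBHH", 4, 0, 6, 1, 3, 0, 2000),
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLE_FRAMES).items():
        print(f"{label:20s} {verdict}")
```

The order of the checks matters: the fixed-size cap is applied to the bytes actually received before the length field is even read, so a frame that claims 65,535 bytes, or that carries 300, is refused without any allocation being made on the attacker's terms.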
13. No download validation. Downloading application software and security patches can lead unsuspecting users to a look-alike website that offers what appears to be legitimate software. Without a mechanism to validate downloads, such as checking a published hash or the vendor's signature before installation, a single trojaned package can open security holes that cripple a network.
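The minimum check is to compare the file's digest against one published by the vendor on a channel the look-alike site does not control. The following is an added example, not code from the article or from any vendor: it parses a sha256sum-style manifest (one "digest, two spaces, filename" line per file, which is the format the sha256sum tool writes and reads), hashes the download in chunks, and refuses both a modified file and a file name the manifest does not list. The package bytes and the manifest are constructed for the demonstration. A signed manifest (for example, a vendor GPG signature over the SHA256SUMS file) is the stronger form, since a plain digest page can be spoofed along with the download if both come from the same compromised site.

```python
"""Verify a downloaded package against a digest published out of band.

Added example, not from the article. Assumes the vendor publishes a
SHA256SUMS-style manifest ("<hex digest>  <filename>" per line) on a channel
separate from the download itself. The package bytes and manifest here are
constructed for the demonstration.
"""
import hashlib
import hmac
import io


def sha256_of(stream, chunk_size: int = 1 << 16) -> str:
    """Hash a file-like object in chunks so a large firmware image need not be loaded whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def load_manifest(text: str) -> dict:
    """Parse 'digest  filename' lines (sha256sum format) into {filename: digest}."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")   # two spaces, as sha256sum writes it
        name = name.lstrip("*")                  # sha256sum marks binary mode with '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[name] = digest.lower()
    return manifest


def verify_download(name: str, stream, manifest: dict) -> bool:
    """True only if the file is listed and its digest matches (constant-time compare)."""
    expected = manifest.get(name)
    if expected is None:
        return False          # unknown file name: refuse rather than guess
    return hmac.compare_digest(sha256_of(stream), expected)


# Constructed vendor package and the manifest the vendor would publish.
GENUINE = b"FIRMWARE v2.3.1\n" + bytes(range(256)) * 4
MANIFEST = load_manifest(
    "# SHA256SUMS for release 2.3.1 (constructed)\n"
    f"{hashlib.sha256(GENUINE).hexdigest()}  plc-firmware-2.3.1.bin\n"
)
# What a look-alike site might serve: the same file with a single byte flipped.
TAMPERED = GENUINE[:40] + bytes([GENUINE[40] ^ 0x01]) + GENUINE[41:]


def verify_bytes(name: str, data: bytes) -> bool:
    """Convenience wrapper for in-memory data."""
    return verify_download(name, io.BytesIO(data), MANIFEST)


def install_if_valid(name: str, data: bytes) -> str:
    """Gate the install step on the manifest check."""
    if verify_bytes(name, data):
        return f"{name}: digest matches manifest, proceeding"
    return f"{name}: digest mismatch or unlisted file, install refused"


if __name__ == "__main__":
    print(install_if_valid("plc-firmware-2.3.1.bin", GENUINE))
    print(install_if_valid("plc-firmware-2.3.1.bin", TAMPERED))
    print(install_if_valid("plc-firmware-2.3.1-patched.bin", GENUINE))
```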
14. Poor network design. Operational networks have become just as complicated and robust as their IT counterparts and often require segmentation of different functions and processes through virtual LANs (VLANs) or firewalls. Poor network designs do not provide the isolation needed for security and are instead configured as one large flat network, which gives an attacker who gets in access to everything on it.
15. Network assessments. Fully functional networks are often left alone, with only minimal monitoring and system reporting tools operating in the background. It is rare that admins take the extra step of assessing the network for security flaws, vulnerabilities, and operational readiness. These extra measures are needed to ensure that operational technology (OT) networks are fully protected and current with the latest vulnerability patches, security updates, and optimal configurations.
16. Limited network visibility. Admins and engineers responsible for managing OT networks typically have monitoring tools that track the availability of hardware devices and applications running on the network. However, in today's complicated networks, with multiple segments and remote access capabilities, admins need to be more vigilant about how they monitor traffic. Packet-level monitoring, for example by an internal firewall or sensor placed between segments, is needed to ensure that unknown traffic does not traverse the network and to catch reconnaissance in which an attacker maps out destinations and device signatures for use in a later, planned attack.
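Reconnaissance of the kind described above shows up in the connection logs of a segment firewall long before the planned attack does. The following is an added example, not code from the article or from any product: it runs two detections over a constructed connection log (one line per connection attempt in an assumed "timestamp src= dst= dport= proto= action=" format) and an assumed asset inventory listing which hosts are permitted to talk to controllers. The first detection flags a source that touches many distinct destination:port pairs within a short window (a sweep, visible mostly as denies); the second flags any host outside the inventory reaching a control-protocol port at all, allowed or not. The log lines, addresses and allowlist are constructed for this example and would come from the real firewall export and inventory in practice.

```python
"""Reconnaissance detection over firewall connection logs.

Added example, not from the article. Assumes log lines of the form
"<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> action=<allow|deny>"
and an inventory of hosts allowed to talk to controllers; both are constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)
# Well-known control-protocol ports: Modbus/TCP, Siemens S7 (ISO-TSAP), DNP3, EtherNet/IP.
CONTROL_PORTS = {502, 102, 20000, 44818}
# Constructed asset inventory: only the engineering workstation may talk to controllers.
ALLOWED_TALKERS = {"10.10.1.5"}


def parse_line(line: str):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect(lines, window=timedelta(seconds=60), sweep_threshold=5):
    """Return a list of alert dicts: 'sweep' and 'unexpected_talker'."""
    records = [r for r in map(parse_line, lines) if r]
    records.sort(key=lambda r: r["ts"])          # stable, so equal timestamps keep log order
    alerts = []
    history = defaultdict(list)                  # src -> [(ts, (dst, dport)), ...]
    already_flagged = set()
    for rec in records:
        # Unexpected talker: anyone not inventoried reaching a controller port,
        # whether the firewall allowed it or not (a deny still reveals intent).
        if rec["dport"] in CONTROL_PORTS and rec["src"] not in ALLOWED_TALKERS:
            alerts.append({"type": "unexpected_talker", "src": rec["src"],
                           "dst": rec["dst"], "dport": rec["dport"], "action": rec["action"]})
        # Sweep: distinct (dst, port) targets from one source inside a sliding window.
        hist = history[rec["src"]]
        hist.append((rec["ts"], (rec["dst"], rec["dport"])))
        hist[:] = [(t, key) for t, key in hist if rec["ts"] - t <= window]
        distinct = {key for _, key in hist}
        if len(distinct) >= sweep_threshold and rec["src"] not in already_flagged:
            already_flagged.add(rec["src"])
            alerts.append({"type": "sweep", "src": rec["src"], "targets": len(distinct),
                           "first": hist[0][0].isoformat(), "last": rec["ts"].isoformat()})
    return alerts


# Constructed log: a legitimate engineering read, a sweep from an unknown
# host on the OT network, one benign HTTPS hit, and one unparsable line.
SAMPLE_LOG = [
    "2022-09-14T10:02:11 src=10.10.1.5 dst=10.10.7.4 dport=502 proto=tcp action=allow",
    "2022-09-14T10:02:40 src=10.10.5.23 dst=10.10.7.4 dport=22 proto=tcp action=deny",
    "2022-09-14T10:02:41 src=10.10.5.23 dst=10.10.7.4 dport=23 proto=tcp action=deny",
    "2022-09-14T10:02:41 src=10.10.5.23 dst=10.10.7.4 dport=80 proto=tcp action=allow",
    "2022-09-14T10:02:42 src=10.10.5.23 dst=10.10.7.4 dport=102 proto=tcp action=deny",
    "2022-09-14T10:02:43 src=10.10.5.23 dst=10.10.7.4 dport=502 proto=tcp action=allow",
    "2022-09-14T10:02:44 src=10.10.5.23 dst=10.10.7.5 dport=502 proto=tcp action=allow",
    "2022-09-14T10:02:45 src=10.10.5.23 dst=10.10.7.5 dport=44818 proto=tcp action=deny",
    "2022-09-14T10:03:10 src=10.10.1.9 dst=10.10.7.4 dport=443 proto=tcp action=allow",
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the two Modbus connections from 10.10.5.23 were allowed by the firewall, so an availability monitor would never have shown them; only the inventory comparison makes them visible.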
17. Lack of documentation. Not having up-to-date documentation of your network, connected devices, security policies, and operational procedures can lead to a wide range of security vulnerabilities, such as incorrectly configured security features, unpatched software holes, incorrectly segmented networks, and open access to services that should be secured.
18. Telecommuting. Over the past two years, there has been a significant increase in remote workers and telecommuting positions. In many cases, these employees need access to internal company resources for work purposes. Companies that provide remote access typically use a virtual private network (VPN) or similar connection software to add a layer of security. However, companies are finding that these employees have basic to no security on their home networks, leaving holes that can easily be compromised. A company laptop that connects to a compromised home network can be attacked there and, through malicious code, taken over later. Once that machine connects to the company network through the VPN, the attacker has a path to the business's resources.
19. Remote applications. Having remote applications for company resource access, tech support, and real-time monitoring and alerting can be extremely beneficial. However, by their very nature these applications present major security risks and vulnerabilities. An attacker who steals credentials for one of them can wreak havoc on an OT network. Enforce strict password policies and two-factor authentication to ensure that only authorized users can access these applications on the network.
20. Phishing. Phishing and email scams have always been major sources of vulnerability exploits and malicious code execution. The process is simple and highly effective. Unsuspecting users download a file from what looks like a trusted source or click on a web link. This downloads a small piece of malicious code that later fetches a secondary payload and gives attackers access to systems.
21. Two-factor authentication workarounds. Two-factor authentication is an excellent way to reduce the likelihood that the wrong person gains access to information, but it can be defeated if a hacker controls the computer after the two-factor authentication has taken place. A remote industrial automation control system technician may log in from a home network, thinking the information in transit is safe thanks to the VPN. But a virus or remote access trojan (RAT) that was accidentally installed earlier can activate when the VPN connects, and access may be unknowingly granted when the malware shows an innocuous message saying that the first login failed and to try again.
22. Unsecured data sockets. Running applications on default or well-known communication ports within an OT network, reachable by anyone on it, presents huge vulnerabilities. Attackers know the common port assignments and write malicious code that targets those ports directly. Moving a service to a non-default port is not a defense on its own, since a port scan finds it anyway; the point is to restrict which hosts can reach the port at all.
23. Unnecessary services. Running every default service on an application when it is not needed leaves security gaps in the OT network. Find out which services are necessary to run the hardware and applications and shut off everything else.
24. Weak firewall rules. Firewalls are an integral part of enterprise networks. In OT networks, however, many firewalls are not configured as thoroughly and are instead set up with only the basic parameters needed for functionality. In these scenarios, the firewall is easily bypassed and the lightly secured network behind it can be accessed.
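Items 6, 14, 22, 23 and 24 above all come down to the same review: which sources are allowed to reach which ports, whether the ruleset ends in a deny, and which services a device exposes that nothing needs. The following is an added example, not code from the article or from any firewall vendor: it audits a ruleset exported as a list of rules (source and destination as CIDR or "any", protocol, destination port, action, evaluated top to bottom) against an assumed OT address range and the well-known control-protocol ports, and separately compares a device's listening ports with the services it actually requires. The weak ruleset, the hardened one, the zone range and the service snapshot are constructed for this example.

```python
"""Audit an OT firewall ruleset and a device's listening services.

Added example, not from the article. Rules are dicts with src/dst (CIDR or
"any"), proto, dport (number as string, or "any") and action, in evaluation
order. The OT range, the rulesets and the service snapshot are constructed.
"""
import ipaddress

OT_NETWORK = ipaddress.ip_network("10.10.0.0/16")            # constructed OT zone
# Well-known control-protocol ports: Siemens S7, Modbus/TCP, DNP3, EtherNet/IP.
CONTROL_PORTS = {102: "S7", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}


def _inside(value: str, zone) -> bool:
    """True if a CIDR/host string lies entirely within zone; "any" never does."""
    if value == "any":
        return False
    return ipaddress.ip_network(value, strict=False).subnet_of(zone)


def audit_rules(rules: list) -> list:
    """Return (rule id, severity, message) findings for an ordered ruleset."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src_any, dst_any, port_any = r["src"] == "any", r["dst"] == "any", r["dport"] == "any"
        if src_any and dst_any and port_any:
            findings.append((r["id"], "critical", "allow any->any on all ports: no policy at all"))
            continue
        # Item 24/19: a remote-access service exposed to every possible source.
        if src_any and _inside(r["dst"], OT_NETWORK):
            findings.append((r["id"], "high",
                             f"any source may reach OT host(s) {r['dst']} on port {r['dport']}"))
        # Item 22/14: a control protocol reachable from outside the OT zone.
        if not port_any and int(r["dport"]) in CONTROL_PORTS and not _inside(r["src"], OT_NETWORK):
            findings.append((r["id"], "high",
                             f"{CONTROL_PORTS[int(r['dport'])]} (port {r['dport']}) reachable from {r['src']}, outside the OT network"))
        # Item 14: segments that can reach each other on every port are not segments.
        if port_any and _inside(r["src"], OT_NETWORK) and _inside(r["dst"], OT_NETWORK):
            findings.append((r["id"], "medium",
                             f"{r['src']} -> {r['dst']} allowed on every port: segments are not really separated"))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == "any"
            and last["dst"] == "any" and last["dport"] == "any"):
        findings.append(("end", "high", "ruleset does not end with an explicit deny any->any"))
    return findings


def unnecessary_services(listening: dict, required: dict) -> dict:
    """Item 23: listening ports that no required service accounts for."""
    return {port: name for port, name in listening.items() if port not in required}


# Constructed weak ruleset of the "basic parameters for functionality" kind.
WEAK_RULES = [
    {"id": 10, "src": "10.1.0.0/16", "dst": "10.10.0.0/16", "proto": "tcp", "dport": "502", "action": "allow"},
    {"id": 20, "src": "any", "dst": "10.10.7.4", "proto": "tcp", "dport": "3389", "action": "allow"},
    {"id": 30, "src": "10.10.1.0/24", "dst": "10.10.7.0/24", "proto": "tcp", "dport": "502", "action": "allow"},
    {"id": 40, "src": "10.10.0.0/16", "dst": "10.10.0.0/16", "proto": "any", "dport": "any", "action": "allow"},
]
# The same intent, narrowed: engineering subnet to PLCs, one jump host for RDP, explicit final deny.
HARDENED_RULES = [
    {"id": 10, "src": "10.10.1.0/24", "dst": "10.10.7.0/24", "proto": "tcp", "dport": "502", "action": "allow"},
    {"id": 20, "src": "10.10.3.2", "dst": "10.10.7.4", "proto": "tcp", "dport": "3389", "action": "allow"},
    {"id": 99, "src": "any", "dst": "any", "proto": "any", "dport": "any", "action": "deny"},
]
# Constructed listening-port snapshot of one gateway versus what it needs.
REQUIRED_SERVICES = {502: "Modbus/TCP", 443: "HTTPS management"}
LISTENING = {21: "ftp", 23: "telnet", 80: "http", 443: "https", 502: "modbus"}

if __name__ == "__main__":
    for rule_id, severity, message in audit_rules(WEAK_RULES):
        print(f"rule {rule_id}: {severity}: {message}")
    print("hardened ruleset findings:", audit_rules(HARDENED_RULES))
    print("services to disable:", unnecessary_services(LISTENING, REQUIRED_SERVICES))
```

Rule 30 in the weak set is left unflagged on purpose: an engineering subnet reaching PLCs on Modbus is the intended path, and the audit is meant to separate that from rule 10, which grants the same port to the entire corporate range.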
25. Authentication bypass. Users often tire of logging into systems to make small changes, especially if long, complicated passwords are required. In many cases, users disable authentication altogether, unknowingly exposing the system to attackers.
Addressing most of these vulnerabilities requires a holistic approach that addresses every link in the chain. This includes people involved with those systems on every level, and not just the tools they utilize.
Henry Martel ([email protected]) is a field applications engineer at Antaira Technologies, a company that provides industrial networking solutions with advanced security feature sets to protect critical systems against would-be actors or malicious activity.
©2020 Automation.com, a subsidiary of ISA