Editor’s note: The IoT and the industrial IoT (IIoT) provide the capability for all stakeholders in the electronics supply chain to seamlessly connect and share critical data. Visibility from the moment a component begins production through its end-of-life is possible through these leading-edge applications. But there are also real dangers to the networks that link supply chain partners. AspenCore’s Special Reports team takes a look at the state of the IIoT, and its vulnerabilities.
What are the worst-case possibilities if your company gets hacked? Imagine these scenarios:
- The world’s largest pure-play semiconductor company shuts down some of its fabs after a WannaCry malware variant spreads through the production network.
- After being fired, an engineer who still has access to a water and sewage company’s SCADA system opens up the valves so that the system dumps sewage everywhere.
- Hackers take control of production management software and then the industrial control system at a steel mill, causing massive physical damage.
- Unknown attackers change process parameters in the recipe for a food and beverage product by altering process controller code, increasing the quantity of salt to three times what it should be. The change goes undetected until customers complain.
- Hackers take control of an entire network of wind turbines at a U.S. wind farm using a Raspberry-Pi-based card with a cellular module for remote access to programmable automation controllers.
- Competitors of an electronics company rewrite the code on the robots used in its manufacturing process, which begins introducing subtle defects that reduce yields and cause product recalls.
The first four have already happened, and the first one happened to Taiwan Semiconductor Manufacturing Co. (TSMC) only last month.
The wind farm hack was an experiment to show just how easy it was to do. The manufacturing robot hack hasn’t happened yet — as far as we know — but the ease of intruders gaining control of industrial robot systems has been demonstrated by several industry groups.
The hacking of the IIoT
What do these all have in common? The systems that got hacked and/or compromised were industrial control systems (ICS), a central part of operational technology (OT) networks that form, along with IT networks, the industrial internet of things (IIoT).
As more and more devices get connected to IIoT networks, many of the increasingly sophisticated cyberthreats originally directed at IT environments are now entering OT environments, including ICS.
These threats pose very different and potentially larger, more hazardous risks as they migrate to OT environments. Targets may include critical infrastructure such as power grids, dams, oil rigs, chemical processing plants, manufacturing plant equipment, and production lines.
Although the typical image of a cyberattacker is an outside hacker (usually wearing a hoodie), note that not all of the attackers in the list above were outsiders: Some of these events were inside jobs, which many companies see as their greatest threat.
Potential internal attackers could include disgruntled ex-employees who may still have access to the control system, said Chris Sistrunk, principal consultant for industrial control systems at FireEye’s Mandiant cybersecurity service.
Sistrunk told us about the Australian water and sewage company’s attack and, more recently, a Louisiana case wherein an engineer who was let go still had remote access from home and shut down a paper mill.
Although a production shutdown could be very costly, it’s not the biggest concern that could result from your IIoT being hacked, said Joe Slowik, adversary hunter for industrial cybersecurity firm Dragos. “Not counting the money lost by a day or so of a shutdown — at least with that, you know what happened, and things [might be] stopped before something more pernicious could take root.”
Slowik told us about the possibility of hackers attacking production robots and affecting quality control, which could be much worse. “This causes a dramatic increase in your defect rate in a way that’s hard to troubleshoot. So then your production doesn’t meet standards and you suffer a reputation loss among your customers and vendors.”
Other attacks have been executed by presumably trustworthy third parties. For example, a fake official pretending to do a fire inspection could easily introduce a piece of malware to enable an attack by inserting a USB stick into a computer attached to an internal network, including those located at a remote facility and connected to the internet.
Another example of a third-party breach comes from the additional Russian hacks of U.S. power grids and other critical infrastructure that the U.S. Department of Homeland Security (DHS) revealed in March this year. Attackers got access via spear-phishing emails sent to equipment maintenance staff, who have legitimate remote access, in order to steal their login credentials, said Phil Neray, vice president of industrial cybersecurity for OT cybersecurity firm CyberX.
Even with some of the best physical security in place, that’s not enough to protect physical assets in a cyberattack, said Andrea Carcano, chief product officer and co-founder of Nozomi Networks, who told us about the food and beverage product hack. That company still doesn’t know if the change to its process code was introduced by external malware or someone inside the plant.
“So you may have physical protection, but changing process parameters could cause a much more dangerous effect than too much salt,” said Carcano. “If altered program code inside a process controller changes the way a product is created, without cybersecurity protection, you won’t know why or even that it’s happened. All of the pharmaceutical and chemical manufacturing companies are concerned about this possibility of changing the recipes and the processes.”
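The kind of protection Carcano describes is a baseline-and-compare check on what the controller is actually running. The following is an added illustration, not Nozomi Networks’ product or any vendor’s code; the recipe snapshots, parameter names, and engineering limits are constructed, and it does not talk to a real PLC.

```python
"""Baseline-and-compare check for process controller recipes (hypothetical)."""
import hashlib
from dataclasses import dataclass


@dataclass
class RecipeSnapshot:
    program: bytes     # controller logic as exported bytes
    setpoints: dict    # parameter name -> current value


@dataclass
class Finding:
    kind: str
    detail: str


# Constructed engineering limits: name -> (min, max, relative tolerance vs. baseline)
LIMITS = {
    "salt_g_per_kg": (8.0, 16.0, 0.05),
    "mix_temp_c": (60.0, 75.0, 0.02),
}


def program_digest(program: bytes) -> str:
    return hashlib.sha256(program).hexdigest()


def check_recipe(baseline: RecipeSnapshot, current: RecipeSnapshot) -> list:
    """Return findings: changed logic, out-of-limit values, or drift from the approved recipe."""
    findings = []
    if program_digest(baseline.program) != program_digest(current.program):
        findings.append(Finding("program_changed", "controller logic differs from approved baseline"))
    for name, (lo, hi, tol) in LIMITS.items():
        if name not in current.setpoints:
            findings.append(Finding("parameter_missing", name))
            continue
        value = current.setpoints[name]
        if not lo <= value <= hi:
            findings.append(Finding("out_of_range", f"{name}={value} outside [{lo}, {hi}]"))
        ref = baseline.setpoints[name]
        if abs(value - ref) > tol * abs(ref):
            findings.append(Finding("drift_from_baseline", f"{name}={value} vs approved {ref}"))
    return findings


# Constructed sample: the approved recipe next to a snapshot with salt tripled
APPROVED = RecipeSnapshot(b"PLC_PROGRAM_V7", {"salt_g_per_kg": 12.0, "mix_temp_c": 68.0})
SUSPECT = RecipeSnapshot(b"PLC_PROGRAM_V7_modified", {"salt_g_per_kg": 36.0, "mix_temp_c": 68.0})

if __name__ == "__main__":
    for f in check_recipe(APPROVED, SUSPECT):
        print(f.kind, "-", f.detail)
```

A real deployment would pull the program export and setpoints on a schedule or on every download event, so the alert fires before customers notice the product has changed.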
Data breaches & cyberattacks now No. 1 concern
In factories and other industrial settings, the IIoT is often heralded as the answer to many challenges. The connectivity assists in productivity, efficiency, and profitability. For utilities, it also helps manage demand. In public infrastructure, it assists governments to deliver better services more effectively and economically, including public safety.
- But the IIoT and microprocessors are emerging battlegrounds for cyberattacks, according to the global 2018 SonicWall Cyber Threat Report. Both areas are also often overlooked and unsecured.
- In 2017, there were 9.32 billion malware attacks and more than 12,500 new common vulnerabilities and exposures worldwide. Data breaches and cyberattacks overall are seen by executives as the No. 1 business, operations, and financial risk, to the extent that Lloyd’s of London considers them a greater threat than catastrophic natural disasters, says the report.
- That perception is echoed in the 2018 World Economic Forum Global Risks Report (Cyberattacks are the risk of greatest concern to business leaders in advanced economies) as well as the 2018 21st CEO Report from PricewaterhouseCoopers (PwC) (North American executives said that cyberthreats are the chief threat).
- In just the last couple of years, a perfect storm of conditions and trends has led to a huge jump in the number of cybersecurity events targeting the OT side of the IIoT. We detail the elements of that perfect storm in a companion article in this special report, “What Makes IIoT Systems So Vulnerable to Cyberattacks?” This jump includes discoveries of vulnerabilities in industrial control or related hardware and software, cyberattack incidents, and actual breaches.
- As defined by the Verizon 2018 Data Breach Investigation Report, in cybersecurity-speak, an incident is commonly understood as “a security event that compromises the integrity, confidentiality, or availability of an information asset” (Translation: The barn door is open, but the cows haven’t left), while a breach is “an incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party” (Translation: The cows have now gotten out). This report identified more than 53,000 overall cybersecurity incidents and 2,216 breaches around the world in multiple industries during the previous 12 months.
2007 to 2017: ICS cyberevents increase
“Attacks on control systems have been occurring since the late 1990s, but they didn’t become mainstream until 2010, when Stuxnet malware was discovered and reported on: That changed everything,” said Mandiant’s Sistrunk. FireEye’s Mandiant cybersecurity service discovered the TRITON/TRISIS malware designed to attack ICS-connected safety instrumented systems (SIS). “After that, we started seeing a lot of interest in security for control systems. At that time, security features were not being built into industrial control system equipment.”
The increase in ICS-related events can be appreciated by looking at a sampling of events in 2018 contrasted with a sampling of those between 2007 and 2014.
Between 2007 and 2014, the first three malware types targeting ICS were developed: the Stuxnet worm, the Havex/Backdoor.Oldrea remote access Trojan (RAT), and the SCADA-targeting version of BlackEnergy. In December 2016, cyberattackers began ratcheting up their efforts against industrial systems with the release of the fourth, the Industroyer/Crashoverride malware framework that shut down large parts of the Ukraine energy grid.
During 2017, both industrial and more broadly targeted cyberattacks escalated. While the WannaCry and NotPetya ransomware attacks were capturing world attention by revealing Windows vulnerabilities, DHS warnings to manufacturers and infrastructure owners about ICS vulnerabilities jumped.
In October 2017, those warnings became reality when DHS and the FBI issued a joint technical alert stating that attacks were now targeting the ICS of U.S. manufacturers in addition to the previously identified energy, nuclear, and water organizations. The alert also revealed that all of those attacks were part of an ongoing, long-term campaign by unnamed actors that used small, low-security networks as vectors for gaining access to larger, high-value networks in the energy sector.
Last December, a new type of malware targeting industrial processes struck an unnamed foreign critical infrastructure facility. The TRITON/TRISIS malware framework was the first designed to attack an industrial plant’s safety systems connected to ICS, making this a watershed event. It also targeted a specific hardware model.
2018: ICS cyberevents escalate
This year, security events have multiplied as a result of:
- the Meltdown and Spectre microprocessor vulnerabilities that started out the year
- the DHS/FBI identification of Russia as the source of the years-long attack on U.S. critical infrastructure and manufacturing
- hacks of oil pipeline EDI systems, causing their temporary shutdown
- vulnerabilities detected in multiple types of industrial hardware and software, including some PLCs, security cameras, routers, bridges/access points, and network management software
- a revised version of TRITON/TRISIS that now attacks many more brands of safety system hardware and has breached U.S. firms
- revelations that the China-based “Thrip” group has infiltrated satellite communication, telecom, geospatial imaging, and defense organizations in the U.S. and Southeast Asia
Cyberthreat activity within the industrial environment is definitely increasing, said Dragos’ Slowik. His firm extensively analyzed the TRITON/TRISIS attack and identified the malware’s inventors.
“Is that because we’re looking harder or is this truly a new trend?” he said. “My answer is that it’s both greater awareness and greater capability to do the analysis versus five years ago, when it was difficult or not even sensible to say, ‘This is definitely a malware event.’
“That said, the threat landscape for both commodity non-targeted and professional targeted instances seems to be increasing. By ‘commodity,’ we mean criminal, often publicly available infections such as repurposed WannaCry, and by ‘professional,’ we mean a dedicated, almost exclusively state-sponsored activity without a primary motivation for monetizing events.”
- According to the Pwnie Express 2018 Internet of Evil Things report, 85% of security professionals believe that cybersecurity threats will lead to an attack on major critical infrastructure over the next five years, and that opinion was echoed by many of the cybersecurity experts to whom we spoke in preparing this special report.
- The annual Kaspersky Lab survey of global OT/ICS cybersecurity practitioners at industrial organizations, The State of Industrial Cybersecurity 2018, found that more than half view the increased risks associated with connectivity and integrating IoT ecosystems, in addition to the management of these risks, as a major OT/ICS cybersecurity-related challenge.
- That report also cited new challenges from a growing percentage of organizations that are deploying both IIoT systems and cloud solutions for SCADA systems. More than three-quarters of respondents believe that their company will likely be the target of a cybersecurity incident affecting their industrial control networks.
It’s not only industry executives and cybersecurity professionals who are concerned about cyberattacks and vulnerabilities.
More than half of critical infrastructure operators in the energy, utilities, and manufacturing sectors said that they weren’t confident that either their own organizations or other infrastructure companies are protected from security threats to their OT environments, according to a poll released this spring by industrial cybersecurity firm Indegy.
Protection often lacking for ICS/OT networks
As has been noted in previous studies of ICS/OT cybersecurity readiness, both awareness of and budgets for ICS/OT security have been increasing, yet protection levels are low.
- According to a study conducted last year by CyberX, the Global ICS and IIoT Risk Report, one-third of OT networks with ICS-controlled processes are exposed to the public internet. Of more concern is how few are protected against that exposure. More than half use easily hackable plain-text passwords in control networks, and half lack anti-virus protection. More than 75% run obsolete Windows systems such as XP and 2000 that no longer receive security patches, while 82% run well-known remote access management protocols, making it easier to access and manipulate network equipment. Twenty percent have wireless access points, which can be compromised in multiple ways.
- Last year, information security researcher Jason Staggs from the University of Tulsa, Oklahoma, demonstrated how he could take control of entire networks of wind turbines at U.S. wind farms using just a Raspberry-Pi-based card with a cellular or Wi-Fi module for remote access to programmable automation controllers. Staggs and his colleagues would have been able to cause significant damage or loss if they’d been real attackers.
- In a report in Wired on his research, Staggs reportedly said, “They don’t take into consideration that someone can just pick a lock and plug in a Raspberry Pi.” The turbines that his team broke into were protected only by easily picked standard five-pin locks or by padlocks that took seconds to remove with a pair of bolt cutters.
But regardless of how cyberattackers get into an insufficiently protected OT network, once they’re in, they can move around the network and compromise or control industrial devices relatively easily. The types of cyberattacks that can be made, and the types of effects that threat actors are after, vary widely.
Example scenario of the potential consequences of a wind farm ransomware attack, as demonstrated by information security researcher Jason Staggs at a talk given at Black Hat USA 2017.
Kinds of threats
In the ICS/OT environment, cyberthreats are potentially larger and much more damaging than threats made to the IT environment. They can include:
- ransomware demands backed by shutdown threats
- altering production process code that can change industrial robot safety levels, affect product contents and manufacturing yields, or even cause massive damage, as in the steel mill attack
- industrial espionage
Several cybersecurity experts pointed out the importance of possibly unintentional effects of attacks originating either inside or outside the company. In giving examples of commodity non-targeted versus professional targeted instances, Dragos’ Slowik identified the recent TSMC fab shutdowns as an opportunistic, non-targeted event.
“It looks like it was caused ultimately by the WannaCry virus, yet after all that time, [the virus] was still effective in spreading by hitting production,” he said.
“WannaCry is a ‘dumb weapon’ in that it spreads indiscriminately through infected networks based on what network nodes are vulnerable to the Windows MS17-010 vulnerability. So while the exploit is fairly sophisticated, its implementation is not. Thus, in cases such as TSMC, a relatively unsophisticated, untargeted threat can rapidly spread, causing an impact in the victim environment without any intention on the part of the original author. It’s very possible that such an event was not even foreseen by the MS17-010 author, given the difficulty of monetizing ICS intrusions — at least without attracting significant law enforcement attention.”
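The indiscriminate spreading Slowik describes has a visible network signature: a worm exploiting MS17-010 reaches new hosts over SMB (TCP 445), so one host suddenly opening SMB connections to many peers in a short window stands out in flow or firewall logs. The detector below is an added example, not tooling from Dragos, FireEye, or TSMC; the flow records, hosts, threshold, and window are constructed.

```python
"""Sliding-window fan-out detector for worm-like SMB spreading (added example)."""
from collections import defaultdict, deque

SMB_PORT = 445
FANOUT_THRESHOLD = 5   # distinct SMB destinations inside one window -> alert
WINDOW_SECONDS = 60

# Constructed flow log, one record per line: "epoch src dst dport"
FLOW_LOG = """\
1000 10.1.4.20 10.1.4.1 53
1001 10.1.4.20 10.1.4.21 445
1003 10.1.4.20 10.1.4.22 445
1004 10.1.4.20 10.1.4.23 445
1006 10.1.4.20 10.1.4.24 445
1007 10.1.4.20 10.1.4.25 445
1008 10.1.4.30 10.1.4.10 445
1009 10.1.4.30 10.1.4.10 445
1100 10.1.4.31 10.1.4.11 445
"""


def parse_flows(text):
    """Parse the constructed log format into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def detect_smb_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: (window_start_ts, sorted peers)} for every source that talks
    SMB to at least `threshold` distinct hosts within any `window`-second span.
    Repeated connections to the same peer (normal file-server use) do not count."""
    alerts = {}
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    for ts, src, dst, dport in sorted(flows):
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], sorted(peers))
    return alerts


if __name__ == "__main__":
    for src, (start, peers) in detect_smb_fanout(parse_flows(FLOW_LOG)).items():
        print(f"{src}: {len(peers)} SMB peers within {WINDOW_SECONDS}s starting t={start}")
```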
— Ann R. Thryft is the industrial control & automation designline editor at EETimes. Additional reporting by Nitin Dahad, a European correspondent for EE Times.