It took one aquarium thermometer to steal 10GB of data from a Las Vegas casino. The adapter, which lacked basic security policies, was simply not on the security staff’s priority list. It was, however, on the hackers’.
Cybercrime is becoming increasingly popular, profitable and easy to pull off. Hackers used to breach systems for bragging rights, protests or simply to show that a program has flaws. In fact, the first malicious worm was created by mistake. Gradually, the ease with which one could cause massive impact while remaining anonymous tempted cybercriminals to go further lengths and create tools to gain monetary profits, steal data and cause devastating damage. Ransomware was on all-high spikes in 2019. This year hackers have a new favorite: the Internet of Things.
Why do we need IoT?
The Internet of Things is about making everything “smart.” A lamp can turn on or off as you enter or exit your office or be controlled from your mobile phone. The temperature of your living room can be tracked and adjusted remotely. The cost of incorporating sensors and processors in different devices has significantly dropped, and industrial devices benefit exemplary from these upgrades.
Collecting data from the devices and connecting them to a computer network enables manufacturers to reduce costs, optimize their processes, gain greater visibility and analytics, shorten their time to market, improve safety and enable mass customization. That’s why Operations Technology devices are increasingly brought online, to make use of the new utilities. Experts say that’s also exactly where the problem lies.
An outdated infrastructure
“Operations Technology devices were not built for this hyper-connected world. We commonly see OT devices in play that are 25 to 40 years old facing today’s cybersecurity threats,” said Jeff Hussey, CEO of industrial IoT security firm Tempered Networks.
Operations Technology (or OT) is a totally different paradigm from Information Technology (or IT, which we are all familiar with). Whereas the latter always involves a computer, the former is not necessarily so. OT devices have a crucial part in our lives, as they control power grids, water plants, buildings, factories, hospitals, and even ships at sea. They have also remained disconnected from the internet and used only in closed circuits.
“These devices used to be safeguarded as they were physically isolated from other networks and staff. This isolation, also known as air gapped networks, offered a protective layer as hackers simply could not access those devices remotely,” Hussey explained. “With the convergence of OT and IT, that protection is gone.” And with that, some of the catastrophic bad practices are starting to surface.
The upgrade for less security
“There is a one-line command that you can write on a particular control system’s HMI, and that would grant you administrator privileges on the entire network,” said Mark Carrigan, COO and CRO of ICS cybersecurity providing PAS Global. “The vendor recently patched their devices because that command did not always work.”
These kinds of commands are perfectly normal in the OT industry. In fact, engineers rely on them to manage and operate their systems, and the vendor solved the problem so they could always get admin access. But as the malevolent IT world steps in, the rules change. “They can’t just go ahead and fix it, as people are currently relying on these commands. This is a problem by design,” Carrigan explained.
The same goes for default passwords. Ring made headlines when its device was compromised to harass three young girls. While Ring’s security was not directly breached, hackers had managed to guess the weak passwords and gain maleficent access.
“Password spraying” is a well-known attack pattern in the cybercrime world, yet the problem gets even worse when it comes to OT. “Engineers rely on these accounts and passwords to do their jobs,” reminded Mark. “You can’t just change it. You’ll break stuff.” The OT industry grew with these flaws built in. It requires significant change both on the hardware level as well as the employee training level to correct. And that is only half of the equation.
Lack of standards
As much as IT developers have lived in a wicked environment, their constant fights against cybercriminals have also helped them evolve. The IT world has gone great lengths in developing security practices and standards. In the OT world, however, every manufacturer has their own practices, and not all of them are industry’s best. “Only the likes of large companies like Microsoft, Apple and Samsung can afford to hire teams of dedicated experts devoted to security. For other companies, that is simply economically infeasible,” explained Joël Conus, VP of Kudelski Group’s IoT Security Labs. “IoT devices threaten to become one of the single largest attack surfaces for cyberattacks as they are projected to reach many billions of devices in the coming years.
“There are networks comprised of hundreds or thousands of these devices, each with their own OS and software and security gaps. IoT devices are often installed in uncontrolled environments, making them particularly vulnerable to attack. And once an IoT device is compromised, it can be a door into infiltrating the entire network.”
“We recently worked with an oil and gas facility that had two high-tech exercise bicycles on their network,” shared Eric Poynton, Lead Network Threat Hunter at Awake Security. “These two exercise bikes were sending unencrypted HTTP traffic to the internet and used a weak authentication method that exposes usernames and passwords. They were not segmented from corporate IT resources and thus presented the attacker with a network path to the organization’s critical assets. Not only were these bikes exfiltrating data out to the inzternet, they also appeared to be unpatched, leaving the facility wide open to attack.
“Devices like these often fly under the radar, as they don’t make the list of critical IoT devices. In this instance, the firm’s IT and security teams were completely unaware of these devices being on the network in the first place since existing security and configuration management tools were blind to unmanaged IoT devices.”
It's not just the devices that are missed – sometimes, the protocols are.
In recent years, more and more devices have shifted to HTTP/HTTPS for remote communication. Unfortunately, not everyone knows this. “In our research at SecurityScorecard, we have found a surprising amount of ICS IoT web applications that were exposed to the public internet,” said Alex Heid, chief R&D officer at SecurityScorecard. “Many of the web applications were not protected by any form of authentication - meaning there were no passwords in use. We discovered public, accessible, and password-less ICS web applications for chemical processing facilities, electrical power stations, and even a hydroelectric power plant.
“When we contacted the exposed entities, the common thread was they were surprised to know that the ICS web app was accessible to the public internet. The stories were similar; ‘a vendor installed the internet connection, another vendor configured the network, another vendor managed the network’ - in other words, the disconnected supply chains were not in communication and the ‘right hand’ did not know what the 'left hand' was doing. This scenario is more of the rule rather than the exception.”
The price of security
Security has traditionally been second priority. Device producers face competition, and when forced to offer competitive prices, security suffers – a feature that has not been high on the consumers’ priority list. We can only hope that this changes before significant damage is made.
Luckily, regulations are stepping in, because with the current security gaps in our infrastructure, hackers have either not learned about its flaws yet, or see no incentive in hacking it, or they already have and we just don’t know it yet.