The real possibility of extortion attacks on OT and IIoT infrastructure


Optimists tend to see the rise of the Industrial internet-of-things (IIoT), and its close relation Operational Technology (OT) as one of the most significant business trends of the early 21st century.

Analysing the concept, I can understand where the rosy glow comes from. Take the best parts of IoT – connecting a huge range of devices, sensors and equipment to the Internet – but add the sort of machine-to-machine (M2M) communication and automation needed for industrial processes and you’ve arrived at the next big industrial wave.

In Germany, Europe’s biggest industrial economy, the harnessing of IIoT to digital automation has developed far enough for it to routinely be described as a fourth industrial revolution, the so-called ‘Industrie 4.0’ (‘Manufacturing 4.0’) strategic initiative enthusiastically promoted by the German Government.

It’s an alluring prospect of more integrated supply chains, real-time feedback on processes, problems and inventory, where even the smallest elements of any industrial system would become inter-connected. Efficiency would be transformed, problems and failures reduced, in a world where systems might eventually look after themselves without the need for expensive human intervention and management. This IIoT is IoT done right for numerous industries on which the digital economy ultimately depends.

However, facing this is a more pessimistic – some would argue more realistic – way of understanding the arrival of IIoT and OT: as delivering a new set of digital vulnerabilities that are in danger of being underestimated in the same way consumer IoT risks were in the early years.

You don’t have to be an outright pessimist to agree that the security sceptics have a point – the more devices, equipment, sensors and applications you connect to one another, the greater the inter-dependency and sensitivity to disruption. If the last 20 years of cybercrime’s rise has taught us one thing, it’s surely that there are now just as many forces that might seek to disrupt IIoT and OT as benefit from it.

Because Industry 4.0 and IIoT are still emerging and a lot of technology and standards have yet to be finalised, working out how they might be vulnerable to cyberattack isn’t easy.

However, what we know from recent cyberattacks aimed at manufacturing should give us cause for concern. According to Verizon’s most recent Data Breach Investigations Report (DBIR), which analysed figures from 2017, manufacturing suffered 42 known breaches and 389 cyber-incidents of various types, not far behind sectors such as healthcare, finance, and retail. About 90 per cent of these originated with external hacking rather than an internal compromise or misconfiguration and, importantly, Verizon believes that 86 per cent were targeted attacks custom-designed to penetrate specific companies.

“Since, overall, the vast majority of attacks are opportunistic in nature, this finding underlines the point that criminals go after certain manufacturing entities with a very specific purpose in mind,” said the report.

These figures don’t tell us much about how vulnerable IIoT and OT might be to cyberattack, but they underline that the motive to target them is already well established for a range of reasons including geo-political advantage and financial gain.

How might attacks unfold?

All cyberattacks are founded on a combination of technical means – the weakness being exploited to penetrate a target network – and the motivation to do so regardless of the risks or costs. Looking at recent events, it’s clear that the obvious template for attacks is probably targeted cyber-extortion, which scores a maximum 10 on both scales.

A warning of how unpleasant this can be was delivered by what happened to the city of Atlanta in March 2018. Like every city in the developed world, Atlanta and its citizens depend on online services that make available simple applications such as parking, bill payment, court appearances, and a miscellany of local government bureaucracy.

Using a hacking-to-ransomware platform called SamSam, the attackers burrowed into the city’s network to encrypt and hold a suite of applications hostage. With the ransom demand for $51,000 (£39,000) apparently unmet, the attack eventually cost a reported $2.6 million to clean up. SamSam was blamed for other attacks during 2018, including the City of Newark, Colorado Department of Transportation, the University of Calgary, and perhaps most worrying of all from an industrial point of view, on the ports of Barcelona and San Diego.

The lesson is that if such a thing can befall a city or port, the same thing can happen to any institution, organisation, or critical asset, including a factory, industrial process or supply chain in which even a few hours of downtime can be crippling. Size and importance no longer seem to be a protection; indeed, the opposite might now be true. If it’s valuable and vulnerable enough, then it’s a target an attacker will spend time going after.

It’s my view that IIoT systems are still often not well defended using anything that resembles a mature security model. There are simply too many ways in, the legacies of past security design mistakes. Industrial networks supporting IIoT are not likely to be built from scratch and will depend on an organisation’s established network security and protocols.

A fundamental problem is that, by their nature, IIoT and OT increase the number of devices communicating over Internet protocols that attackers can aim at. All an attacker has to do is find a weak point or protocol – Remote Desktop Protocol (RDP) was SamSam’s chosen method of entry – from which to build a deeper incursion into the target network. By the time a victim realises an attacker is inside the network it is probably already too late.
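As an added example (not from the article or from Airbus CyberSecurity), the kind of early-warning check a defender can run over Windows Security events to catch the RDP entry pattern described above before the incursion deepens: a burst of failed remote-interactive logons (event ID 4625, logon type 10) from one source followed by a successful one (event ID 4624, logon type 10). The event records and the simplified comma-separated line format are constructed for illustration.

```python
"""Flag a successful RDP logon that follows repeated RDP logon failures.

Added example with constructed records. Windows logs a failed logon as event
4625 and a success as 4624; logon type 10 is RemoteInteractive (RDP). The
"timestamp,event_id,logon_type,source_ip,account" format is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2018-03-20T02:14:01,4625,10,203.0.113.7,administrator
2018-03-20T02:14:03,4625,10,203.0.113.7,administrator
2018-03-20T02:14:05,4625,10,203.0.113.7,admin
2018-03-20T02:14:08,4625,10,203.0.113.7,backup
2018-03-20T02:14:11,4625,10,203.0.113.7,svc_hmi
2018-03-20T02:14:15,4624,10,203.0.113.7,svc_hmi
2018-03-20T02:20:00,4625,10,192.0.2.15,jsmith
2018-03-20T02:21:00,4624,10,192.0.2.15,jsmith
2018-03-20T02:22:00,4624,2,192.0.2.15,jsmith
"""

FAILURE_THRESHOLD = 4           # failed RDP logons that count as guessing
WINDOW = timedelta(minutes=10)  # failures must fall inside this window

def parse_events(text):
    """Turn the line format into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "type": int(logon_type), "src": src, "account": account})
    return events

def find_rdp_bruteforce_success(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (source_ip, account, time) for every successful RDP logon preceded
    by at least `threshold` RDP failures from the same source within `window`."""
    failures = defaultdict(list)   # source_ip -> recent failure timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != 10:       # only RemoteInteractive (RDP) logons matter
            continue
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        failures[ev["src"]] = recent
        if ev["id"] == 4625:
            recent.append(ev["ts"])
        elif ev["id"] == 4624 and len(recent) >= threshold:
            alerts.append((ev["src"], ev["account"], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for src, account, when in find_rdp_bruteforce_success(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {when.isoformat()} RDP logon as {account} from {src} after repeated failures")
```

In the sample, only the first source trips the rule; the second source has a single failure and a console (logon type 2) success, which the check ignores.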

This should give anyone planning to implement IIoT and OT pause for thought. Building security on hope in this new and much more dangerous world is asking for trouble. It falls to the professionals tasked with defending Industry 4.0 to build their defences from the ground up if the next wave of industrial technology is to fulfil its promise.

Joerg Schuler, OT Security Portfolio Manager, Airbus CyberSecurity