2 main vectors into OT
There are two main vectors through which malware can enter a production facility's OT environment: over the network, or on removable media and devices that someone carries in and connects by hand.
Over the network, attackers reach OT systems by compromising assets that are reachable across routable networks and through firewalls, typically starting from the IT side. OT network best practices such as segmentation, strong authentication, and multiple firewalled zones with a DMZ between IT and OT go a long way toward preventing an incident.
BlackEnergy malware, used in the December 2015 attack on the Ukrainian grid, the first confirmed cyberattack to cause a power outage, gained its foothold through spear-phishing emails sent to users on the IT side of the utilities' networks.
From there the threat actors pivoted into the OT network and used the SCADA systems to open breakers in substations. The attack is reported to have left more than 200,000 customers without power for up to six hours in the middle of winter.
“Sneakernet” may be an unfamiliar or awkward term, but it simply means that devices such as USB drives and floppy disks can carry information, and threats, into critical OT networks and air-gapped systems whenever someone physically brings them into the facility and connects them to the relevant system.
USB devices continue to pose a challenge, especially as organisations increasingly rely on portable storage to transfer patches, collect logs, and more. USB is often the only interface available for keyboards and mice, so the bus cannot simply be switched off; unless ports are controlled by device class or by an allowlist of known devices, every spare USB port stays live.
As a result, foreign devices can be inserted into the very machines we are trying to protect. Attackers have been known to plant infected USB drives in and around the facilities they target. Employees who find such a drive sometimes plug it into a system simply to find out what is on it, even when it carries no tempting label such as “financial results” or “headcount changes.”
Stuxnet may be the most infamous example of malware carried into an air-gapped facility by USB. This highly specialised and sophisticated worm was introduced into an air-gapped nuclear enrichment facility to alter the programming of its programmable logic controllers (PLCs). It periodically drove the centrifuges outside their safe speed range while replaying normal readings to operators, ultimately causing physical damage to the equipment.
Now more than ever, production environments face threats from malicious USB devices capable of circumventing the air gap and other safeguards to disrupt operations from within. The “2021 Honeywell Industrial Cybersecurity USB Threat Report” found that 79% of the threats detected on USB devices had the potential to cause disruption in OT, including loss of view and loss of control.
The same report found that USB usage had increased by 30%, and that 51% of the USB-borne threats attempted to establish remote access into protected, air-gapped facilities. The figures come from anonymised 2020 data gathered by Honeywell's Global Analysis, Research and Defense (GARD) engine, which analyses file-based content, validates each file, and detects malware being carried via USB into or out of real OT systems.
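As an added illustration of what “validating each file” on removable media can mean in practice, the script below is example code written for this article, not Honeywell's GARD engine or any product's logic. It checks files on a mounted USB root by content rather than by name: leading magic bytes are compared against the claimed extension, types that have no business on a patch stick are refused, and autorun.inf and shortcut files are flagged. The sample files, including an executable renamed to .pdf, are constructed in a temporary directory so the script runs offline.

```python
"""Content-based checks for files arriving on removable media.

Added example, not code from the article or any vendor. It flags:
  - files whose leading bytes (magic) disagree with their extension
  - autorun.inf and script/shortcut types used for USB-borne propagation
  - anything of a type not on a short allowlist of legitimate transfers
"""
import os
import tempfile

# Magic bytes for a few types that legitimately travel on USB into OT.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",      # OOXML is a zip container
    ".exe": b"MZ",
    ".msi": b"\xd0\xcf\x11\xe0",
}
ALWAYS_FLAG = {"autorun.inf"}
FLAG_EXT = {".lnk", ".scr", ".pif", ".vbs", ".js", ".hta"}


def classify(path):
    """Return ('allow' | 'block', reason) for one file."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    with open(path, "rb") as fh:
        head = fh.read(16)
    if name in ALWAYS_FLAG:
        return "block", "autorun file"
    if ext in FLAG_EXT:
        return "block", f"script or shortcut type {ext}"
    expected = MAGIC.get(ext)
    if expected is None:
        return "block", f"type not on allowlist: {ext or '(none)'}"
    if not head.startswith(expected):
        return "block", f"content does not match {ext} (starts {head[:4]!r})"
    return "allow", "type verified by content"


def scan_media(root):
    """Walk a mounted USB root; return {relative_path: (verdict, reason)}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            results[os.path.relpath(p, root)] = classify(p)
    return results


def build_sample_media():
    """Create constructed sample files resembling a patch-transfer USB stick."""
    root = tempfile.mkdtemp(prefix="usb_")
    samples = {
        "firmware_notes.pdf": b"%PDF-1.7\n%...",
        "patch_bundle.zip": b"PK\x03\x04" + b"\x00" * 12,
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 12,    # PE executable renamed
        "autorun.inf": b"[autorun]\nopen=setup.exe\n",
        "readme.lnk": b"L\x00\x00\x00" + b"\x00" * 12,
        "tool.bin": b"\x7fELF" + b"\x00" * 12,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_media()
    for rel, (verdict, why) in sorted(scan_media(root).items()):
        print(f"{verdict:5} {rel:20} {why}")
```

The allowlist approach is deliberate: on a transfer path into OT, a file of an unexpected type is blocked by default rather than waved through because no signature matched. Magic-byte checks catch renamed executables and stray script files; they do not replace malware scanning of the files that do pass.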
TRITON is the first recorded malware designed to attack the safety systems of a production facility. A safety instrumented system (SIS) is the last line of automated safety defense in an industrial plant, designed to bring a process to a safe state and prevent catastrophic incidents such as explosions or fire.
Attackers first penetrated the IT network and then moved into the OT network through systems accessible from both environments. Once inside, they deployed TRITON on the engineering workstation for the SIS, from which it could reprogram the safety controllers. In the 2017 incident the tampering tripped the controllers into a safe shutdown, which is how it was discovered; the same access could have disabled the SIS outright, leaving a dangerous process condition unchecked and putting people within the facility at risk.
Physical devices can also lead to cyber incidents
It is not only content-based threats we need to watch for. A mouse, a cable, or another peripheral can be weaponised against OT too.
In 2019, malicious actors targeted a trusted person with access to a control network, who unknowingly swapped a genuine mouse for a weaponised one. Once it was connected to the critical network, someone at a remote location took control of the computer and launched ransomware.
The power plant paid the ransom but did not get its files back and had to rebuild, with the facility affected for three months. It is imperative to know where your devices come from before using them.
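The two peripheral problems described above, spare USB ports that stay live because the bus must remain available for keyboards and mice, and a mouse that is really a keystroke injector or a composite device, are what interface-class allowlisting addresses. The policy function below is an added example written for this article, not code from the article's author, Honeywell, or any product; it models the kind of rule a host control such as USBGuard on Linux or device-installation restrictions on Windows enforces. Each device is represented by the interface descriptors it presents to the host; the vendor IDs, product IDs, serials and device records are constructed.

```python
"""Interface-class allowlisting for USB devices on an OT workstation.

Added example, not code from the article or any product. Each device is
described by the interface descriptors it presents to the host, as a list of
(class, subclass, protocol) triples. Vendor/product IDs and serials below are
constructed placeholders.
"""

# USB class codes (from the USB-IF class code list)
CDC_CONTROL, HID, MASS_STORAGE, CDC_DATA, WIRELESS = 0x02, 0x03, 0x08, 0x0A, 0xE0
# Boot-protocol HID interfaces as (class, subclass, protocol)
KEYBOARD = (HID, 0x01, 0x01)
MOUSE = (HID, 0x01, 0x02)
SCSI_BULK = (MASS_STORAGE, 0x06, 0x50)      # an ordinary USB stick

# Storage media issued and registered by the site: (vid, pid, serial). Constructed.
APPROVED_STORAGE = {(0x0781, 0x5583, "4C530001234567890001")}


def evaluate(device):
    """Return ('allow' | 'block', reason) for one device.

    device = {"vid": int, "pid": int, "serial": str | None,
              "interfaces": [(class, subclass, protocol), ...]}
    """
    ifaces = device["interfaces"]
    if not ifaces:
        return "block", "no interfaces declared"
    classes = {cls for cls, _, _ in ifaces}

    # Human input devices: exactly one boot-protocol keyboard or mouse interface.
    if classes == {HID}:
        if len(ifaces) == 1 and ifaces[0] in (KEYBOARD, MOUSE):
            return "allow", "single HID input device"
        # A 'mouse' that also enumerates a keyboard can type commands on its own.
        protos = sorted(p for _, _, p in ifaces)
        return "block", f"composite HID device, protocols {protos}"

    # HID combined with any other class (storage, network) is the BadUSB shape.
    if HID in classes:
        others = sorted(hex(c) for c in classes - {HID})
        return "block", f"HID combined with classes {others}"

    if classes == {MASS_STORAGE}:
        key = (device["vid"], device["pid"], device.get("serial"))
        if key in APPROVED_STORAGE:
            return "allow", "registered storage device"
        return "block", "unregistered storage device"

    if classes & {CDC_CONTROL, CDC_DATA, WIRELESS}:
        return "block", "network or modem class device"

    return "block", f"class not in allowlist: {sorted(hex(c) for c in classes)}"


def evaluate_all(devices):
    """Apply the policy to a {name: device} mapping; returns {name: verdict}."""
    return {name: evaluate(dev)[0] for name, dev in devices.items()}


# Constructed devices as the host would see them after enumeration.
SAMPLE_DEVICES = {
    "plain_mouse": {"vid": 0x046D, "pid": 0xC077, "serial": None,
                    "interfaces": [MOUSE]},
    "weaponised_mouse": {"vid": 0x046D, "pid": 0xC077, "serial": None,
                         "interfaces": [MOUSE, KEYBOARD]},
    "mouse_plus_storage": {"vid": 0x1234, "pid": 0x0001, "serial": "A1",
                           "interfaces": [MOUSE, SCSI_BULK]},
    "site_patch_stick": {"vid": 0x0781, "pid": 0x5583,
                         "serial": "4C530001234567890001",
                         "interfaces": [SCSI_BULK]},
    "stick_from_car_park": {"vid": 0x0781, "pid": 0x5583, "serial": "ZZ9",
                            "interfaces": [SCSI_BULK]},
    "network_gadget": {"vid": 0x0525, "pid": 0xA4A2, "serial": None,
                       "interfaces": [(WIRELESS, 0x01, 0x03), (CDC_DATA, 0, 0)]},
}

if __name__ == "__main__":
    for name, dev in SAMPLE_DEVICES.items():
        verdict, why = evaluate(dev)
        print(f"{verdict:5} {name:22} {why}")
```

One caveat worth stating plainly: descriptors are self-reported by the device. A keystroke injector that presents itself as nothing but a single keyboard is indistinguishable from a real keyboard at this layer, which is exactly why the provenance of peripherals matters as much as port control, and why physical port locks and sourcing from known suppliers belong alongside a policy like this one.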
3 steps to defeat cyber threats
Cyber threats are constantly evolving.
First, set a regular time to review your cyber security strategy, policies, and tools so that they keep pace with these threats. Second, USB-borne threats are on the rise, so evaluate the risk they pose to your OT operations and how effective your current safeguards for USB devices and ports, and the controls over them, actually are.
Last but not least, a defense-in-depth strategy is highly recommended: layer OT cyber security tools and policies so that no single control has to stop every attack, giving your organisation the best chance to stay safe from ever-evolving threats.
This article first appeared on Dark Reading. Part of the Informa Network, Dark Reading is a trusted online community for cyber security professionals, including CISOs, cyber security researchers and technology specialists. Covering the latest threats, vulnerabilities and cyber attacks, Dark Reading supports community members in keeping up with the latest in the sector.