For many years hackers have been content to destroy companies’ office networks and demand ransom if those companies wanted control of their systems back in order to do business.
But that is not enough for the hackers. They want to shut down factories and do damage.
There have been a couple of barriers to hackers being successful in this venture, which is a good thing.
Unlike office computers, which are built around a handful of chips (Intel, AMD, Arm, etc.), the computers that run factories are built around a much wider range of processors. In addition, every manufacturer runs its own operating system, and sometimes different products from the same manufacturer run different operating systems, although some of the newer hardware runs a version of Linux. Lastly, these so-called OT, or operational-technology, networks are often isolated from the corporate networks, at least in theory.
One of the first public OT attacks was done by a US/CIA and Israel joint venture – the Stuxnet attack against Iran’s uranium enrichment program (although neither country formally admitted to doing it, it is widely believed that it was them). Then there was an attack that Russia carried out against Ukraine, turning off the power in the middle of winter. Twice.
These attacks legitimized this form of attack in many people’s minds, particularly the hackers’.
In 2017 the Triton family of malware was discovered by researchers.
Designed to be very low-key so as not to set off any alarms, it attacks Triconex controllers made by Schneider Electric. These controllers are designed to be a “kill switch” that shuts down the factory or refinery or whatever in case of a critical failure that causes the plant to operate outside of its safety limits. This is only one family of malware that affects these networks; there are likely more.
Unless, that is, you can fool the controllers into thinking they are operating within limits while at the same time making the devices operate unsafely. This is how Stuxnet destroyed the Iranian centrifuges and also how someone damaged a German steel plant.
FireEye released a report on how the early generations of Triton operated and remained under the radar. To date, Triton has only been deployed at a handful of facilities, in order to keep it more immune to detection and protection.
Since the attackers were not trying to steal data from the IT network, they didn’t make copies of files or exfiltrate large amounts of data.
Mostly, they wandered through the network for years undetected, looking for the right workstation to attack and working to better understand how the network operates.
They also worked hard to install multiple backdoors so that if they got detected and were kicked out, they could come back in again.
FireEye says that the attack lifecycle of a sophisticated attack is often measured in years.
All of this means that owners of control networks like factories need to step up their security game and not hope that obscurity will protect them. Even the government admits that it is likely that many of our critical infrastructure systems have already been compromised.
We also need to understand that OT-style controls are used more and more in the office environment: things like controlling TVs, projectors, heating and cooling, electronic signs, video conferencing systems, security cameras, etc.
Proper design would say that these devices need to be isolated, but often it is more convenient to connect them to the IT network. Since almost no one patches their TV, refrigerator or light bulbs, and even fewer people know what the normal behavior of these devices is so that they could monitor what the devices are doing, these devices put the IT network at greater risk.
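One way to get the baseline almost nobody has, as an added example that is not from the original post: learn what each device normally talks to and how much it sends, then alert on anything outside that. The flow records, addresses and record layout below are constructed for the example.

```python
"""Baseline-and-alert for OT-style devices (TVs, cameras) on an office network.

Added illustration, not from the original post or FireEye's report. Flow
records are constructed; the (src, dst, dport, bytes_out) layout is an
assumption loosely modelled on NetFlow/IPFIX-style exports.
"""
from collections import defaultdict

# Constructed learning-window flows: a smart TV (.11) and a camera (.12).
BASELINE_FLOWS = [
    ("10.20.0.11", "203.0.113.10", 443, 4_000),  # TV: vendor update server
    ("10.20.0.11", "203.0.113.10", 443, 5_200),
    ("10.20.0.11", "10.20.0.1", 53, 120),        # TV: DNS to local resolver
    ("10.20.0.12", "10.20.0.50", 554, 900_000),  # camera: RTSP to the NVR
    ("10.20.0.12", "10.20.0.1", 53, 100),
]

def learn_baseline(flows):
    """Per device, the largest outbound byte count seen for each
    (dst, dport) it talked to during the learning window."""
    baseline = defaultdict(dict)
    for src, dst, dport, nbytes in flows:
        peer = (dst, dport)
        baseline[src][peer] = max(baseline[src].get(peer, 0), nbytes)
    return dict(baseline)

def find_anomalies(baseline, flows, volume_factor=10):
    """Flag a known device talking to an unseen (dst, dport), a flow whose
    volume exceeds volume_factor times the learned maximum for that peer,
    and any source not in the baseline (it should not be on this segment)."""
    alerts = []
    for src, dst, dport, nbytes in flows:
        peers = baseline.get(src)
        if peers is None:
            alerts.append((src, "unknown device"))
        elif (dst, dport) not in peers:
            alerts.append((src, f"new peer {dst}:{dport}"))
        elif nbytes > volume_factor * peers[(dst, dport)]:
            alerts.append((src, f"volume {nbytes} bytes to {dst}:{dport}"))
    return alerts

# Constructed live flows: one normal flow per device plus three deviations.
LIVE_FLOWS = [
    ("10.20.0.11", "203.0.113.10", 443, 4_500),  # normal update check
    ("10.20.0.11", "10.20.0.77", 445, 2_000),    # TV speaking SMB to a workstation
    ("10.20.0.12", "10.20.0.50", 554, 950_000),  # normal video stream
    ("10.20.0.12", "10.20.0.1", 53, 2_000),      # DNS 20x larger than ever seen
    ("10.20.0.13", "10.20.0.1", 53, 100),        # device never seen in baseline
]

if __name__ == "__main__":
    for src, reason in find_anomalies(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(f"ALERT {src}: {reason}")
```

The alert list is the starting point for the "what is normal" question the paragraph raises; in practice the learning window must itself be taken from a period you trust, or a compromised device simply becomes part of the baseline.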
“We encourage ICS asset owners to leverage the detection rules and other information included in this report to hunt for related activity as we believe there is a good chance the threat actor was or is present in other target networks.”
AS WE BELIEVE THAT THERE IS A GOOD CHANCE THE THREAT ACTOR WAS OR IS PRESENT IN OTHER TARGET NETWORKS!!!
Well that is comforting.
Bottom line is that we need to up our game in securing these OT networks and devices.
As if we didn’t have enough work already.
Source: CSO Online.