
Rats on the West Side, bed bugs uptown

[chart: ENISA 2012-2013 threat trends]

The just-released 2013 ENISA (European Union Agency for Network and Information Security) Threat Landscape report is consistent with Mick Jagger’s prescient 1978 prediction of the state of cybersecurity, captured here:

Don’t you know the crime rate
Is going up, up, up, up, up
To live in this town you must be
Tough, tough, tough, tough, tough

A number of known threats continue, attack tools are increasingly sophisticated, more nation-states are becoming proficient with these tools, and the mobile ecosystem is a ripe new battlefield. On the upside, reporting and information sharing between organizations has increased, and vendor turnaround in response to new vulnerabilities is faster.

I can’t give it away on 7th avenue — cheap and plentiful devices

[image: In 1969 Jagger-Richards revisit uncertainty & remind us that we can't always get what we want]

While known to be a factor for some time, a newcomer to the threat list is the Internet of Things (IoT). IoT devices are networked devices that move, control, sense, surveil, record video/audio, and otherwise collect and share information from and with the environment. Development tools and production for these networked devices and systems are cheap, and billions more are expected in the next couple of years. (There’s even a conference preparing a road map for a trillion sensors in the next several years.)

Low security is the rule rather than the exception for these devices, and large amounts of data are being generated. The ENISA report says, “smart environments are considered the ultimate target for cyber criminals.” For example, preliminary work for phishing attacks can be augmented by gaining information about where a victim’s smart home is, picking up information leakage from their integrated media devices (Xbox One is doing more than just playing Halo), accessing what a user’s energy usage profile might be, etc. ENISA calls out the following top emerging threats in the Internet of Things space:

[chart: ENISA top emerging threats in the Internet of Things]

Other threats identified include:

  • Differences among the many different smart appliances lead to large variances in the context and content of transmitted data, opening avenues for cybercriminals.
  • Devices are built on embedded systems, some of which have not yet been widely deployed. Some of these embedded cores (of many different types and from many manufacturers) will have unknown and unpublished functions, and many will be difficult to maintain (keep patched). Look at the recent D-Link saga.
  • Many devices built on embedded systems do not communicate operational status to the user, e.g. “I am working,” “I am actively collecting data on your environment,” “I am behaving erratically,” “I am off,” etc.
  • Increased data creation leads to increased data storage amounts, data concentration, and correspondingly increased bandwidth requirements/loads. Even a little bit of analysis can result in a significant increase in resources. Remember the basic database join (or the even simpler Cartesian product)? You start with three elements in one list (A, B, C), but want to relate them to data in another list (D, E, F), so you relate them in a third table and get (AD, AE, AF, BD, BE, BF, CD, CE, CF). If each element used, say, 1 MB of space, your initial storage and bandwidth requirement quadrupled from 6 MB (A + B + C + D + E + F) to 24 MB (A + B + C + D + E + F + AD + AE + AF + BD + BE + BF + CD + CE + CF).

For me, the other thing about Internet of Things (IoT) devices is that we often don’t really think of them as sensing, computing, analyzing, data collecting and transmitting devices. Many seem innocuous and, often, we don’t even know they’re there.

Life’s just a cocktail party

Finally, assuming that these IoT devices have already been vetted by somebody else (like the store that we bought them from) is, unfortunately, flawed logic. Businesses large and small will be rushing to market with typically insecure devices, and they won’t be taking the time to analyze all of the use cases of how their product could be misused. As consumers, we need to develop the skill of thinking, ‘how could this device be misused?’ Most of us aren’t used to thinking like that. A family in Texas learned that the hard way a few months ago with their baby monitor. In general, if a device operates over the network and we can see it, then somebody else can see it.

Shadoobie.

[chart images from http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats]

Vulnerability found in Netgear home and small business router

A significant vulnerability has been found in the latest version (WNDR3700v4) of Netgear’s N600 Wireless Dual-Band Gigabit Router. Per the researcher with Tactical Network Solutions who discovered the flaw, it is “trivially exploitable” and allows the attacker to disable authentication, open up a backdoor (telnet session), and then return the router to its original state so that the user never knows it was open. According to PC World, other routers may be affected as well.

To mitigate the risk:

  • get the latest patch from Netgear (the Shodan database still shows at least 600 unpatched routers with the WNDR3700v4 hardware revision)
  • disable remote administration of the router (always)
  • use strong WPA2 pass phrases
  • don’t allow strangers on your network

Lots of dots

Per this article at Tofino (http://bit.ly/1gJA0yu) and Bob Radvanovsky:

  • over 1,000,000 ICS/SCADA devices connected to the Internet discovered so far
  • discovering approximately 5,000 new ICS/SCADA connected devices/day

Device types include, but are not limited to:

  • manufacturing/production control systems
  • medical devices
  • traffic management systems
  • traffic light control/traffic cameras
  • HVAC & building management systems
  • security/access control, including video/audio surveillance
  • data radios

and to keep it interesting, also found these connected to the Internet:

  • off-road mining trucks
  • crematoriums

In many cases, a web interface is enabled with default credentials in place.

I believe 1,000,000 is only a fraction of the Internet-connected embedded/ICS/SCADA devices, and that the rate of growth of new connections is far faster than anything we saw in the PC days.


Who’s looking at you kid? — ICS in the office

The “Internet of Things” is slowly creeping into small businesses and homes and is creating some new privacy and physical safety issues and risks.

There has been a lot of media coverage regarding exposure of the national power grid to cyberattack. This coverage is appropriate and the risk is real. Many automated systems, aka industrial control systems or ICS, that control various aspects of electricity generation, transmission, and distribution were never intended to be controlled by Internet-connected systems. In most cases the Internet simply did not exist when the systems were installed. However, Internet-based control was added after the fact, and the intersection (or collision) of two very different types of control systems, traditional industrial control and Internet-based control, has created vulnerability and exposure to malicious intent. The issue is exacerbated by the fact that power systems are a high value target; a successful attack and compromise can have a very big effect.

There are also other control systems, besides those dealing with power, that are in many buildings and increasingly in homes and small offices. These are HVAC (heating, ventilation, air conditioning) controls, lighting controls, security systems and others. These also have various levels of exposure to cyber attack. As an example, Google’s headquarters in Australia was recently compromised.

ICS showing up in home and office & unintended consequences

Some of these control systems that have traditionally been the domain of large buildings and complexes are making their way into homes and offices.

One example is IP-based (Internet controlled) consumer or small business security systems. These systems often provide:

  1. video monitoring over network/Internet
  2. audio monitoring over network/Internet
  3. sometimes 2-way audio over Internet where the person monitoring can send audio transmissions to the monitored area

These devices are inexpensive and easily obtained at Target, Best Buy, Radio Shack or even the local drug store. They are also very vulnerable to misuse over the Internet. There was a well-publicized case last month where an IP-based (Internet-controlled) baby monitor was being used by a family in Texas. When the parents thought they heard a voice in the 2-year-old child’s room, they heard a man’s voice saying horrible things to the child through the baby monitor (including calling her by name). Someone had ‘hacked’ into the system (‘hack’ is a strong word, as it was almost trivial to gain video and audio access).

The parents thought that they were enhancing the child’s safety and well-being and had no idea that they were increasing risk to the child in other ways.

Assumed product sanction

There’s the rub. When these products are purchased at our local or online stores, there is an assumption of some sort of sanctioning or trust of the product by the store. Sort of like, “Target wouldn’t sell anything that would hurt me. Best Buy knows what they are selling.” This is, of course, a bad assumption.

The Internet of Things — devices and sensors talking to each other as well as humans over the Internet — opens up an exciting array of possibilities. But simultaneously it opens up a new ecosystem for misuse, privacy abuse, and even physical safety issues.

When we bring Internet-controlled devices into our office or home environments, we need to do the mental math of how the product could be misused. What would happen if it failed? What would happen if (when) an unplanned user accesses the system? Because we can be sure that someone else, who may not be well-aligned with our best interests, is doing that math.

photo credit: Argonne National Laboratory via photopin cc

Industrial Control System Attackers & Attackees

ICS attacks by business sector
(image ICS-CERT)

— ICS-CERT responded to over 200 Industrial Control System (ICS) incidents between October 2012 and May 2013.
— Highest percentage in the energy sector — 53%
— Critical Manufacturing sector follows — 17%

ICS attacks by source country
(image TrendMicro)

— TrendMicro research emulated an Industrial Control System with honeypots
— It took only 18 hours for the first honeypot to be attacked
— Over 28 days, 39 attacks from 14 countries
— Of the 39 attacks, 12 were unique and considered ‘targeted’
— Attackers demonstrated experience and expertise with the Modbus industrial control protocol
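
The honeypot findings above rest on one observation a defender can act on: Modbus/TCP carries no authentication, so the only things separating a legitimate engineering write from an attacker's are where the request came from and which function code it carries. The following Python is an added example, not code from this post, ICS-CERT or TrendMicro. It decodes the MBAP header and function code of constructed Modbus/TCP request frames and flags writes, identification/diagnostic probes, and any request from a host outside a hypothetical allowlist of HMIs. The IP addresses, the allowlist and the frames themselves are constructed for the example; the function codes are the public ones from the Modbus application protocol specification.

```python
"""Classify Modbus/TCP requests the way a monitoring tap in front of a PLC would.

Added example (not from the original post).  The traffic, the source
addresses and the HMI allowlist below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol specification).
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
OTHER_FUNCS = {8: "Diagnostics", 17: "Report Server ID",
               43: "Read Device Identification"}
ALL_FUNCS = {**READ_FUNCS, **WRITE_FUNCS, **OTHER_FUNCS}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


class ModbusParseError(ValueError):
    pass


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header plus the function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ModbusParseError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ModbusParseError(f"unexpected protocol id {proto}")
    # 'length' counts unit id + PDU, so a well-formed frame is exactly 6 + length bytes.
    if len(frame) != 6 + length:
        raise ModbusParseError(f"length field {length} does not match frame size {len(frame)}")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def classify(src_ip: str, frame: bytes, allowlist: set[str]) -> dict:
    """Return what the request does and whether it is expected from this source."""
    try:
        req = parse_request(frame)
    except ModbusParseError as err:
        return {"src": src_ip, "verdict": "malformed", "reason": str(err)}
    if req.function in WRITE_FUNCS:
        kind = "write"
    elif req.function in READ_FUNCS:
        kind = "read"
    elif req.function in OTHER_FUNCS:
        kind = "recon"      # identification/diagnostics are the first thing a scanner asks for
    else:
        kind = "unknown"
    if src_ip not in allowlist:
        verdict = "alert"   # any Modbus from a host that is not a known HMI is worth a look
    elif kind == "write":
        verdict = "review"  # writes are recorded even from allowed hosts
    else:
        verdict = "ok"
    return {"src": src_ip, "unit": req.unit_id, "function": req.function,
            "name": ALL_FUNCS.get(req.function, "?"), "kind": kind, "verdict": verdict}


# Constructed sample traffic: (source IP, raw Modbus/TCP frame).
ALLOWED_HMIS = {"10.0.1.10"}            # hypothetical engineering workstation
SAMPLE_TRAFFIC = [
    # Read Holding Registers 0..9 from unit 1, sent by the expected HMI
    ("10.0.1.10", struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),
    # Write Single Register addr 0x0010 = 0x00FF, sent by the expected HMI
    ("10.0.1.10", struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 0x0010, 0x00FF)),
    # Read Device Identification (MEI type 0x0E, basic, object 0) from an outside host
    ("198.51.100.7", struct.pack(">HHHBBBBB", 3, 0, 5, 1, 43, 0x0E, 0x01, 0x00)),
    # Write Single Coil addr 0 = ON (0xFF00) from the same outside host
    ("198.51.100.7", struct.pack(">HHHBBHH", 4, 0, 6, 1, 5, 0, 0xFF00)),
    # Truncated frame: length field promises 6 bytes after it, only 3 follow
    ("203.0.113.9", struct.pack(">HHHBBB", 5, 0, 6, 1, 3, 0)),
]


def run(traffic=SAMPLE_TRAFFIC, allowlist=ALLOWED_HMIS) -> list[dict]:
    return [classify(src, frame, allowlist) for src, frame in traffic]


if __name__ == "__main__":
    for verdict in run():
        print(verdict)
```

The allowlist is the whole detection: on a flat plant network the PLC accepts the coil write from 198.51.100.7 just as readily as the one from the HMI, so the tap, not the device, has to notice that the source is wrong. Malformed frames get their own verdict because a length field that disagrees with the frame size is exactly what a scanner or a fuzzer produces and what a real HMI never does.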


Hacking the Internet of Things

A research botnet was created to detect and compromise unprotected embedded control devices. These embedded control devices can be found in industrial control systems, medical devices, home appliances, and similar. A botnet is created when multiple devices are attacked, compromised (aka ‘owned’), and subsequently controlled by the attacker. The botnet was named Carna Botnet after the Roman goddess of the protection of vital organs and health.

Carna botnet global distribution

  • Unprotected embedded devices (tiny computers that typically control things) were detected at a rate of 1 every 5 minutes
  • Discovered millions of unprotected devices, e.g. no or trivial username and password.
  • Carna Botnet is now 1.2 million compromised devices
  • Of that 1.2 million, 420,000 have sufficient functionality and resources to continue to propagate the botnet
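
Both the ICS survey earlier on this page (web interfaces with default credentials in place) and the Carna numbers (no or trivial username and password) come down to the same inventory check. The following Python is an added example, not code from this post or from the Carna report: it audits a constructed device inventory for vendor-default or trivial credentials and for a management interface reachable from the Internet, then ranks each device. The inventory, the default-credential list, the 12-character minimum and the ranking rules are assumptions made for the example.

```python
"""Audit a device inventory for the two conditions the post keeps returning to:
a management interface reachable from the Internet, and default or trivial
credentials.  Added example, not from the post or the Carna report; the
inventory, the default-credential list and the ranking rules are constructed.
"""
from dataclasses import dataclass

# Constructed list of (username, password) pairs in the style of vendor
# documentation defaults.  A real audit loads the actual defaults for the
# products in the inventory.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("admin", "1234"),
                  ("root", "root"), ("user", "user"), ("admin", "")}
# Passwords that are as good as no password (constructed list).
TRIVIAL = {"", "password", "123456", "12345678", "admin", "default"}
MIN_LENGTH = 12           # assumed local policy, not a vendor requirement
EXPOSED = "exposed-admin"


@dataclass
class Device:
    name: str
    kind: str
    username: str
    password: str
    web_admin: bool       # HTTP(S) management interface enabled
    wan_reachable: bool   # reachable from outside the local network


def credential_findings(username: str, password: str) -> list[str]:
    """Flag the credential weaknesses a Carna-style sweep relies on."""
    out = []
    if (username, password) in KNOWN_DEFAULTS:
        out.append("vendor-default")
    if password in TRIVIAL:
        out.append("trivial-password")
    elif password.lower() == username.lower():
        out.append("password-equals-username")
    elif len(password) < MIN_LENGTH:
        out.append("short-password")
    return out


def audit(device: Device) -> list[str]:
    findings = credential_findings(device.username, device.password)
    if device.web_admin and device.wan_reachable:
        findings.append(EXPOSED)
    return findings


def risk(findings: list[str]) -> str:
    """Exposed plus weak credentials is the baby-monitor case; either alone still matters."""
    exposed = EXPOSED in findings
    cred = [f for f in findings if f != EXPOSED]
    if exposed and cred:
        return "critical"
    if exposed or "vendor-default" in cred:
        return "high"
    if cred:
        return "medium"
    return "low"


# Constructed inventory: names, models and credentials are made up.
INVENTORY = [
    Device("baby-cam-1", "IP camera", "admin", "admin", web_admin=True, wan_reachable=True),
    Device("hvac-ctrl", "building HVAC controller", "admin", "Sunroom-Thermostat-2013!",
           web_admin=True, wan_reachable=True),
    Device("plc-line-3", "PLC", "user", "user", web_admin=True, wan_reachable=False),
    Device("office-router", "router", "admin", "correct horse battery staple",
           web_admin=True, wan_reachable=False),
    Device("thermostat", "smart thermostat", "admin", "Winter2013",
           web_admin=False, wan_reachable=False),
]


def run(inventory=INVENTORY) -> dict:
    report = {}
    for device in inventory:
        findings = audit(device)
        report[device.name] = {"risk": risk(findings), "findings": findings}
    return report


if __name__ == "__main__":
    for name, entry in run().items():
        print(f"{name:14} {entry['risk']:8} {', '.join(entry['findings']) or '-'}")
```

The ranking deliberately puts a device with good credentials but an Internet-reachable admin page at "high": the Netgear flaw earlier on this page bypassed authentication entirely, so the credential check only helps once the interface is off the Internet. Exposure without weak credentials and weak credentials without exposure are each one step from the Texas baby monitor, which had both.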

Distribution of hacked devices by country

The initial report is here.  Presentation here.

As the world continues to control more and more with networked embedded devices, i.e. the Internet of Things, we can expect a rapidly growing global platform for malicious behavior that we will need to attend to.