A newly published standard specifies process requirements for the secure development of products used in industrial automation and control systems (IACS).

The new standard, ISA/IEC 62443-4-1-2018, is named Security for Industrial Automation and Control Systems Part 4-1: Product Security Development Life-Cycle Requirements. It also defines a secure development life cycle for developing and maintaining secure products used in an IACS. This life cycle includes security requirements definition, secure design, secure implementation (including coding guidelines), verification and validation, defect management, patch management and product end of life.

The new requirements can be applied to new or existing processes for developing, maintaining and retiring industrial control hardware, software or firmware for new or existing products. The requirements apply to the developer and maintainer of a product, but not to the system integrator or user of a product.

“Designing security into products from the beginning of the development cycle is critical because it can help eliminate vulnerabilities from products before they ever reach the field,” says Michael Medoff, ISA99 group leader, who headed the development of the new standard.

“We all know how difficult and expensive it can be to constantly have to patch software in the field,” adds Medoff. “The new standard gives us a real opportunity to break the cycle of frequent security patches and to produce products that are secure by design.”

Weak passwords kill security

No matter how well security is designed into an automation system, computer database or email system, weak passwords will nullify all that work.

In a recent report from the Department of Homeland Security (DHS), criminals have discovered a new way of getting around password-protected systems designed to lock an account after a half dozen password attempts. According to information from a recent FBI investigation, malicious cyber actors have been using a style of brute force attack known as “password spraying” against organizations in the US and abroad.

In February 2018, nine Iranian nationals who were associated with the Mabna Institute were indicted for computer intrusion offenses related to password spraying. These techniques, while characteristic of Mabna actors, are not limited to just this group.

What is a brute-force attack and password spraying?

In a traditional brute-force attack, the bad guy attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked out, as commonly used account lockout policies allow three to five bad attempts during a set period of time. For example, banks and most email accounts use this protection.

During a password-spray attack (aka the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the bad guy to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications using federated authentication protocols (where a single logon for one account allows access to other—often linked—and related accounts). An actor may target this specific protocol because federated authentication can help mask malicious traffic. Also, by targeting SSO applications, bad guys hope to maximize access to intellectual property during a successful compromise or attack.

Email applications are also a target, and successful break-ins promise rewards—a treasure trove of intellectual property and other sensitive data. In email break-ins, malicious actors would have the ability to use inbox synchronization to:

  • Obtain unauthorized access to the organization’s email directly from the cloud
  • Download user mail to locally stored email files
  • Identify the entire company’s email address list
  • Surreptitiously implement inbox rules for the forwarding of sent and received emails

Once into an email system, a hacker can have an almost invisible presence, siphoning off emails from people in the address book.

How can administrators tell if a spray attack has occurred?

A massive spike in attempted logons against the SSO Portal or web-based application is one indicator. Using automated tools, attackers attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer. Attacks have been seen to run for more than two hours.

Another indicator: employee logons from IP addresses resolving to locations inconsistent with their normal locations.

The typical victim and the damage

According to DHS, the vast majority of password spray victims share some of the following characteristics:

  • Use SSO or web-based applications with a federated authenticated method
  • Lack multifactor authentication (MFA)
  • Allow easy-to-guess passwords (e.g., “Winter2018” or “Password123”
  • Use inbox synchronization allowing email to be pulled from cloud environments to remote devices
  • Allow email forwarding to be set up at the user level
  • Limited logging setup creating difficulty during post-even investigations.

What can a successful attack do? Think Sony, for example. A successful network intrusion can have severe impacts, particularly if the compromise becomes public, and sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information
  • Disruption to regular operations
  • Financial losses incurred to restore systems and files
  • Potential harm to an organization’s reputation.

DHS makes some suggestions to defer this style of attack. Administrators should enable MFA and review MFA settings to ensure coverage over all active, Internet-facing protocols. Password policies need to be reviewed, and all users should be following NIST guidelines and not using easy-to-guess passwords. Administrators should review IT helpdesk management related to initial passwords, password resets and lockouts. Many companies offer additional assistance and tools that can help detect and prevent password spray attacks.

The FBI encourages those who suspect intrusion to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at 855-292-3937 or by e-mail at CyWatch@ic.fbi.gov.

For more information:

Azure AD and ADFS best practices: Defending against password spray attacks, Microsoft blog.

ST04-002 – Choosing and Protecting Passwords , US CERT.

ST05-12 – Supplementing Passwords, US CERT.