Of late, several companies have taken hits on their worldwide IT and Web-based systems. Perhaps the most recent, Canon, suffered a global ransomware attack, taking down many Canon websites and systems—also with a threat of making their private business data public. But can these IT/enterprise attacks threaten and/or damage OT systems? And what can they do to food and beverage products? Make them unsafe by altering a critical kill step or omitting preservatives? What else?
I asked Barak Perelman, VP of OT Security at Tenable, what attack vectors may pose danger to OT-based systems.
Tenable provides vulnerability management services to manufacturers around the world. It helps users manage risk with IT and cloud-based systems, and with the recent purchase of Indegy, allows OT users to gain complete visibility, security and control of OT networks.
FE: Assuming that non-state hackers (e.g., criminals or kids attempting to make a cash haul) have the ability to come up with a destructive virus that attacks PLCs and DCSs, are they interested in taking down a system (e.g., critical process or power grid) for the “I can do this” self-satisfaction, or are they looking for a pile of money via extortion—that is “pay me for protection against the bad guys,” which are the same entity?
Barak Perelman: Two of the more prominent motivating factors are financial gain and the weaponization of an attack. Financial gain is the typical motivation of ransomware attacks. Cybercriminals go where the money is. There are, unfortunately, many instances where it is simply cheaper and less disruptive to pay the bad actor than to avoid payment and suffer the consequences. So the payouts are big and increasingly likely. The weaponization of attacks is also increasing in frequency and scope. It is attractive because it doesn’t require many resources, but can cause as much or more damage and disruption as conventional military tactics.
FE: Is ransomware still the most effective method for securing a pile of money from a company? Are they now threatening to destroy OT (process control data)? Or is stealing business/banking information the easier approach?
Perelman: Ransomware is increasingly popular because it is easy to do, hard to trace and in many cases relatively “safe” for the attacker to carry out. There have been a number of instances where cyber insurance companies advise the victim organization to pay the ransom because it is actually cheaper and less disruptive than non-payment. This is something that needs to change, because incentivizing attackers by paying out large sums of untraceable cash makes it an easy and lucrative method to achieve large paydays with little chance of getting caught.
I cannot emphasize enough that financial/banking information theft in this day and age is orders of magnitude harder than breaching an OT network and handling it as your own.
FE: Is email still the most used way to penetrate a system today? I certainly get enough stuff that most likely leads to viruses and the like. Since Stuxnet, I assume that everyone knows about memory sticks.
Perelman: Email is still indeed the leading attack vector on the IT side of the house that can migrate to industrial OT networks, particularly if the environment is converged. Another method often employed by attackers is taking over a third party website and infecting it, causing malware to download on the devices of anyone who visits a seemingly trustworthy website. This was best described in the FBI & DHS report, “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” a couple of years back. I would be happy to claim otherwise but, amazingly, USBs lying around are still an issue today, although awareness is indeed much better compared to a decade ago.
FE: Are non-state hackers actually familiar with PLC/DCS coding that they could reprogram or shutdown critical systems? Are they familiar with specific apps that they could reprogram a PLC or DCS?
Perelman: The knowledge of hacking in industrial environments is not as pervasive as IT cybercrime. However, anyone with fairly entry-level technical skill—definitely someone writing malware—can easily learn to write code that deletes PLC code in one day. Give them another week and they'll know how to change the threshold level of an active ingredient in a drug.
FE: In food and beverage, theft of intellectual property and business information (e.g., client lists, recipes, etc.) is probably more lucrative than shutting part of a processing or bottling system, right?
Perelman: Recipes and intellectual property are largely protected with trademarking. So, even if they got out, there are protections in place. The alarming part of a food and beverage attack is the far reaching ramifications in changing the formulation of goods or the methodology in the manufacturing process. Just one minor change to a process can disrupt the supply and taint products, causing untold harm to the business and consumers. Many “mainstream” attacks are inconvenient, and some even have significant consequences. Society can do without a lot of things, but when it comes to food and beverages, even a small attack can have dire consequences. [Food and beverage] is simply something we cannot live without.
FE: Are non-state hackers entering OT and/or process control systems wirelessly—either through nearby Wi-Fi or through a cellular connection where they may have stolen logons, etc.?
Perelman: We are seeing an uptick of rogue actors accessing OT environments in a variety of ways. Not surprisingly and most typically they are performing reconnaissance and finding the “weak link” in the system to find their way in. We are seeing more attacks that start on the IT side and move to the OT side. This is often seen in converged IT/OT systems where the level of security is not where it needs to be. Increasingly, however, these same attacks are occurring in systems that are “air-gapped.” As history has proven, the unfortunate reality is that even the most secure air-gapped environments may experience “accidental convergence,” a situation where information accidentally flows across the air gap.
Over the years, additional attack vectors in air-gapped environments have been discovered, including FM frequency signals from a computer to a mobile phone; thermal communication channels between air-gapped computers; the exploitation of cellular frequencies; and near-field communication (NFC) channels. Even LED light pulses among OT equipment have exposed critical systems to malicious activity. Organizations that don’t have specific initiatives for IT and OT convergence are among the most at risk because no additional security is implemented beyond air gapping. Securing operations requires more than building a digital moat around the OT infrastructure. Even under the most favorable of circumstances, this isolation is nearly impossible to maintain. The introduction of one seemingly harmless variable into a sterile environment can permanently destroy the most stringently enforced air gap.
FE: How has the hacking landscape changed since COVID-19? In the last year? The last five years?
Perelman: COVID-19 has changed the operating environment for infrastructure and manufacturing organizations. Wherever possible, many employees have been directed to work from home and utilize laptops, tablets, smartphones and conference bridge services. But working from home is not always an option, especially when it comes to OT. The following are a couple of new risk factors the OT community needs to stay vigilant against:
- Erroneous changes: This can include less experienced team members making erroneous changes to the system without the direct oversight of managers due to quarantine.
- Delayed response: Due to short staffing, or the need to divert employees to other tasks, security personnel may be negatively impacted in their ability to react to alarms in a timely fashion.
- Opportunistic attacks: Nefarious activity will likely increase during this period as bad actors look to exploit the procedural disruptions and overstretched skeleton crews associated with non-standard business operations.
Taking an honest look at these vulnerabilities and gaps is the first step to understanding which security measures need to be in place to keep critical operations running smoothly and safely.
For more information, visit Tenable.
About Barak Perelman
Barak Perelman serves as VP of OT Security at Tenable. Previously, he was co-founder and CEO of industrial cybersecurity company Indegy, before it was acquired by Tenable. Perelman is a graduate of Israel's elite Talpiot military academy and brings over 15 years of hands-on experience in cybersecurity strategies and protection of critical infrastructures. Before founding Indegy, he led large-scale cyber security projects in the IDF and received commendations for his service achievements.