U.S. Security Agencies Warn of Cyber Attack Threats to Unauthenticated PLCs and other OT
August 27, 2020 | Robert Bergman
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have urged critical infrastructure facilities to take immediate action to secure their operational technology assets. Prompting the warning are the following recently observed hacking tactics, techniques, and procedures:
- Connecting to Internet Accessible PLCs requiring no authentication for initial access.
- Spearphishing to obtain initial access to the organization’s information technology (IT) network before pivoting to the OT network.
- Deployment of commodity ransomware to Encrypt Data for Impact on both networks.
- Utilizing Commonly Used Ports and Standard Application Layer Protocols to communicate with controllers and download modified control logic.
- Use of vendor engineering software and Program Downloads.
- Modifying Control Logic and Parameters on PLCs.
They see the result of such attacks as potentially having the following impacts:
- Loss of Availability on the OT network.
- Partial Loss of View by human operators.
- Loss of Productivity and Revenue.
- Adversary Manipulation of Control and disruption to physical processes.
Over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets. Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.
The Department of Defense views OT assets as critical to its mission and as underpinning essential National Security Systems (NSS) and services, as well as the Defense Industrial Base (DIB) and other critical infrastructure. It urges asset owners and operators of critical infrastructure to take immediate steps to secure their OT assets.
They describe the current status of OT vulnerability as a perfect storm, caused by the convergence of the following elements:
- Legacy OT assets that were not designed to defend against malicious cyber activities.
- Readily available information that identifies OT assets connected via the internet (e.g., Shodan, Kamerka).
- Easy access to unsecured assets.
- Use of common, open-source information about devices.
The NSA/CISA recommendations are extensive, and available here. They include developing a resilience and response plan, inventorying vulnerable assets and risks, implementing vigilant monitoring, and hardening networks.
And at the risk of over-evangelizing the need for control system security, we do note that the entire “hardening” recommendation of the alert amounts to managing access at the network level, which is fine, but there is little recognition of the importance of hardening at the device level. This also caught the attention of ControlGlobal.com cyber security expert and columnist Joe Weiss, who, in developing this month’s column, enlisted a squad of other industry experts to help him point out the dangers of overlooking the importance of security at the control system level.
In a related story that will be of interest to those looking to keep costs under control, an Accenture survey of more than 4,000 executives in 24 industries cited “network security” as the security cost that has increased the most over the past three years. Read more about the Accenture study here.
If the kind of encryption and authentication applied to the network layer were applied properly at the control layer, the OT would not only be less expensive, because it would be included in the cost of the control system, but it would also be far more secure.