Connected ICS and rogue malware condemn IoT to insecurity
Security specialist SentinelOne has published the results of its investigation into a new type of malware it discovered, and Kaspersky has also announced a pretty shocking survey of Industrial Control Systems (ICS) that paints a very bleak picture of the state of IoT security … again.
SentinelOne has named it Furtim’s Parent, as it thinks it is related to an older malware called Furtim. The company says that it has already infected a European utility, and believes it was released in May. SentinelOne adds that “it exhibits traits seen in previous nation-state Rootkits, and appears to have been designed by multiple developers with high-level skills and access to considerable resources.”
The company says that it believes it likely points to a nation-state sponsored initiative, potentially originating in Eastern Europe. An update to SentinelOne’s announcement notes that the attack does not explicitly target SCADA energy management systems, as many outlets are reporting.
It does note that the attack carefully targets network users, “which is then used either to introduce the payload, which could either work to extract data or insert the malware to potentially shut down an energy grid.” The exploit works on all versions of Windows, according to SentinelOne, and (unsurprisingly) has been designed to get around antivirus protection – and also disables the ability to install new AV software if an administrator detects the malware.
The malware uses Windows exploits that were patched in May 2015, specifically the CVE-2014-4113 and CVE-2015-1701 privilege-escalation bugs, so it will likely not be a problem for Windows machines that are kept up to date. However, most industrial systems rely on air-gap protection and the assumption that malware won’t make it onto their controller machines; updating those machines is rarely undertaken because of the disruption caused by downtime and the malfunctions that can follow, as the machinery the computers control is infamously finicky.
This brings us to another security investigation that came to light this week, published by Kaspersky Lab on its SecureList website, which shows how insecure this assumption about air-gap security for IoT and Industrial IoT devices really is.
The Kaspersky study found 188,019 host connections with ICS components on the internet, in 170 countries, with 92% of those hosts having some form of vulnerability. Kaspersky said that of those vulnerable hosts, 87% had medium-risk vulnerabilities, with 7% having critical vulnerabilities. Of the total 188,019 hosts, Kaspersky said 91.6% used weak internet connection protocols, typically unencrypted.
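As an added illustration of the kind of exposure the Kaspersky figures describe (example code written for this page, not from Kaspersky's report or the original article): a short Python check that reads perimeter firewall logs in a constructed, hypothetical format and flags accepted connections to common unauthenticated ICS protocol ports that originate outside the plant's RFC 1918 address space. The port list, the log format and the sample lines are all assumptions.

```python
import ipaddress
import re

# Well-known TCP ports of common ICS protocols; none of them carries
# authentication or encryption by default.
ICS_PORTS = {102: "Siemens S7comm", 502: "Modbus/TCP", 20000: "DNP3"}

# Address space the plant network is expected to use (RFC 1918).
PLANT_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical firewall log format, constructed for this example:
#   <timestamp> ACCEPT|DROP src=<ip>:<port> dst=<ip>:<port> proto=tcp
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+) proto=tcp$"
)

def exposed_ics_sessions(log_lines):
    """Return (src, dst, port, protocol) for each accepted connection to an
    ICS port whose source lies outside the plant's private address space."""
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "ACCEPT":
            continue  # malformed line, or the firewall already blocked it
        dport = int(m["dport"])
        if dport not in ICS_PORTS:
            continue
        src = ipaddress.ip_address(m["sip"])
        if any(src in net for net in PLANT_NETWORKS):
            continue  # internal traffic is expected on the control network
        findings.append((m["sip"], m["dip"], dport, ICS_PORTS[dport]))
    return findings

# Constructed sample log lines; public sources use RFC 5737 documentation addresses
SAMPLE_LOG = [
    "2016-07-12T08:01:02Z ACCEPT src=10.0.5.20:51234 dst=10.0.9.7:502 proto=tcp",
    "2016-07-12T08:01:05Z ACCEPT src=203.0.113.45:40001 dst=10.0.9.7:502 proto=tcp",
    "2016-07-12T08:01:09Z DROP src=198.51.100.9:40002 dst=10.0.9.8:102 proto=tcp",
    "2016-07-12T08:02:11Z ACCEPT src=198.51.100.9:40003 dst=10.0.9.8:102 proto=tcp",
    "2016-07-12T08:02:30Z ACCEPT src=203.0.113.45:40004 dst=10.0.9.7:443 proto=tcp",
    "2016-07-12T08:03:00Z ACCEPT src=192.0.2.77:40005 dst=10.0.9.9:20000 proto=tcp",
]

if __name__ == "__main__":
    for sip, dip, port, proto in exposed_ics_sessions(SAMPLE_LOG):
        print(f"{proto} on {dip}:{port} reached from public address {sip}")
```

A hit from this check means an ICS protocol that has no authentication of its own is reachable from the internet; the fix is to block the port at the perimeter and reach the device only through an authenticated, encrypted jump host.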
We found ourselves using the word “staggering” increasingly often when describing these sorts of stories, which raises the question of whether we should be surprised anymore, as this level of problem seems to be the status quo. Following the BlackEnergy attack on Ukrainian power plants last year, widely thought to have been carried out by Russia, both states and corporations should be wary of what holes they have unwittingly left in their security protections. Stuxnet is the worst-case scenario.
“Our research shows that the larger the ICS infrastructure, the bigger the chance that it will have security holes,” noted Andrey Suvorov, Kaspersky’s Head of Critical Infrastructure Protection. “This is not the fault of a single software or hardware vendor. By its very nature, the ICS environment is a mix of different interconnected components, many of which are connected to the internet and contain security issues.”
Kaspersky believes that the number of vulnerabilities in ICS systems has increased around ten times in the past five years, rising from 19 recorded issues in 2010, to 189 in 2015. In addition, the most vulnerability-stricken systems were HMIs and SCADA.
One of the criticisms that is frequently leveled at the IoT is the question of why someone would want to connect that particular thing to the internet. Most people are asking that question based on the assumption that the value generated by connecting it would be outweighed by the cost of doing so.
However, almost everyone would agree that the connection is a valuable resource that they would like to harness. But most of the time it’s not the cost of connecting it to the web that is the main barrier; it’s the potential vulnerability of enabling remote access, and the cost of having someone attack the equipment or take it offline.
In a world of perfect security, it would be a lot harder to make the argument in favor of air-gapping equipment like ICS or PLC, because the value of being able to harness the live data feeds is obvious, and the threat of attack non-existent.
But of course we don’t live in such a world, and so it remains best practice to avoid the problem of remote attacks by ensuring that attackers simply can’t access the tech remotely. Of course, those systems are often riddled with security vulnerabilities that go unpatched because companies rely on the air-gap and upgrading them is complicated, often requiring downtime and field visits.
Therefore, there’s a distinction to be made between systems that are secure because they are protected by regular updates and best practices, and those that are secure only because there’s an armed guard protecting the decade-old machine running Windows XP. Relying solely on the air-gap is no protection against someone gaining physical access, or against an employee accidentally bridging the air-gap by plugging in a USB stick they found in the parking lot.