Are Your Smart Properties Safe From Cyber Attacks?

A surge in IP-connected devices is cause for concern regarding the safety of smart properties and cities

Properties are becoming more automated than ever before. Things such as building automation systems (BAS), automated fire suppression systems, access control devices, CCTV, lighting, and more can be completely controlled through an IT network. These systems all fall into the realm of supervisory control and data acquisition (SCADA) technology, along with other traditional industrial control systems (ICS). Properties that include such systems are described as smart properties.

Inherent vulnerabilities in the IP-based communications of these systems provide an easy pathway for hackers to gain access and take control. In recent years, incidents involving ICS operators as well as smart property owners have occurred. The former have historically received more attention, as these systems deal with potentially dangerous processes that can cause physical damage and even loss of life. In 2010, the Stuxnet malware was discovered, showing the first instance of hackers causing physical damage. More recently the HATMAN/TRISIS malware was discovered, which disables safety systems designed to shut down an automated system if the process it’s controlling becomes potentially dangerous. While these attacks focused on high-profile targets, all properties and ICS systems face similar types of threats.

Smart properties, which use similar technology to traditional ICS operators, are just as (if not more) vulnerable to attacks. Building engineers are typically not experienced in traditional IT security, nor are they completely cognizant of security risks involving automated technology. While utility providers and manufacturers generally have robust access control security and IT teams who handle security operations, smart buildings rarely have such dedicated resources and personnel. The technology at a smart property is usually installed by a third-party system integrator or an engineer from the SCADA vendor’s firm, leaving the property operator or manager with limited awareness and knowledge of how the technology works. When problems arise in the network, outside assistance is usually required to troubleshoot.

A recent Symantec report reveals that ransomware saw a 12% increase in enterprise targets, suggesting hackers are shifting focus to higher-value targets. In total, ransomware costs businesses around $75 billion per year (Source: Datto) and the average cost of a ransomware attack was $133,000 (Source: Sophos). In 2019, ransomware attacks from phishing emails were up 109 percent since 2017 (Source: PhishMe), and according to Webroot, 1.5 million new phishing sites are created every month.

Many of these attacks do not use 0-day, or previously unknown, exploits; instead hackers often recycle previously successful malware code. Although owners send employees to training to help identify social engineering attempts and phishing emails, the criminals are continually updating their techniques and making it more difficult for personnel to identify what is legitimate and what is not.

In 2015, the Department of Homeland Security (DHS) came out with seven strategies for protecting ICS/SCADA environments:

  1. Implement application whitelisting – This strategy prevents malware from executing by defining what messages and applications a system can or cannot run. SCADA systems, which have a more static nature than typical enterprise systems, are ideal candidates for this type of protection.
  2. Ensure proper configuration/patch management – Hackers frequently target unpatched or outdated systems since known, effective exploits are readily available. Using a proper configuration/patch management program can help keep systems better updated and more secure, and can prioritize updates for sensitive systems.
  3. Reduce attack surface area – Isolate SCADA systems from any untrusted network, especially the Internet. Turn off unused services and lock down unused ports. Only allow remote connectivity if there is a defined business requirement. Utilize one-way communication where possible with data diodes.
  4. Build a defendable environment – Limit breaches by implementing network segmentation and restrict or limit host-to-host communications.
  5. Manage authentication – Hackers are constantly looking for privileged accounts to compromise once inside a network. Administrators should implement multi-factor authentication (MFA) when possible and implement a strong password policy with expiration at least every 90 days.
  6. Implement secure remote access – Many systems include remote access capabilities, but these functions can also be exploited by attackers. DHS advises owners to restrict and disable remote access when not needed. For those systems that do require remote access, “monitoring only” access should be enforced by hardware, like data diodes, instead of relying on “read-only” software permissions.
  7. Monitor and respond – Organizations must be able to detect, and defend against, adversarial breaches through holistic monitoring of the network. An incident response plan should be in place that guides operators through containment, eradication, and system recovery.
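Strategies 3, 4 and 7 can be checked together by auditing observed network flows against a written segmentation policy. The following Python sketch is an added example, not code from DHS or Blackpoint; the zone names, address ranges, approved conduits and flow records are all constructed assumptions for a hypothetical building network.

```python
import ipaddress

# Assumed zone layout for a smart property (constructed address ranges).
ZONES = {
    "bas": ipaddress.ip_network("10.20.0.0/24"),        # controllers, HVAC, access control
    "bas_mgmt": ipaddress.ip_network("10.20.10.0/28"),  # engineering workstation
    "corporate": ipaddress.ip_network("10.1.0.0/16"),   # office IT
}
# Approved conduits into the controller zone: (src zone, dst zone, protocol, dst port).
ALLOWED = {
    ("bas_mgmt", "bas", "udp", 47808),  # BACnet/IP
    ("bas_mgmt", "bas", "tcp", 502),    # Modbus/TCP
}

def zone_of(addr):
    """Map an address to its zone; anything unlisted is treated as untrusted."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"

def audit(flows):
    """Return flows that touch the controller zone without an approved conduit."""
    findings = []
    for src, dst, proto, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if "bas" not in (sz, dz) or (sz, dz, proto, dport) in ALLOWED:
            continue  # out of scope here, or an approved conduit
        if "untrusted" in (sz, dz):
            reason = "controller zone exposed to untrusted network"
        elif sz == dz:
            reason = "unapproved host-to-host traffic between controllers"
        else:
            reason = "flow crossing controller-zone boundary is not an approved conduit"
        findings.append((src, dst, proto, dport, reason))
    return findings

# Constructed sample flow records: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.20.10.5", "10.20.0.11", "udp", 47808),  # workstation polling a controller
    ("10.1.4.22", "10.20.0.11", "tcp", 502),     # office PC talking to a controller
    ("10.20.0.11", "10.20.0.12", "tcp", 445),    # controller to controller
    ("203.0.113.9", "10.20.0.30", "tcp", 3389),  # inbound remote access from outside
    ("10.20.0.30", "198.51.100.7", "tcp", 443),  # controller reaching the Internet
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Because SCADA traffic is comparatively static, a short allowlist like this tends to stay accurate, and every finding is either a policy gap to document or a flow to block.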

While many organizations may achieve strategies 1-6 with traditional IT security technology and policies, the ability to monitor and defend against threats in real-time is a constant struggle. Attackers frequently use ‘living-off-the-land’ techniques that utilize normal administrative functions to perform network reconnaissance and exploit targets. These techniques usually include lateral spread movement, which is typically not caught by traditional endpoint detection strategies, making it difficult for organizations to contain and stop breaches. To fully monitor these types of behaviors, many operators implement a plethora of disparate tools that often don’t integrate. This often creates the dreaded “bloat stack” which is expensive, resource-intensive, and hard to manage.

In the last five years, passive analytic tools have emerged, offering asset inventory, anomaly detection, and traffic flow information for SCADA networks. These systems are great at giving visibility down to the controller level in an automated system, but they lack the ability to actively contain threats. While such technology helps to monitor, it does not help in the containment process when operators are trying to determine where the attack is coming from and how to stop it from spreading.

Using Blackpoint’s SNAP-Defense platform, our threat analysts can see attacks as they unfold in real-time across a live asset map. Once threats are detected, we can immediately contain them to prevent further spread across a network. By monitoring for specific hacker techniques, privilege escalation, remote execution, and other lateral spread movement, SNAP-Defense alerts our team to potentially nefarious behavior with actionable information that even entry-level analysts can understand. Additionally, clients have the option of installing a passive network tap to monitor devices that cannot have endpoint protection installed, like IoT and SCADA devices.

View of the SNAP-Defense live asset map

To learn more about our 24/7 Managed Detection and Response service, please visit
https://blackpointcyber.com/managed-detection-and-response/ or contact us at info@blackpointcyber.com.

BlackPoint Cyber