New threats posed by closing the gap between IT and OT
The gap between office Information Technology (IT) and Operational Technology (OT), everything that networks, controls and evaluates machines in industrial environments, has been closing for some time. Increasing numbers of industrial devices have one or more network interfaces which support the Internet Protocol and are connected to the company's network. Considering that automation technology had long been virtually inaccessible to other networks, relying on proprietary protocols and media, this sudden willingness to communicate is causing problems. Devices have often been connected to the network without the usual IT security measures, and this creates a dangerous vulnerability in the company network.
In the meantime, industry is starting to wake up to the new threats, not least because incidents such as Stuxnet (Iran, 2010), Industroyer (Ukraine, 2016) and Triton (Middle East, 2017) have shown how drastic the effects for operators can be if attackers seize physical infrastructure. During the incident in Ukraine, part of the capital was left without electricity for an hour in winter; Triton, by contrast, was still discovered in time. It's important not to forget that the consequences could have been massive. Triton targets Schneider Electric's Triconex safety controllers. In this context, safety means "functional safety": everything that prevents danger to life and limb, or to the physical level in general. The attackers behind Triton, probably a state-supported actor, tried to take over several Triconex devices so that they could control these devices at will.
Even though the ongoing attack was discovered, the shock ran deep. There is a serious difference in the threat level when safety valves no longer close and explosions lead to injuries, deaths and physically destroyed equipment, rather than computers merely being taken offline. Although there is currently no concrete threat indication from the BSI, the attack vector via Triconex and the proprietary TriStation protocol still appears to be exploitable. The German Federal Office for Information Security (BSI) has published a set of Snort rules which can help to detect attacks on Safety Instrumented Systems (SIS) from Schneider Electric more quickly.
The BSI recommends that the Snort rules, which were developed in collaboration with the software manufacturer FireEye and the National Cybersecurity and Communications Integration Center (NCCIC), be implemented as an "additional layer of an in-depth defense strategy". The rules analyze network packets and trigger a warning when certain criteria are met: when valid packets are sent to unauthorized machines or originate from unauthorized machines, or when a particularly high number of packets or a high packet frequency is observed. Other suspicious activities are logged so that possible traces of breaches can be detected as part of a Security Information and Event Management (SIEM) system.
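To make the detection criteria just described concrete, here is an added Python model of that logic run over constructed packet records; it is not the BSI/FireEye rule set itself. It assumes a constructed SIS address (10.0.0.10), one authorised engineering workstation (10.0.0.20), and that TriStation traffic uses UDP port 1502.

```python
"""Added example (not the BSI/FireEye Snort rules): a Python model of the
detection criteria described above, run over constructed packet records.
Assumptions: SIS at 10.0.0.10, authorised engineering workstation at
10.0.0.20, TriStation on UDP/1502 (all assumed, not from the article)."""
from collections import defaultdict

TRISTATION_PORT = 1502                  # assumed TriStation UDP port
SIS_HOSTS = {"10.0.0.10"}               # safety controllers (constructed)
AUTHORISED_HOSTS = {"10.0.0.20"}        # engineering workstations (constructed)
RATE_LIMIT = 5                          # max packets per source per window
WINDOW = 1.0                            # window length in seconds


def detect(packets):
    """packets: iterable of (ts, src, dst, dport) sorted by ts.
    Returns a list of (rule, ts, src, dst) alerts."""
    alerts = []
    counts = defaultdict(int)           # (src, window index) -> packet count
    for ts, src, dst, dport in packets:
        if dport != TRISTATION_PORT:
            continue                    # not TriStation; outside this rule set
        # Rule 1: TriStation packet to a machine that is not a known SIS
        if dst not in SIS_HOSTS:
            alerts.append(("unauthorised_destination", ts, src, dst))
        # Rule 2: TriStation packet from a host that is not an engineering station
        if src not in AUTHORISED_HOSTS:
            alerts.append(("unauthorised_source", ts, src, dst))
        # Rule 3: unusually many TriStation packets from one source per window
        key = (src, int(ts // WINDOW))
        counts[key] += 1
        if counts[key] == RATE_LIMIT + 1:   # alert once per window, not per packet
            alerts.append(("high_packet_rate", ts, src, dst))
    return alerts


# Constructed packet records: (timestamp, src, dst, dst_port)
SAMPLE = [
    (0.0, "10.0.0.20", "10.0.0.10", 1502),   # normal engineering traffic
    (0.5, "10.0.0.20", "10.0.0.10", 1502),
    (1.0, "10.0.0.99", "10.0.0.10", 1502),   # unknown host talks TriStation
    (2.0, "10.0.0.20", "10.0.0.10", 502),    # Modbus, ignored by these rules
    (2.5, "10.0.0.20", "10.0.0.77", 1502),   # TriStation to a non-SIS host
] + [(3.0 + i * 0.1, "10.0.0.20", "10.0.0.10", 1502) for i in range(7)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```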
The rules and further details on the network detection methodology are available for download in the "Tools" section of the BSI website. If you don't use Snort yet, you should at least think about a local installation. Snort is a free Network Intrusion Detection System (NIDS) and a Network Intrusion Prevention System (NIPS). It can be used for logging IP packets as well as for real-time analysis of data traffic in IP networks. The software is mainly used as an event-driven intrusion prevention solution to block attacks automatically.
Just two weeks ago, the BSI reported on hacker attacks on German energy suppliers in a press release. The attackers had managed to break into the operators' networks; fortunately, to our knowledge no production and control systems were affected. Nevertheless, BSI President Schönbohm repeatedly emphasizes that Germany is "in the focus of cyber attacks more than ever".
It seems like it will take another serious incident before action is taken. Generally, companies, regulators and expert bodies alike act only when incidents hit the headlines. Better late than never, and so far it has worked out. Let's hope that the next vulnerability in an industrial control system is also discovered before the attackers press the red button.