- September 26, 2018
By Lisa Silverman, Vice President of Marketing, RunSafe Security
Have you heard the one about the fish tank in the casino? A smart device in the lobby aquarium of a North American casino had been remotely monitoring temperature, salinity, and automatic feedings. That internet-connected instrument allowed hackers to exfiltrate 10 gigabytes of high roller data.
And are you familiar with Fazio Mechanical in Sharpsburg, Pennsylvania? They are an HVAC subcontractor to large retailers. The hackers who got away with information on 40 million payment cards accessed Target’s corporate network using malware and a connection through, you guessed it, Fazio.
What about the new form of malware, named Triton? That’s the one that shut down the operations of a Saudi Aramco facility that used Schneider Electric’s safety instrumented systems. Attackers gained remote access to an engineering workstation and then used the exploit to reprogram safety controls.
In the race for more efficient operations, industrial control systems (ICS) have become a mash-up with legacy hardware being integrated with software and smart devices. As more and more controllers, servers, remote terminals, monitoring equipment, and sensors are tied to the internet, the cyberattack surface has increased exponentially, making our critical infrastructure and manufacturing plants vulnerable to unprecedented threats.
We Have More To Fear Than Fear Itself
Since defense-in-depth security is rarely present in today’s infrastructure, apps, devices, and systems are directly exposed to malware, viruses, spyware, and zero-days. Attacks can come from the outside (nation-state actors/hackers), from insider threats, and increasingly from a compromised supply chain. Apps are targeted by new types of file-less attacks that sidestep traditional network and endpoint detection. These include memory corruption attacks (buffer, stack, or heap) and return-oriented and jump-oriented programming (ROP/JOP) attacks. Buffer overflow attacks are the best-known driver of software vulnerabilities.
The ICS+IoT+OT environment of intertwined hardware, firmware, operating systems (OS), libraries, and apps built around low-cost processors presents some unique challenges:
- Adding software, services, and/or hardware agents may lead to performance issues, retooling and retesting, especially in real time environments where jitter could be an issue with non-deterministic execution
- Patching and updating may be infrequent, expensive, and/or unavailable, leading to a potentially indefinite vulnerability window
- Even simple apps leverage libraries and OS calls that can add up to hundreds of thousands or even millions of lines of source code
- Not all vulnerabilities can be discovered using conventional static or dynamic analysis (SAST or DAST) tools, inspections, or profiling
- Re-engineering with secure libraries and best practices may be cost prohibitive, source code for applications and libraries may not be available, and changing compilers or the OS may be impractical
- When deploying to tightly bundled environments including components from many suppliers, the supply chain itself may not be trusted, with potentially compromised hardware, firmware, OS, containers, or hypervisors
Several of these vulnerabilities extend to mobile devices, communications, and cloud environments, where software deployment and updating occurs via orchestration and automation tools. These vulnerabilities can also be found in virtualized environments, hypervisors, containers, and third-party hardware.
Traditional Defenses Can't Cope
Unfortunately, traditional cybersecurity measures aren’t built to prevent malware from propagating, because the most common defenses rely primarily on network and perimeter solutions. I’m talking about solutions like gateways, firewalls, intrusion prevention, and anti-virus agents. In other words, these tools focus on identifying symptoms rather than addressing the underlying causes. While established tools have worked for decades on known attack types, their effectiveness continues to diminish against motivated adversaries skilled in designing new types of exploits. Detection offers no protection in cases where the supply chain itself is compromised, or against file-less attacks like memory corruption exploits, stack and heap attacks, zero-day attacks, or return oriented programming (ROP) chain attacks.
While detection monitoring is important, it isn’t an end-all solution, and it also requires time, investment and expertise to implement. Re-engineering code can also help enhance security, but to do so requires significant resources, and can trigger compliance risks, especially when the software stack can be hundreds of thousands or millions of lines long.
But Cyberhardening Works
Memory corruption attacks try to trick a software program into running attacker-provided code, instead of programmer-written code. For this to work, the attacker must find vulnerabilities in the software binary code that allow the injection of code and/or the redirection of execution.
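The paragraph above describes the mechanism in the abstract. The C snippet below is an added illustration (not code from the article or from RunSafe Security): a constructed `struct sensor` places a fixed-size name buffer directly before a function pointer, so an unbounded `strcpy()` into the buffer can run past it and overwrite the pointer, which is how a plain overflow becomes redirected execution. The hardened form rejects input that does not fit and always terminates the buffer. The struct layout, field names and `NAME_LEN` are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed layout for illustration: the buffer sits next to a
 * function pointer, so writing past `name` clobbers `on_update`. */
struct sensor {
    char name[NAME_LEN];
    void (*on_update)(struct sensor *);
};

/* 'Before' pattern: strcpy() trusts the caller's input length. Kept here
 * only to show the defect the text describes; never called with oversized
 * input in this example. */
void set_name_unsafe(struct sensor *s, const char *input) {
    strcpy(s->name, input);
}

/* Hardened form: measure input against the buffer bound, reject anything
 * that would not fit together with its NUL terminator, then copy with an
 * explicit length. Returns 0 on success, -1 if the input was rejected. */
int set_name_safe(struct sensor *s, const char *input) {
    size_t n = 0;
    while (n < NAME_LEN && input[n] != '\0') n++;
    if (n == NAME_LEN) return -1;          /* no room for the terminator */
    memcpy(s->name, input, n);
    s->name[n] = '\0';
    return 0;
}

static void default_handler(struct sensor *s) { (void)s; }

/* Returns 1 if the function pointer is unchanged after a guarded set,
 * 0 otherwise; with the safe copy this is always 1, whatever the input. */
int pointer_intact_after_safe_set(const char *input) {
    struct sensor s;
    memset(&s, 0, sizeof s);
    s.on_update = default_handler;
    (void)set_name_safe(&s, input);
    return s.on_update == default_handler;
}

int main(void) {
    struct sensor s;
    memset(&s, 0, sizeof s);
    s.on_update = default_handler;
    printf("short name accepted: %d\n", set_name_safe(&s, "tank-1") == 0);
    printf("oversized name rejected: %d\n",
           set_name_safe(&s, "this-name-is-far-too-long-for-the-buffer") == -1);
    printf("handler pointer intact: %d\n",
           pointer_intact_after_safe_set("this-name-is-far-too-long-for-the-buffer"));
    return 0;
}
```

The guarded version is what source-level re-engineering would produce; the article's point is that when the source is unavailable or the stack is too large to re-audit, the unsafe pattern stays in the shipped binary and has to be mitigated at the binary level instead.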
One of the latest and most effective means to reduce risk is to cyberharden systems using Runtime Application Self-Protection (RASP) technology, which prevents exploits from spreading across multiple devices and networks. RASP hardens software binaries by using techniques such as binary stirring (also called randomization), control flow integrity and a priori optimization. The process ensures that attackers can’t calculate in advance how to successfully execute their code. This can prevent an entire class of malware attacks related to buffer overflows.
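To make the binary stirring claim concrete, here is an added simulation (not the article's or RunSafe's code, and not a description of any product's internals): a constructed image of four functions with made-up sizes is laid out in link order, then re-laid out in a different random order for each deployed instance. An address computed from the original layout is checked against each stirred instance; the count of instances where it still lands in the intended function is what a precomputed, one-layout-fits-all attack would have to depend on. Function names, sizes, the base address and the xorshift32 PRNG are all assumptions for the example.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed image: four functions with made-up sizes, in link order. */
typedef struct { const char *name; uint32_t size; } func_t;
static const func_t kFuncs[] = {
    {"init",         0x120},
    {"parse_packet", 0x340},
    {"write_config", 0x080},
    {"log_event",    0x200},
};
enum { NFUNCS = 4 };

/* Compute each function's start address (indexed by function id) when the
 * functions are placed consecutively in the sequence given by order[]. */
void layout(uint32_t base, const int *order, uint32_t *start) {
    uint32_t cursor = base;
    for (int i = 0; i < NFUNCS; i++) {
        start[order[i]] = cursor;
        cursor += kFuncs[order[i]].size;
    }
}

/* Which function id contains addr under this layout, or -1 if none. */
int resolve(const uint32_t *start, uint32_t addr) {
    for (int id = 0; id < NFUNCS; id++)
        if (addr >= start[id] && addr < start[id] + kFuncs[id].size) return id;
    return -1;
}

/* Small deterministic PRNG (xorshift32) so runs are reproducible. */
static uint32_t xorshift32(uint32_t *st) {
    uint32_t x = *st;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *st = x;
}

/* Fisher-Yates shuffle of the function order: stands in for stirring the
 * binary so each deployed instance gets its own function layout. */
static void stir(int *order, uint32_t *rng) {
    for (int i = NFUNCS - 1; i > 0; i--) {
        int j = (int)(xorshift32(rng) % (uint32_t)(i + 1));
        int t = order[i]; order[i] = order[j]; order[j] = t;
    }
}

/* Take `target`'s address from the unstirred (link-order) layout, then
 * generate n stirred instances and return how many still place `target`
 * at that address. The lower this is, the less an address worked out from
 * one copy of the binary tells an adversary about any other copy. */
int precomputed_address_survivors(uint32_t base, int target, int n, uint32_t seed) {
    int link_order[NFUNCS] = {0, 1, 2, 3};
    uint32_t start[NFUNCS];
    layout(base, link_order, start);
    uint32_t guess = start[target];       /* address valid only for link order */

    uint32_t rng = seed ? seed : 1;       /* xorshift32 must not start at 0 */
    int survivors = 0;
    for (int k = 0; k < n; k++) {
        int order[NFUNCS] = {0, 1, 2, 3};
        stir(order, &rng);
        layout(base, order, start);
        if (resolve(start, guess) == target) survivors++;
    }
    return survivors;
}

int main(void) {
    int n = 200;
    int s = precomputed_address_survivors(0x1000, 2, n, 42);
    printf("link-order address of %s still correct in %d of %d stirred instances\n",
           kFuncs[2].name, s, n);
    return 0;
}
```

With four functions there are only 24 orderings, so a few instances will coincide by chance; a real binary has thousands of functions and the survivor count collapses towards zero, which is the property the text is pointing at. Control flow integrity, mentioned alongside stirring, is the complementary check that even a correctly guessed address is refused unless it is a legitimate control transfer target.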
RASP uses runtime instrumentation to detect and block attacks via information from inside the running software. It differs from perimeter-based protection like firewalls, which can only detect and block attacks by using network information without context. When a threat is detected, RASP prevents exploitation and execution. In other words, it denies malware the uniformity required to propagate.
Importantly, RASP is easy to implement and requires no new investment, software, services or hardware, only a one-time transformation with limited overhead. It doesn’t require access to source code and isn’t dependent on the compiler or operating system. There are no alerts to monitor, and RASP is remotely deployable as binary code that can be cyberhardened via API. It’s far superior to “rip and replace.”
Avoid the Dreaded Phone Call
If you need further motivation, note that SonicWall Capture Labs recorded a total of 5.99 billion malware attacks during the first half of 2018, a greater than 100% increase over the same period in 2017. Moving from traditional detection security defenses to cyberhardening binaries with RASP technology can reduce risk by stopping attacks before they can execute and spread. Doing so may well keep you from fielding a jaw-dropping phone call about malware in your systems, devices or supply chain that has been discovered – and has spread.
About the Author
Lisa Silverman is the vice president of marketing at RunSafe Security, a pioneer of cyberhardening technology for industrial control systems and embedded systems and devices.