Why Hackers Attack ICS Products and How to Stop Them

The number of vulnerabilities identified in Industrial Control System (ICS) products in 2020 increased by 25% from 2019 and 33% from 2018, according to a Claroty report. Hackers can use around 70% of these flaws to access systems remotely. The global instability and increase in remote work caused by the pandemic have played a role in raising the salience of ICS cybersecurity issues. In particular, phishing attacks and spam campaigns are becoming more common.

Hack the Capitol 4.0

On May 4, 2021, ICS Village hosted the online event Hack the Capitol 4.0 to inform a variety of audiences regarding some of the most important cybersecurity challenges we are facing today. Presenter Sharon Brizinov, vulnerability research team lead at Claroty, provided a detailed explanation of the ICS cyber-kill-chain, reasons hackers try to access ICS systems, and how to stop them. Brizinov and his team identify vulnerabilities in ICS systems and report them to companies so they can ameliorate the issues before a hacker exploits them. “We are trying to imitate how hackers think so we can beat them at their own game,” he said.

Most cyber attacks are opportunistic, Brizinov explained. “Attackers obtain a huge database full of emails and passwords then attempt to apply the information in a variety of settings. If even 1% out of one million accounts produces success, it’s an easy game for hackers. What’s most dangerous and critical about this? These hackers can use the emails and passwords to gain remote access.”

Why hackers would attack your ICS system

Brizinov noted that hackers usually try to access ICS systems for either political or financial reasons. Generally, politically-driven hacking attempts are related to cyber warfare between two nation states. “Perhaps they want to infiltrate a specific factory to steal secrets or implant cybersecurity warfare like malware, for example,” he said. Hackers who want to make money could exploit an ICS vulnerability in an automotive factory then demand ransom in return for its removal.

Other specific motivations for hacking an ICS system might include influencing a manufacturing process, obtaining sensitive data, reading a secret recipe, or modifying a PLC configuration.

How hackers attack your ICS system

First, it’s important to understand that different levels of hackers exist. Script kiddies, Brizinov explained, only know how to use tools that other people have developed, and they are even more likely than the average hacker to act opportunistically. Nation-state sponsored hackers, on the other hand, run sophisticated cyber attacks and operations, and are often backed by significant infrastructure. Whatever type of hacker is involved, hacking incidents can have frightening consequences.

Last year, a hacker attempted to poison the water supply of Oldsmar, Fla. The first sign of trouble occurred when an employee at the water treatment plant noticed the cursor on his computer screen appeared to be moving of its own accord, according to a Wired report. However, the employee was initially unconcerned because the team frequently employed remote-access software TeamViewer to share screens. But later in the day, he noticed the phenomenon again and saw the remote threat actor’s attempt to increase the sodium hydroxide in the water. Thankfully, the attempt was not successful.

“A lot of OT networks are connected through a remote access solution, and many people do not understand how critical and insecure remote access tools can be,” Brizinov said. “If an attacker gets the username and password, that person can immediately infiltrate the OT network. This is a very dangerous reality that people need to consider.”

Brizinov described the ICS cyber kill chain using the following sequence of events: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions/objectives (see graphic).

To combat remote hacking, Brizinov recommends vigilance. “Pay close attention to how remote access is utilized in your factory. Who has the credentials? Is there two-factor authentication?”

What you can do to stop threat actors

ICS system administrators and operators are not helpless against these hackers. Brizinov provided several practical steps anyone can take today to protect an ICS system from cyber attacks.

  1. Apply proper two-factor authentication: Rather than using a simple, one-step access system that just involves typing a username and a password, add two-factor authentication, a second line of defense. Sometimes, people employ SMS or text message two-factor authentication, but that is not the best option. Texting was invented many years ago, so this method tends to be less secure. “There have been lots of attacks that involve intercepting and spoofing text messages,” Brizinov noted. Instead, administrators should use authenticator apps that generate codes for two-factor authentication. These apps were invented more recently and with security in mind. “It’s very difficult for hackers to break through this security method,” he said.

  2. Don’t reuse passwords: Though you might think the email address you had in college has nothing to do with your current role, and it would be fine for you to reuse the password because it’s easy for you to remember, reusing passwords is actually very dangerous. “Most of us were registered to one database or another that was leaked at some point,” Brizinov said. “This isn’t our fault, but if we reuse those passwords, we risk creating a vulnerability that a hacker who has seen those databases can exploit.” Alternatively, people should employ password managers that will randomly generate a password.

  3. Employ network segmentation: Another strategy is network segmentation. “Even if the hacker somehow got to a specific location in the network, if the network is segmented correctly, the threat actor should not be able to access the other segments,” Brizinov said.

  4. Have an expert check your system for vulnerabilities: Recently, Brizinov and his team found a critical vulnerability in the remote access solution of secure remote maintenance company Secomea. Because Claroty’s team, rather than a hacker, discovered the vulnerabilities in the system, Secomea was able to fix the issues rather than dealing with a ransomware attack or something similar.

As a closing thought, Brizinov reiterated his most crucial advice: “Be vigilant. Don’t trust emails and passwords [as the only method of defense.] If you see something, say something.”

About The Author

Melissa is the content editor at Automation.com.
