Topics:
Team82’s research is largely focused on the offensive capabilities of attackers seeking to exploit vulnerabilities in operational technology and internet of things devices, including connected medical equipment. All of this work informs defenders on how to best strategize vulnerability management programs, incident response, and their understanding of the tactics, techniques, and procedures favored by state actors and criminal entities.
In this episode of the Nexus podcast, Team82’s Noam Moshe discusses state actor targeting of OT, why it’s so challenging to develop ransomware for OT and industrial control systems, and the mitigation strategies available to defenders of cyber-physical systems, including the importance of collaboration and information sharing. Questions for this podcast were submitted from users through Claroty’s social media channels.
Threats to OT and IoT present different challenges to defenders. Neither state actors, nor criminals, have overtly targeted industrial equipment, instead opting for extortion attacks that are ransomware-based and profit motivated. There may be a shift, as Moshe notes in the podcast, where some APT groups such as the Russia-linked Sandworm operation are targeting utilities in Ukraine. This activity also coincides with kinetic fighting on the ground.
I think the main question to get asked about whether nation states will get into and are actually getting into OT is what is the cost of entering, and what is actually the achieved result,” Moshe points out, adding that attacks against OT could have public safety consequences if successful against electric utilities, water treatment, or other critical infrastructure. “With that also comes the cost of entry which in OT … sometimes you have to invest a lot of time and resources and money.”
Attackers targeting OT have many moving parts to understand, Moshe said. Programmable logic controllers (PLCs) are the heart of many operational processes, and those are often proprietary pieces of technology that are complex to obtain, research, and develop for. Attackers, Moshe said, must weigh the costly barrier to entry and find simpler means to gain a foothold on a targeted network and ultimately disrupt or shut down processes.
“Instead of actually understanding how everything happens and trying to find zero days to implement, they can sometimes just use an engineering workstation with no password or a default password and try to connect and cause some damage this way,” Moshe said. “So I do believe we're going to see an increase in attacks on the OT realm.”
Moshe also fielded questions about the ongoing trend of ransomware and extortion attacks, and why it may not be viable to target OT equipment directly versus crossover points between OT and the enterprise network, such as Windows-based engineering workstations or Human-Machine Interfaces (HMIs)
The conversation also delves into attacks against IoT and whether defenders should be on the hook for the endless security issues with connected devices, or whether manufacturers and vendors need to do a better job securing their products. Moshe meets them somewhere in the middle.
“I don't think it's only on the vendor. I think the main problem with the devices is lack of visibility,” Moshe said. He explains that IoT devices are not Windows devices for the most part, and largely go unmanaged. Asset owners and network operators have no idea these devices are on the network without a proper asset inventory, and cannot secure what they don’t have visility into.
“They are literally blind. And not only that, even the IoT box itself, be it a router, some kind of smart machine, sensor etc., they are also a black box meaning I don't know what's going on under the covers. I don't know what's running. I don't know what's communicating to what,” Moshe said, adding that all of this is a vendor or manufacturer capability.
“I buy it, I install it and then it's just running on its own. I don't know how to control it and what it does. I'm blind to it,” he said. “And I believe this is why we see a lot of risk introduced with IoT devices because it's basically like a huge blind spot for a lot of companies that do put the time, effort, and money into improving their posture and improving their security and making sure they are protected and not the internet exposed.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
