For years, attacks against physical industrial plants have been either largely theoretical or the sophisticated realm of nation-states. While we have looked precisely at this style of attack in other posts, a host of attack automation tools and techniques now appear to be hitting the streets, as highlighted here at Black Hat.
For example, a few years ago, no one would have suspected hacking the HVAC system would result in a major breach, but it did. This year, there are a variety of talks about hacking physical infrastructure, with everything from wind farms, to building automation, to a host of other industrial components.
It’s easy to understand why, as physical infrastructure hasn’t had the same focus on security as other, more traditional IT systems, which have made the headlines for years by getting hacked. Yet these devices now typically contain full processors and operating systems, baked into tiny, cost-effective boards. This means it’s easy to bolt an operating system onto an industrial control system, a building management system, or similar equipment, and with it comes the same attack surface those traditional IT systems have carried for years.
Far fewer vendors of physical plant management systems have a clear-cut patch cycle than do vendors in the traditional IT field. Even among those who do, patching often requires non-standard techniques, including taking equipment offline, which does not endear the operators to the process. For this reason, many systems stay unpatched for years.
Many focus on security through obscurity, hoping attackers won’t turn their attention to the stalwart equipment. Often, this means they are running on very old operating systems where patches are no longer widely available, further hindering efforts to maintain security.
Penetration testers of the future will have to incorporate physical plant attacks into their repertoire, as these embedded devices will represent networked assets and will typically be granted some kind of access to an internal management network.
Here at Black Hat, and later at Def Con, there will be plenty of opportunity to network with others to find the latest tools and techniques to help your infrastructure defense efforts. In many (or most) cases, these tools are available for free or low cost, so they really shouldn’t break the bank.
Meanwhile, training IT staff to recognize this ever-widening attack surface, and giving them the skills to analyze potential vulnerabilities and address them, should be a higher priority.
If you brought them to Black Hat, great, that will be a big jump-start for your organization. If not, you may want to sit in on some of the sessions and take the information back with you.
You might be very glad you did.