If industry cybersecurity frameworks are to inform and secure critical infrastructure writ large, here at Black Hat there are a lot of people punching holes in them, and in simple ways.
It would be one thing if some of the most critical systems had basic protections in place, like encrypted traffic and non-standard passwords, but as the talk on hacking wind farms points out – many or most don’t.
Networks shouldn’t be subject to compromise by MitM (man-in-the-middle) attacks via Raspberry Pi 3 boxes spoofing ARP requests and sending write instructions to halt wind generators suddenly. But they are, and it could happen.
What’s needed to pull this off? Some very simple tools (released here at the show) and some rudimentary physical access.
Once you gain access, you can send commands via a SOAP interface, but also pivot and move laterally between industrial control boxes and continue the nastiness.
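The ARP-spoofing step described above is also the easiest one for an operator to spot on the wire. As an added illustration (not code from the talk, the speaker's team, or this post), here is a small arpwatch-style detector that passively watches ARP replies, keeps the last MAC seen for each IP, and raises an alert when an IP suddenly answers from a different MAC or when one MAC starts claiming several IPs, which is what a box inserting itself between a controller and its gateway looks like. The IPs, MACs and timestamps are constructed sample data, and the optional baseline table is an assumption about how a plant with a fixed inventory might seed the detector.

```python
"""Passive ARP-poisoning detector over observed ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start
    ip: str     # sender protocol address in the reply
    mac: str    # sender hardware address in the reply


# Constructed sample: 192.0.2.1 is the gateway, 192.0.2.20 a controller.
# At t=40 a third station (aa:bb:...) starts answering for both of them.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.0.2.1", "00:11:22:00:00:01"),
    ArpReply(1.0, "192.0.2.20", "00:11:22:00:00:20"),
    ArpReply(30.0, "192.0.2.1", "00:11:22:00:00:01"),
    ArpReply(40.0, "192.0.2.1", "aa:bb:cc:dd:ee:ff"),
    ArpReply(40.5, "192.0.2.20", "aa:bb:cc:dd:ee:ff"),
    ArpReply(41.0, "192.0.2.30", "00:11:22:00:00:30"),
]

Alert = Tuple[float, str, str, str]  # (ts, kind, ip_or_mac, detail)


def detect_arp_spoofing(
    replies: Iterable[ArpReply],
    baseline: Optional[Dict[str, str]] = None,
    max_ips_per_mac: int = 1,
) -> List[Alert]:
    """Return alerts in time order.

    kinds:
      baseline_mismatch - an IP first appears with a MAC that differs from
                          the operator-supplied inventory (hypothetical table)
      mac_changed       - an IP that was answering from one MAC now answers
                          from another (classic cache poisoning)
      multi_ip          - one MAC now claims more IPs than allowed, the usual
                          sign of a host posing as both ends of a conversation
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, set] = defaultdict(set)
    alerts: List[Alert] = []

    for r in sorted(replies, key=lambda x: x.ts):
        prev = ip_to_mac.get(r.ip)
        if prev is None and baseline and baseline.get(r.ip, r.mac) != r.mac:
            alerts.append((r.ts, "baseline_mismatch", r.ip,
                           f"expected {baseline[r.ip]}, saw {r.mac}"))
        elif prev is not None and prev != r.mac:
            alerts.append((r.ts, "mac_changed", r.ip,
                           f"moved from {prev} to {r.mac}"))
        ip_to_mac[r.ip] = r.mac

        # Only alert when this MAC's set of claimed IPs actually grows.
        if r.ip not in mac_to_ips[r.mac]:
            mac_to_ips[r.mac].add(r.ip)
            if len(mac_to_ips[r.mac]) > max_ips_per_mac:
                alerts.append((r.ts, "multi_ip", r.mac,
                               f"claims {sorted(mac_to_ips[r.mac])}"))
    return alerts


if __name__ == "__main__":
    for ts, kind, who, detail in detect_arp_spoofing(SAMPLE_REPLIES):
        print(f"t={ts:6.1f} {kind:18s} {who:20s} {detail}")
```

In a plant with a static inventory, seeding `baseline` from the asset register is more useful than learning on first sight, because the detector then flags the very first spoofed reply rather than waiting for a change.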
Sure, the speaker said his team had worked with manufacturers to plug the holes, but it was surprising how many didn’t seem to listen. Luckily some did, and he worked with them to help keep us all safe.
In our research, there have been surprising gaps in the digital defenses at critical infrastructure providers, and we attempt to educate and assist, but if the default protocols and hardware have default credentials and the operators use old, unsupported or unpatched operating systems, it’s an uphill battle.
When will it change? If enlightened IT staff at critical infrastructure providers can build bridges, they can educate the senior engineers who know how to run the plant, but often know precious little about how packets and networks work.
This is a generational issue: the folks who are very good at running power plants that have basically operated year in and year out for decades have spent their careers perfecting the craft without any “need” for packet networks, and so find little value in them. As they near retirement and are replaced with a generation raised on networks, some of the education will transfer, but that will still take years.
Meanwhile, frameworks intended to secure critical infrastructure, or offer guidance for operators to make it happen, are being rolled out to the industry as a hopeful first step (of many) that will help secure the whole ecosystem.
But since many pieces in the larger ecosystem are interdependent, especially in the event of a cascading failure mode, it can’t come soon enough.
In recent years, there has been an escalation in attempts to gain access to these network-connected systems, which paints a sort of heat map of how interested a potential adversary may be, and they are indeed interested. Now, it will be up to the plant operators to embrace the transition to the more IT-aware environment they find themselves thrust into. Whether or not that will be smooth remains to be seen. But change must come, so that the simple network-based attacks showcased here at Black Hat won’t be effective at taking down vast swaths of the critical infrastructure that we all use and (mostly) take for granted.