THE INDUSTRIAL SECURITY INSTITUTE
OT / industrial / ICS cybersecurity concepts from the perspective of the world’s most secure industrial sites. Truly secure sites ask different questions, and so get different answers. Subscribe to never miss an episode

EPS. 12 – IIoT Pivot
Hacktivists unhappy with the environmental practices of an industrial site learn from the popular press that the site is starting to use new, state of the art, Industrial Internet of Things edge devices from a given vendor. The attackers search the media to find other users of the same components, at smaller and presumably less well defended sites. The hacktivists target these smaller sites with phishing email and gain a foothold on the IT and ICS networks of the most poorly defended of these IIoT client sites. The hacktivists gain access to IIoT equipment at these poorly defended sites and discover that the equipment is running an older version of Linux with many known vulnerabilities, because the poorly defended site has not updated the equipment firmware in some time. The attackers take over one of the IIoT devices. After looking at the software installed on the device, they conclude that the device is communicating through the Internet with a database in the cloud from a well-known database vendor. The attackers download Metasploit to the IIoT device and attack the connection to the cloud database with the most recently released exploits for that database vendor. They discover that the cloud vendor has not yet applied one of the security updates for the database and the attackers take over the database servers in the cloud vendor. In their study of the relational database and the software on the compromised edge devices, the hacktivists learn that the database has the means to order edge devices to execute arbitrary commands. This is a “support feature” that allows the central cloud site to update software, reconfigure the device, and otherwise manage complexity in the rapidly evolving code base for the cloud vendor’s IIoT edge devices. The hacktivists use this facility to send commands, standard attack tools and other software to the Linux operating system in the edge devices in the ICS networks the hacktivists regard as their legitimate, environmentally irresponsible targets. Inside those networks, the attackers use these tools and remote command facilities to carry out reconnaissance for a time and eventually erase hard drives or cause what other damage they can, triggering unplanned shutdowns. In short, hacktivists attacked a heavily defended client of cloud services by pivoting from a poorly defended client, through a poorly defended cloud.

THE TOP 20 CYBERATTACKS ON INDUSTRIAL CONTROL SYSTEMS
These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. In this series we show how to use the Top 20 Cyberattacks to compare the strength of two security postures at a hypothetical water treatment plant: Defence in depth 2013 (software based security) vs. that same security posture plus a unidirectional security gateway device providing hardware enfonced security). We ask the question, does either defensive posture reliably defeat each attack? Over the course of 20 episodes we build a score card that can be used to easily communicate risk reduction benefits to business decision makers who are not familiar with cyber security.

ABOUT ANDERW GINTER
At Waterfall, Andrew leads a team of experts who work with the world’s most secure industrial sites. He is author of two books on industrial security, a co-author of the Industrial Internet Consortium’s Security Framework, and the co-host of the Industrial Security Podcast. Andrew spent 35 years designing SCADA system products for Hewlett Packard, IT/OT connectivity products for Agilent Technologies, and OT/ICS security products for Industrial Defender and Waterfall Security Solutions.