Easy Prey
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Many cybersecurity prognosticators have warned of the rapidly emerging threat from an expanded IoT space, and as you have probably noticed, we are not only failing to improve our cybersecurity defenses; recent data suggests we are falling even further behind while the bad guys rapidly progress in the other direction.
Everyone paying even the slightest bit of attention has heard that cybercrime is expected to hit $6 trillion by 2021 and cybersecurity spending will grow to $1 trillion by that same date. Gartner says that unfilled cybersecurity jobs will triple to 3.5 million by then and global ransomware costs are expected to increase by 15 times just in 2018 alone. At the same time, fewer new cybersecurity startups are being funded as venture investors are only interested in significant breakthroughs and differentiators and they are finding very few that look promising.
In addition, VC firms have increased their investment in late-stage opportunities and are doubling down on a very few cybersecurity plays that have been around a while, aggressively participating in follow-on rounds for companies with the potential to lead their markets. These are the same technologies that did such a good job of combating WannaCry and NotPetya. This may be great for VCs and their LPs, but it does nothing for the increasing need to roll out advanced technology solutions that address machine-to-machine attack vectors and quantum-computing-based malware.
In short, all of this is obviously not good news for the cybersecurity industry. But what may not appear so obvious is the apparent lack of concern about IoT vulnerabilities among the people who build the critical infrastructure SCADA devices upon which our energy, communication, military defense and transportation infrastructure depend, or among the supposed watchdog agencies responsible for assuring their safety and security.
Losing a ton of financial records containing sensitive information on 145 million customers is apparently not that big a deal because if it was, every company on the planet would be rushing to arm themselves with the best and brightest cyber defense technologies and skilled management services they can get their hands on.
Since they’re not, one can only assume that the Equifax event was a one-off, an anomaly that likely won’t repeat anytime soon, sort of like a big earthquake. And IoT, with an acknowledged set of vulnerabilities, must fall into the category of concern that we noted in our last post: one that won’t get any budgetary attention until a big attack occurs.
We might not have to wait very long. Last Thursday, Schneider Electric SE announced that hackers had exploited a flaw in its Triconex technology and used it to halt operations at an undisclosed industrial facility. The Schneider system is widely used in nuclear facilities, oil and gas plants, mining, water treatment facilities and other plants to safely shut down industrial processes when hazardous conditions are detected. This particular attack exploited a previously unknown vulnerability in the Triconex firmware that allowed attackers to install a remote-access Trojan that would enable them to shut down an entire facility, regardless of conditions.
If that isn’t scary enough, a group of cybersecurity researchers just released findings from a 2017 study they conducted that identified 147 specific vulnerabilities in 34 mobile applications used in tandem with Supervisory Control and Data Acquisition (SCADA) systems (aka industrial IoT).
These vulnerabilities allow attackers to get into an industrial network infrastructure and disrupt a process or direct a SCADA operator to perform a harmful action on the system.
These researchers tested 34 mobile applications randomly selected from the Google Play store and found them vulnerable to unauthorized physical access, communication channel compromise, man-in-the-middle attacks, and application compromise. This research reinforces the fact that mobile applications are increasingly riddled with vulnerabilities that could have fatal consequences for the SCADA systems that operate industrial control systems. How?
Here’s how: an attacker could easily influence an industrial process or network infrastructure by sending data through a compromised mobile app that would be carried over to field segment devices in an industrial control system (ICS), suggesting to the operator that environmental conditions exist when they do not and causing the operator to trigger alarms and/or bring the entire system to a halt.
No physical access to the smart phone, ICS application or the network is required.
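The spoofed-reading path described above has a defensive counterpart on the receiving side: the ICS network should not relay a reading from a mobile app to the operator console or field segment just because it arrived. The gateway below is an added example, not code from the article or from the research it cites; it assumes a hypothetical per-device HMAC key provisioned out of band and a constructed plausibility envelope for one pressure tag, and it rejects readings that were altered in transit, replayed, or signed by a compromised app yet physically implausible.

```python
import hashlib, hmac, json

# Constructed per-device keys; real deployments provision these out of band.
DEVICE_KEYS = {"pump-7": b"constructed-demo-key-for-pump-7"}
# Constructed plausibility envelope per tag: (min, max, max change per reading).
TAG_LIMITS = {"pump-7/pressure_psi": (0.0, 300.0, 25.0)}


def sign(key: bytes, body: dict) -> str:
    # HMAC-SHA256 over a canonical JSON encoding of the reading.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class TelemetryGateway:
    # Sits between the mobile app and the ICS network; decides whether a reading
    # may be forwarded to the operator console or the field segment.
    def __init__(self, keys, limits, max_skew=30):
        self.keys, self.limits, self.max_skew = keys, limits, max_skew
        self.last_seq = {}  # device -> last accepted sequence number
        self.last_val = {}  # tag -> last accepted value

    def accept(self, msg: dict, now: int):
        body, dev = msg["body"], msg["body"]["device"]
        key = self.keys.get(dev)
        if key is None or not hmac.compare_digest(sign(key, body), msg["mac"]):
            return False, "bad mac"  # unknown device or altered in transit
        if abs(now - body["ts"]) > self.max_skew:
            return False, "stale timestamp"
        if body["seq"] <= self.last_seq.get(dev, -1):
            return False, "replayed sequence"
        # Plausibility: a correctly signed reading from a compromised app must
        # still fit the physical envelope before it is allowed to raise an alarm.
        tag = f"{dev}/{body['tag']}"
        lo, hi, step = self.limits[tag]
        value, prev = body["value"], self.last_val.get(tag)
        if not lo <= value <= hi:
            return False, "out of range"
        if prev is not None and abs(value - prev) > step:
            return False, "implausible jump"
        self.last_seq[dev], self.last_val[tag] = body["seq"], value
        return True, "ok"


def demo():
    # Constructed traffic: honest reading, tampered copy, replay, then a signed
    # but physically implausible reading and a signed plausible one.
    gw, now, key = TelemetryGateway(DEVICE_KEYS, TAG_LIMITS), 1_700_000_000, DEVICE_KEYS["pump-7"]
    def reading(seq, value):
        body = {"device": "pump-7", "tag": "pressure_psi", "seq": seq, "ts": now, "value": value}
        return {"body": body, "mac": sign(key, body)}
    honest = reading(1, 120.0)
    tampered = {"body": dict(honest["body"], value=290.0), "mac": honest["mac"]}
    return [gw.accept(m, now)[1] for m in (honest, tampered, honest, reading(2, 280.0), reading(3, 130.0))]
```

A rejected reading is a detection event in its own right: forward the reason and the device id to the SOC rather than silently dropping it.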
This simple flaw should underscore the need for developers to bake security into products from the get-go, but instead we see a pattern of failure that only worsens over time. Initial research conducted in 2015 found and published a total of 50 separate cybersecurity issues in 20 mobile applications used to control ICS software and hardware. When the researchers retested two years later, instead of the expected decrease in cybersecurity issues they found an increase of almost 2 new vulnerabilities per application tested.
While this research should be alarming, it appears instead that these mobile applications, which are commonly used for controlling mission-critical industrial control systems, continue to be created without any thought to security at all. And while the energy sector presents the highest-value targets to attackers, there are few incentives for energy administrators to make changes, and the sheer size of the operator community makes cybersecurity a difficult challenge.
Generation, transmission, and distribution providers in the North American power sector, including municipal utilities and electric cooperatives, constitute more than 3,200 separate and diverse entities. Just getting 3,200 entities to adopt best practices is probably impossible.
A report from the GAO (Government Accountability Office) in 2017 found that the Defense Department’s policies on Internet of Things devices are insufficient to guard against potential security risks and issued the warning that “IoT devices are designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and U.S. government systems”.
The GAO went so far as to identify a series of risk points at which an IoT device could be compromised, from malware installation during a device’s construction to lack of software patches that make it vulnerable to attack, though they did not include these recently detected remote mobile triggers about which they claimed to be unaware.
So, none of this should come as a surprise to anyone in cybersecurity, or even to the power company operators, but all of it leads to the conclusion that until we are on the receiving end of a cybersecurity nuclear-strike equivalent, neither business nor government is ever going to take these threats seriously.
You can lead horses to water but getting them to drink is apparently something else entirely.
Retired (6 years ago)
As a retired system programmer, I don't expect to have any impact on the whole IoT security mess, but there's one thing I can do. I can refuse to buy any IoT devices for my house. We have 4 computers and a network, all protected by strong passwords. I'm not adding anything to that. And if Amazon seriously thinks I'm going to buy an IoT lock for my front door so they can deliver packages to my house when I'm not there, they need to think again.
Researcher / Writer / Community Systems Builder (6 years ago)
Nothing infuriates me more than when humans are reactive instead of proactive, and cyber security is one of the biggies. I'm all about planning ahead and considering all possible unintended consequences. It's much easier and less expensive to prevent a problem from happening than having to deal with it after it happens. The latter often involves unnecessary fatalities. The predicted results of the Y2K scare may actually happen soon, although it will not be due to that factor but rather to the lack of planning for adequate cyber security. When I was a child, I had a premonition that during my lifetime, something catastrophic would happen that would cause us to have to start technology all over again from ground zero. The tech that existed when I was a child was extremely limited, so I was thinking no electricity or running water and having to go back to candles for light. In recent years, when my area lost electricity and computers went down, every business was non-functional because it depended entirely upon computers. If you didn't have cash you couldn't get anything, and even if you had cash, businesses couldn't get needed parts because, in their own words, they had no computer access.