Hacked air conditioning and plummeting elevators?

Imagine that you are in an elevator in a high rise building when suddenly the elevator starts to plummet with no apparent stopping mechanism other than the concrete foundation below.  While this may sound like something from a Hollywood movie, consider the idea that a securely tethered, fully functional elevator is as vulnerable as it is smart.

Wired.com explored the possibilities for hacking an electricity grid via an air conditioning unit several years ago. To summarize, an electric company offered customers a discount to place a governor on an air conditioner. This allowed the electric company to adjust the air conditioner to maintain control to prevent power dips and surges during extreme demand. In doing so, the electric company introduced an Industrial Control System (ICS) into every residence that accepted the offer. 

However, as the Wired.com article explains, these ICS devices were not secured against unauthorized access, leaving them vulnerable to widespread attacks that could cause the problems they were trying to prevent. An attacker could control multiple devices, causing them to create a power dip, or a surge, by doing the opposite of what the electric company commanded.

There are many reasons why the cybersecurity of industrial control systems presents unique challenges. Unclear or overlapping responsibilities, technical issues, lack of security awareness on the part of the ICS operators, and insufficient ICS knowledge on the part of security experts are just some examples. Yet, most of these systems are vital for the business continuity and commercial success of their organizations; they should therefore be seen as critical infrastructure.

The range is huge, from data centre air conditioning, fire alarm systems, elevators, and electronic locking systems to refrigerator controls and connected coffee machines. These systems are usually outside the control of the cybersecurity officer, who may not even know which systems are on the network. As a result, the potential risk of a cyberattack targeting the data centre air conditioning system is not even considered even though it is accessible for remote maintenance.

Digital transformation encompasses various and complex use cases including heating, ventilation, and air conditioning (HVAC), electricity management, lighting control, video surveillance, access control systems, and elevator controls. On top of that, there are connected sensors and devices such as cameras, thermostats, and light sensors. Each of these systems promises considerable savings in operating and energy costs but also increases the attack surface for cyber threats and adds to the complexity of security management. Every system and individual device, and even each version and revision of every system or device, has its own specific and often unique cyber risks.

The Risks are Real

Cyber criminals have already compromised an enterprise network via an HVAC system in the successful cyberattack on U.S. retail chain Target. From the HVAC system, they moved laterally through the network to the retailer’s financial systems, where they stole more than 40 million credit card records.

This summer, Ripple20 rocked the IoT world. This is the name given to 19 vulnerabilities found in a TCP/IP software library, some of which are critical. As all network traffic is processed by the TCP/IP stack, any bug in a TCP/IP library can lead to major vulnerabilities. The Ripple20 discovery endangers a huge range of appliances, including power sockets and medical devices but also ICS sensors. It was discovered and named by researchers at the Israeli security firm JSOF, who also determined that attackers could use the vulnerabilities to infiltrate and execute their own code (Remote Code Execution) or to exfiltrate critical data.

Another attack vector cyber criminals can use to disrupt and compromise normal operations is insecure industrial protocols. Popular protocols in building automation and in manufacturing were not designed with security in mind and contain unique vulnerabilities. Savvy attackers know these vulnerabilities and exploit them, for example, to access controllers and other devices and issue commands that disrupt their operation.

Cybersecurity for People, Processes, and Technologies

Protecting people, processes, and technologies under these conditions is a serious challenge. Solutions, such as installing updates, segmenting networks, or implementing antivirus software are often not possible for the following reasons:

  • Updates are not always available or may alter the behavior of the program they are intended to protect.
  • Layer 2 protocols and real-time demands make network segmentation impractical.
  • Implementing additional software could void warranties or introduce new problems.

These problems indicate that security can itself become a business risk, but at least this risk is quantifiable, provided that all components and vulnerabilities, as well as the whole communications process, are comprehensively documented. The best tool to collect this information is a passive software solution that does not impede the running of a facility or system. The collected data can then be used to develop an appropriate security strategy and to answer the following questions:

  • Which system can easily be updated to the latest versions?
  • Which systems need to be better protected?
  • Where should firewalls be positioned?
  • Which facilities need enhanced protection?

You cannot protect what you cannot monitor. The obvious (although tedious and time-consuming) method would be to collect all logging data and scan them for known malicious patterns and other anomalies. You could make things a little easier for yourself by using the same solution for this task as for the documentation of your plant. With 24/7 monitoring, you can make life a lot easier for your operators, your organisation, and your security team. This monitoring should deliver all the data you need, not just about any threats, unusual behavior patterns and alerts but also about new devices on the network. The monitoring system should also keep you up-to-date about new vulnerabilities and attack methods. Ideally, it should give you a framework for evaluating (and, if necessary, enhancing) your organisation’s cybersecurity posture.
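The passive inventory and new-device alerting described above, as an added example that is not code from the original article. The flow records, device addresses and baseline names are constructed; the two port-to-protocol entries (Modbus/TCP on 502, BACnet/IP on 47808) are real cleartext building-automation protocols used here as a deliberately short, illustrative list.

```python
"""Passive device inventory and new-device detection from flow records.
Added example, not code from the article. All records below are constructed,
the way a passive sensor or firewall log export might look."""
from collections import defaultdict

# Cleartext industrial protocols worth flagging (assumption: illustrative
# list, not the full set a real sensor would recognise).
CLEARTEXT_ICS_PORTS = {502: "Modbus/TCP", 47808: "BACnet/IP"}

# Constructed baseline: devices documented during the initial passive survey.
BASELINE = {"10.20.0.10": "hvac-controller", "10.20.0.11": "chiller-plc",
            "10.20.0.50": "bms-server"}

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
FLOWS = [
    ("2020-09-01T08:00:00", "10.20.0.50", "10.20.0.10", 47808),
    ("2020-09-01T08:00:05", "10.20.0.50", "10.20.0.11", 502),
    ("2020-09-01T08:02:10", "10.20.0.77", "10.20.0.11", 502),   # undocumented host
    ("2020-09-01T08:03:00", "10.20.0.77", "10.20.0.50", 22),
]

def build_inventory(flows):
    """Return {ip: set of (port, protocol)} for every host seen on the wire;
    a host that only acts as a client gets an empty set."""
    inventory = defaultdict(set)
    for _ts, src, dst, port in flows:
        _ = inventory[src]  # register the talker even if it serves nothing
        inventory[dst].add((port, CLEARTEXT_ICS_PORTS.get(port, f"tcp/{port}")))
    return dict(inventory)

def find_new_devices(inventory, baseline):
    """Hosts observed on the network that the documentation does not know."""
    return sorted(ip for ip in inventory if ip not in baseline)

def find_cleartext_ics_talkers(flows, baseline):
    """Alerts (src, dst, protocol): an undocumented host speaking an
    industrial protocol to a controller is worth a look, not just a log line."""
    return [(src, dst, CLEARTEXT_ICS_PORTS[port])
            for _ts, src, dst, port in flows
            if port in CLEARTEXT_ICS_PORTS and src not in baseline]

if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    print("new devices:", find_new_devices(inv, BASELINE))
    print("alerts:", find_cleartext_ics_talkers(FLOWS, BASELINE))
```

Feeding the same flow records into the inventory and into the alerting keeps the documentation and the monitoring in step, which is the point the paragraph makes about reusing one solution for both tasks.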

The Worst Case Scenario: What To Do If You Discover an Attack in Progress?

This is obviously one of the key questions. What is the use of discovering an attack if you don’t know how to respond to it? Any intervention by a cybersecurity team might itself take a compromised system down, for example the data centre air conditioning. This usually means that the attack cannot be analysed and evaluated any more.

It is therefore vital to establish in advance who should be involved in the response to which kind of incident and to define clear incident response processes. You should also classify all your devices and determine which are business critical, which could disrupt operations and which are not absolutely necessary for routine operations. Based on this classification you can act faster and in a more targeted fashion when every second counts. Once you have succeeded in containing an attack, you need to decide how to restore your facility to its original state and which additional security measures you want to take to prevent similar incidents in the future.

When Backups Alone are Not Enough

Ransomware remains a significant threat, especially for critical infrastructure industries. Now, there are even “Ransomware as a Service” offerings for novice threat actors who want to get involved in this lucrative branch of cybercrime. The same is true for targeted attacks on operations technologies and ICS. Once in the network, malware often remains undetected for a significant amount of time without causing visible damage. That’s why operators should not rely solely on a good backup strategy but also use tools that document any changes, monitor the integrity of an environment and take care of configuration management. That way, you can for example avoid reverting to a backup that was created after your system was infected.
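The change-detection and integrity-tracking idea in the paragraph above, as an added example that is not code from the article: configuration snapshots are fingerprinted, unapproved changes are located, and the newest backup that still predates the last known-good snapshot is selected. The device, its snapshots, the backup timestamps and the (empty) change-ticket record are all constructed.

```python
"""Configuration change detection used to pick a restore point that predates
an intrusion. Added example, not code from the article; every snapshot,
backup timestamp and ticket below is constructed."""
import hashlib

def fingerprint(config_text: str) -> str:
    """SHA-256 of a device's exported configuration."""
    return hashlib.sha256(config_text.encode()).hexdigest()

# Constructed snapshots of one controller's config, as a documentation tool
# might store them: (ISO timestamp, exported configuration text).
SNAPSHOTS = [
    ("2020-08-01T06:00", "setpoint=21.0\nremote_maint=off\nusers=ops\n"),
    ("2020-08-10T06:00", "setpoint=21.0\nremote_maint=off\nusers=ops\n"),
    ("2020-08-15T06:00", "setpoint=21.0\nremote_maint=on\nusers=ops,svc2\n"),
    ("2020-08-22T06:00", "setpoint=21.0\nremote_maint=on\nusers=ops,svc2\n"),
]
# Constructed backup timestamps and the change-management record of snapshot
# timestamps covered by an approved ticket (none in this window).
BACKUPS = ["2020-08-05T01:00", "2020-08-12T01:00", "2020-08-20T01:00"]
APPROVED_CHANGES = set()

def detect_changes(snapshots, approved):
    """Return (last_known_good_ts, detected_ts) for each fingerprint change not
    covered by a ticket. The change happened somewhere inside that window,
    not necessarily at detected_ts, which is why both ends are kept."""
    changes, prev_ts, prev_fp = [], None, None
    for ts, cfg in snapshots:
        fp = fingerprint(cfg)
        if prev_fp is not None and fp != prev_fp and ts not in approved:
            changes.append((prev_ts, ts))
        prev_ts, prev_fp = ts, fp
    return changes

def last_clean_backup(backups, changes):
    """Newest backup older than the last snapshot still known good, so that a
    restore cannot reintroduce a change made inside the detection window.
    ISO-8601 timestamps compare correctly as strings."""
    if not changes:
        return max(backups) if backups else None
    last_good = min(window[0] for window in changes)
    clean = [b for b in backups if b < last_good]
    return max(clean) if clean else None

if __name__ == "__main__":
    found = detect_changes(SNAPSHOTS, APPROVED_CHANGES)
    print("unapproved change windows:", found)
    print("restore from:", last_clean_backup(BACKUPS, found))
```

Note that the backup from 12 August looks clean by its date but falls inside the window in which the unapproved change could have been made, so the function deliberately passes over it.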

The UK’s National Cyber Security Centre also provides recommendations for hardening industrial components and processes against cyberattacks. There are many solutions on the market that could help you to implement, enforce, and evolve your security policies. Some easily implemented options include passive scanning tools, threat intelligence in DNS response policy zones, configuration change detection solutions, deep packet inspection for industrial protocols, and a network access control solution.

Many of these approaches have already proven their value in commercial settings. It is also worth evaluating existing technologies for their suitability for process networks, especially with regards to improving transparency for cybersecurity.

To do all this effectively, however, information technology and operational technology teams would need to understand each other better. To promote this understanding, one member of each team could spend some time working in the other team or partner organisation to gain an in-depth, hands-on understanding of each other’s routine operations.

Security violations cannot be prevented altogether – there will always be external threats, malicious insider activities, and human error. This means that IT and OT teams have to cooperate closely to protect the critical systems in their facilities comprehensively and effectively.