By Cameron Camp
For years, attacks against physical industrial plants have been either largely theoretical or the sophisticated realm of nation-states. While we have spent time looking precisely at this style of attack in other posts, it seems a host of attack automation tools and techniques are starting to hit the streets, as highlighted here at Black Hat.
For example, a few years ago, no one would have suspected hacking the HVAC system would result in a major breach, but it did. This year, there are a variety of talks about hacking physical infrastructure, with everything from wind farms, to building automation, to a host of other industrial components.
It’s easy to understand, as physical infrastructure hasn’t had the same focus on security as other, more traditional IT systems, which have made the headlines for years by getting hacked. But these physical systems now typically have full embedded processors and operating systems, baked into tiny full-fledged computers that are cost effective. This means it’s easy to bolt an operating system onto an industrial control system, a building management system, or other similar equipment.
Far fewer vendors of physical plant management systems have a clear-cut patch cycle than do vendors in the traditional IT field. Even for those who do, patching often requires non-standard techniques, including taking equipment offline, which does not endear the operators to the process. For this reason, many systems stay unpatched for years.
Many rely on security through obscurity, hoping attackers won’t turn their attention to the stalwart equipment. Often, this means the equipment is running on very old operating systems for which patches are no longer widely available, further hindering efforts to maintain security.
Penetration testers of the future will have to incorporate physical plant attacks into their repertoire, as these embedded devices will represent networked assets, and typically will be granted some kind of access to an internal management network.
Here at Black Hat, and later at Def Con, there will be plenty of opportunity to network with others to find the latest tools and techniques to help your infrastructure defense efforts. In many (or most) cases, these tools are available for free or low cost, so they really shouldn’t break the bank.
Meanwhile, training IT staff to recognize this ever-widening attack surface, and giving them the skills to analyze potential vulnerabilities and address them, should be a higher priority.
If you brought them to Black Hat, great, that will be a big jump-start for your organization. If not, you may want to sit in on some of the sessions and take the information back with you.
You might be very glad you did.