By Cameron Camp
If industry frameworks are to inform and secure the
critical infrastructure writ large, here at Black Hat there are a lot of people
punching holes in them, and in simple ways.
It would be one thing if some of the most critical
systems had basic protections in place, like encrypted traffic and
non-standard passwords, but as the talk on hacking wind farms points out – many
or most don’t.
Networks shouldn’t be compromised by man-in-the-middle (MitM)
attacks from Raspberry Pi 3 boxes spoofing ARP replies and sending write instructions
to halt wind generators suddenly. But they can be, and they are.
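The ARP spoofing the talk describes leaves a visible trace on the wire: an IP address that was answered by one MAC is suddenly answered by another, and a single box starts answering for several hosts at once. The following detector is an added example (not code from the post or the talk) showing how an operator watching a mirror port on a flat control-network segment could flag both patterns; the ARP reply records, host names and addresses are constructed for the example, and seeding the binding table from an asset inventory is this example's own design choice.

```python
"""ARP cache-poisoning detector for a flat control-network segment.

Added example, not from the original post. It consumes ARP replies (as a
SPAN/mirror port would show them) and raises alerts when an IP address is
suddenly claimed by a different MAC, or when one MAC answers for several
IPs within a short window. Records and sample values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since capture start
    sender_ip: str   # IP address the reply claims to answer for
    sender_mac: str  # MAC address the reply binds that IP to


@dataclass(frozen=True)
class Alert:
    kind: str        # "ip_mac_change" or "mac_claims_many_ips"
    ts: float
    ip: str
    mac: str


class ArpSpoofDetector:
    def __init__(self, known: Optional[Dict[str, str]] = None,
                 window_s: float = 30.0, max_ips_per_mac: int = 1):
        # ip -> mac. On a static ICS segment, seed this from the asset
        # inventory so a box already on the wire is not "learned" as legitimate.
        self.bindings: Dict[str, str] = dict(known or {})
        # mac -> [(ts, ip)] claims seen inside the sliding window
        self.claims: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
        self.window_s = window_s
        self.max_ips_per_mac = max_ips_per_mac

    def observe(self, r: ArpReply) -> List[Alert]:
        alerts: List[Alert] = []
        prev = self.bindings.get(r.sender_ip)
        if prev is None:
            self.bindings[r.sender_ip] = r.sender_mac
        elif prev != r.sender_mac:
            # Conflict: keep the first binding instead of following the
            # newcomer; re-binding should be an operator decision.
            alerts.append(Alert("ip_mac_change", r.ts, r.sender_ip, r.sender_mac))

        # Drop claims older than the window, then add this one.
        recent = [(t, ip) for t, ip in self.claims[r.sender_mac]
                  if r.ts - t <= self.window_s]
        recent.append((r.ts, r.sender_ip))
        self.claims[r.sender_mac] = recent
        if len({ip for _, ip in recent}) > self.max_ips_per_mac:
            alerts.append(Alert("mac_claims_many_ips", r.ts, r.sender_ip, r.sender_mac))
        return alerts


def run_detector(replies: List[ArpReply],
                 known: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Feed a batch of replies through one detector and collect every alert."""
    det = ArpSpoofDetector(known=known)
    out: List[Alert] = []
    for r in replies:
        out.extend(det.observe(r))
    return out


# Constructed inventory: a controller and a turbine gateway on one segment.
KNOWN_HOSTS = {
    "10.0.0.10": "aa:aa:aa:aa:aa:10",   # controller (constructed)
    "10.0.0.20": "aa:aa:aa:aa:aa:20",   # turbine gateway (constructed)
}

# Constructed capture: normal traffic, then a third MAC claiming both hosts.
SAMPLE_REPLIES = [
    ArpReply(0.0, "10.0.0.10", "aa:aa:aa:aa:aa:10"),
    ArpReply(1.0, "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(5.0, "10.0.0.10", "aa:aa:aa:aa:aa:10"),
    ArpReply(12.0, "10.0.0.10", "de:ad:be:ef:00:01"),  # poisoning begins
    ArpReply(12.5, "10.0.0.20", "de:ad:be:ef:00:01"),  # same MAC, second host
    ArpReply(13.0, "10.0.0.10", "aa:aa:aa:aa:aa:10"),  # real controller still there
]

if __name__ == "__main__":
    for a in run_detector(SAMPLE_REPLIES, KNOWN_HOSTS):
        print(f"t={a.ts:5.1f} {a.kind:20s} ip={a.ip} mac={a.mac}")
```

Two alerts fire when the newcomer MAC first claims each host, and a third fires as soon as it has claimed more than one IP inside the window. Gateways doing proxy ARP legitimately answer for many addresses, so on a real segment `max_ips_per_mac` should be raised for, or the rule exempted for, those inventoried devices.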
What’s needed to pull this off? Some very simple
tools (released here at the show) and some rudimentary physical access.
Once you gain access, you can send commands via a
SOAP interface, but also pivot and move laterally between industrial control
boxes and continue the nastiness.
Sure, the speaker said his team had worked with
manufacturers to plug the holes, but it was surprising how many didn’t seem to
listen. Luckily some did, and he worked with them to help keep us all safe.
In our research, there have been surprising gaps in
the digital defenses at critical infrastructure providers, and we attempt to
educate and assist, but if the default protocols and hardware have default
credentials and the operators use old, unsupported or unpatched operating
systems, it’s an uphill battle.
When will it change? If enlightened IT staff at
critical infrastructure providers can build bridges, they can educate the
senior engineers who know how to run the plant, but often know precious little
about how packets and networks work.
This is a generational issue, as the folks who are
very good at running power plants that have basically operated year in and year
out for decades have spent their careers perfecting the craft without any
“need” for packet networks, and so find little value in them. As they near retirement
and are replaced with a generation raised on networks, some of the education
will transfer, but that will still take years.
Meanwhile, frameworks intended to secure critical
infrastructure, or offer guidance for operators to make it happen, are being
rolled out to the industry as a hopeful first step (of many) that will help
secure the whole ecosystem.
But since many pieces in the larger ecosystem are
interdependent, especially in the event of a cascading failure mode, it can’t
come soon enough.
In recent years, there has been an escalation
in attempts to gain access to these network-connected systems, which paints
sort of a heat map of how interested a potential adversary may be, and they are
indeed interested. Now, it will be up to the plant operators to embrace the
transition to a more IT-aware environment they find themselves thrust into. Whether
or not that will be smooth remains to be seen. But change must come, so that
simple network-based attacks showcased here at Black Hat won’t be effective at
taking down vast swaths of the critical
infrastructure that we all use and (mostly) take for granted.