Posted by Geraldine Hunt on Fri, Sep 13th, 2019
In 2015, Russian attackers were able to cause blackouts for 230,000 residents due to remote control software distributed using spear-phishing attacks. It was an unprecedented moment that reminded government agencies and utility organizations that hackers can do more than just steal data. They had affected infrastructure, which set the course for future attacks on SCADA machines.
The New March Attack on US Infrastructure
The US utilities attack in March 2019 was a reminder that federal infrastructure should take precautions to protect from common attacks. The latest attack took advantage of firewall misconfigurations allowing an attacker to continually reboot the system. The outages were very brief – five-minute intervals – but the issue persisted for 10 hours. The attack wasn’t as devastating as the attack in Ukraine, but it was a reminder that firewall settings and firmware should always be reviewed regularly to patch them for any open, public cybersecurity issues.
The North American Electric Reliability Corporation (NERC) released a “lessons learned” document that highlighted what happened and what the targeted organization did to remedy the cybersecurity event. The document reveals that the issue was with firewall vulnerabilities, many of them public exploits run by scripts available to anyone who had limited skills to run them and scan for infrastructure misconfigurations.
Patching Firewalls with the Latest Firmware
As organizations grow, it’s not uncommon for IT staff to lose track of infrastructure across the network. Every firewall should be scanned for vulnerabilities, but it’s especially important for organizations to regularly audit and penetration test public-facing firewalls for any known issues. Manufacturers announce cybersecurity issues found in equipment along with patches published to fix vulnerabilities. If IT does not keep track of the latest threats, patches, and notifications, the organization could be exposed to known attacks.
It’s critical that IT staff always takes time to review and audit equipment. Attackers create scripts that scan thousands of machines for vulnerabilities. Scripts are made public allowing even attackers with limited exploitation skills to perform commands against the system. Unskilled attackers can cause just as many issues as skilled ones when public scripts are available.
Lessons Learned by NERC That Can Help Other Organizations
The affected devices were all perimeter equipment, which means that it was public-facing critical routers used to block traffic from spilling into the private network. It’s not unusual for these devices to have continual scans made against them as attackers from around the globe search for vulnerabilities. IT staff can identify critical cybersecurity events, however, but reviewing logs and setting notifications should suspicious traffic leak into the internal network.
After reading logs, IT staff at the unnamed utility was able to quickly deploy a patch that stopped the unauthorized reboots of their system. The reboots themselves did not cause any noticeable issues to consumers, but they cut off communications between utility components and engineers. In some cases, these minor attacks can be used to test system resources and staff response. If attackers notice slow response times or identify lack of notifications, they could launch more critical attacks against infrastructure causing serious possible injury from lost power across a grid.
Perimeter firewalls are global cybersecurity defense mechanisms, so lessons learned from the NERC incident can be applied to any organization. The primary lesson is to always audit and patch firewalls. IT staff can review firewall vendors specific to deployed equipment or search and read the Common Weakness Enumeration site for the latest known issues. Before deploying any solution including patches, IT staff should test the changes in a sandboxed environment. Patches with misconfigurations can also be sources of vulnerabilities for attackers.
Limiting the Attack Surface
It’s not uncommon for organizations to have a demilitarized zone (DMZ) where public-facing equipment is outside of the internal network, but these systems should be limited. Only systems necessary for the public should be outside of perimeter firewalls. Organizations should strive to limit their attack surface by only placing mission-critical equipment outside of protective firewalls that absolutely need public access.
Any employee or vendor that needs access to the internal network from the outside should be using a VPN. Use of a VPN will protect for eavesdropping where attackers could possibly obtain user credentials with access to the local network.
Finally, firewall configurations should use access control lists (ACLs) to allow only authorized users. Use a whitelist of IP addresses (if possible) to limit inbound traffic and stop access from unknown locations. The firewall rules should block everyone except IP addresses on the whitelist, which stops many unauthorized attacks including the one that recently occurred for the US utility.
Multi-layered security is essential
A successful cyber-attack must overcome all the security systems put into place to protect against it. This requires knowledge and persistence by the cybercriminals. Now more than ever, IT Pros need to double down on security and layer up. Only a multi-layered security approach can provide the protection you need against increasingly sophisticated cyber-threats.