Welcome to the official blog of the International Society of Automation (ISA) Global Cybersecurity Alliance.
With Many Automation Professionals Working from Home, Cybersecurity Exposure Is Rising

One of the commonly targeted pathways into an industrial automation and control system (IACS) is through compromised remote access such as virtual private networks (VPNs) and remote desktop protocol (RDP). During the stay-at-home orders and other self-quarantining measures around the globe to combat the COVID-19 pandemic, many automation engineers for industrial facilities have increased their use of remote connections to provide support for their sites from home. Remote access has allowed for essential support to maintain the operations for critical facilities, but also results in increased cybersecurity exposure for IACS.

Last year, Microsoft released an advisory for known vulnerabilities in Remote Desktop Services that, when exploited, allow attackers to gain remote control of legacy Microsoft systems such as Windows 7, Windows Server 2008/2008 R2, and older systems like Windows 2003 and Windows XP via RDP [1]. Because many industrial control networks contain a mixture of legacy and updated systems for operator and engineering workstations, as well as other network devices, these vulnerabilities can pose a significant risk. If targeted malware is executed on one of these outdated devices, there is the potential for it to affect other devices (even more recent ones) on the compromised network. This has already happened in the past with the NotPetya attack, where vulnerable devices were used as an entry point before the wiper worm quickly moved to patched devices in the affected system, resulting in approximately $10 billion in damages [2].

Even when updated devices are used, if authorized users can legitimately establish access remotely, there exists a potential for threat agents to do so as well. For remote access endpoints with weak or unused security features, especially those that are exposed to the internet, attackers can easily use common attack methods to compromise the entry point and use it as a stepping stone for further attacks on the network. This is exactly what happened in a Sodinokibi ransomware attack on an IACS, where attackers used brute force to compromise the RDP endpoint and gain access to the system, ultimately resulting in loss of availability of three systems required for operation [3].
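The RDP brute-force entry point described above is visible in Windows Security logs before the attacker succeeds: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source. The following is an added example, not code from the original post or from exida; it runs over constructed sample events in an assumed key=value export format (not Microsoft's native XML) and flags any source whose RDP failures reach a threshold inside a sliding window.

```python
"""Flag possible RDP password guessing in Windows Security log events.
Added example, not from the original post: scans constructed Event ID
4625 (failed logon) records, keeps LogonType 10 (RemoteInteractive, i.e.
RDP), and reports sources exceeding a failure threshold in a time window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simple "key=value" export format
# (assumed format, not Microsoft's native event XML).
SAMPLE_EVENTS = """\
2020-04-06T02:14:01 EventID=4625 LogonType=10 Account=operator SourceIP=203.0.113.45
2020-04-06T02:14:03 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.45
2020-04-06T02:14:05 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.45
2020-04-06T02:14:06 EventID=4625 LogonType=10 Account=engineer SourceIP=203.0.113.45
2020-04-06T02:14:09 EventID=4625 LogonType=10 Account=hmi SourceIP=203.0.113.45
2020-04-06T02:14:11 EventID=4625 LogonType=10 Account=scada SourceIP=203.0.113.45
2020-04-06T02:20:00 EventID=4625 LogonType=3 Account=svc_backup SourceIP=203.0.113.45
2020-04-06T03:00:00 EventID=4625 LogonType=10 Account=operator SourceIP=192.0.2.10
2020-04-06T03:30:00 EventID=4625 LogonType=10 Account=operator SourceIP=192.0.2.10
2020-04-06T03:31:00 EventID=4624 LogonType=10 Account=operator SourceIP=192.0.2.10
"""

def parse_event(line):
    """Return (timestamp, fields dict) for one key=value log line."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts_text), fields

def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: failure_count} for sources whose RDP logon
    failures reach `threshold` within any `window`-long period."""
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, f = parse_event(line)
        if f.get("EventID") != "4625" or f.get("LogonType") != "10":
            continue  # only failed RemoteInteractive (RDP) logons count
        q = recent[f["SourceIP"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()   # drop failures older than the window
        if len(q) >= threshold:
            flagged[f["SourceIP"]] = max(flagged.get(f["SourceIP"], 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible RDP password guessing from {ip}: {n} failures in window")
```

On the sample data only 203.0.113.45 is flagged; the single network logon (type 3) and the two slow failures from 192.0.2.10 fall below the threshold, which is the kind of tuning a site would do against its own baseline of legitimate remote support sessions.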

The first step in reducing cybersecurity exposure is to identify the highest risk parts of the network. Conducting an IACS cybersecurity gap assessment considering the current network, system vulnerabilities, and personnel security provides a clearer picture of the current exposure, as well as actionable guidance for reducing this exposure and fortifying existing protection measures. With the current level of remote access for many IACS, the need for a clear understanding of cybersecurity exposure and risk has never been more pressing.


[1] Microsoft Security Response Center, "Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)," Microsoft, 2019.

[2] Andy Greenberg, "The Untold Story of NotPetya, the Most Devastating Cyberattack in History," Wired, 2018.

[3] Dragos, "Year in Review: The ICS Landscape and Threat Activity Groups," 2019.


A version of this post can also be found on the exida blog. It appears on the ISAGCA blog with adjustments made by the author.

Patrick O'Brien, exida
Patrick O'Brien, CFSP, CACS, is a safety and cybersecurity engineer at exida.
