One of the commonly targeted pathways into an industrial automation and control system (IACS) is compromised remote access, such as virtual private networks (VPNs) and remote desktop protocol (RDP). During the stay-at-home orders and other self-quarantining measures adopted around the globe to combat the COVID-19 pandemic, many automation engineers for industrial facilities have increased their use of remote connections to support their sites from home. Remote access has enabled the support essential to keep critical facilities operating, but it also increases the cybersecurity exposure of the IACS.
Last year, Microsoft released an advisory for known vulnerabilities in remote desktop services that, when exploited, allow attackers to gain remote control over RDP of legacy Microsoft systems such as Windows 7, Windows Server 2008/2008 R2, and older systems like Windows Server 2003 and Windows XP.[1] Because many industrial control networks contain a mixture of legacy and updated systems for operator and engineering workstations, as well as other network devices, these vulnerabilities can pose a significant risk. If targeted malware is executed on one of these outdated devices, it has the potential to affect other devices on the compromised network, including more recent ones. This has already happened with the NotPetya attack, where vulnerable devices were used as an entry point before the wiper worm quickly moved on to patched devices in the affected systems, resulting in approximately $10 billion in damages.[2]
Even when updated devices are used, if authorized users can legitimately establish access remotely, threat agents potentially can as well. For remote access endpoints with weak or unused security features, especially those exposed to the internet, attackers can easily use common attack methods to compromise the entry point and use it as a stepping stone for further attacks on the network. This is exactly what happened in a Sodinokibi ransomware attack on an IACS, where attackers used brute force to compromise the RDP endpoint and gain access to the system, ultimately resulting in the loss of availability of three systems required for operation.[3]
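As an added illustration of the detection side of the RDP brute-force scenario above (example code written for this page, not from the original post or the cited reports): a small Python sliding-window check over constructed Windows Security event records (Event ID 4625 failed logon, 4624 successful logon, logon type 10 for RDP) that flags a source address with repeated failed RDP logons and any later success from that same address. The event records and IP addresses are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security log fields:
# (timestamp, EventID, LogonType, source IP, target account).
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = [
    ("2020-04-01T02:00:01", 4625, 10, "198.51.100.23", "administrator"),
    ("2020-04-01T02:00:03", 4625, 10, "198.51.100.23", "admin"),
    ("2020-04-01T02:00:05", 4625, 10, "198.51.100.23", "operator"),
    ("2020-04-01T02:00:07", 4625, 10, "198.51.100.23", "root"),
    ("2020-04-01T02:00:09", 4625, 10, "198.51.100.23", "engineer"),
    ("2020-04-01T02:00:11", 4625, 10, "198.51.100.23", "hmi"),
    ("2020-04-01T02:00:14", 4624, 10, "198.51.100.23", "engineer"),
    ("2020-04-01T02:10:00", 4625, 10, "203.0.113.8", "jsmith"),   # one typo
    ("2020-04-01T02:10:30", 4624, 10, "203.0.113.8", "jsmith"),   # then success
    ("2020-04-01T02:20:00", 4625, 2, "-", "svc"),                  # console, ignored
]


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for source IPs with >= threshold failed RDP logons inside
    `window`, plus an alert for any later successful RDP logon from that IP."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    flagged = set()                # sources already reported as brute-forcing
    alerts = []
    for ts, event_id, logon_type, src_ip, user in sorted(events):
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        t = datetime.fromisoformat(ts)
        recent = failures[src_ip]
        while recent and t - recent[0] > window:  # slide the window forward
            recent.popleft()
        if event_id == 4625:
            recent.append(t)
            if len(recent) >= threshold and src_ip not in flagged:
                flagged.add(src_ip)
                alerts.append(("brute_force", src_ip, len(recent), ts))
        elif event_id == 4624 and src_ip in flagged:
            # A success right after a burst of failures is the high-priority case.
            alerts.append(("success_after_brute_force", src_ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_EVENTS):
        print(alert)
```

The single failed attempt from 203.0.113.8 stays below the threshold, so only the 198.51.100.23 burst and its subsequent success are reported.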
The first step in reducing cybersecurity exposure is to identify the highest-risk parts of the network. Conducting an IACS cybersecurity gap assessment that considers the current network, system vulnerabilities, and personnel security provides a clearer picture of the current exposure, as well as actionable guidance for reducing that exposure and fortifying existing protection measures. With the current level of remote access to many IACS, the need for a clear understanding of cybersecurity exposure and risk has never been more pressing.
[1] Microsoft Security Response Center, Prevent a worm by updating Remote Desktop Services (CVE-2019-0708), Microsoft, 2019.
[2] Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired, 2018.
[3] Dragos, Year in Review: The ICS Landscape and Threat Activity Groups, 2019.
A version of this post can also be found on the exida blog. It appears on the ISAGCA blog with adjustments made by the author.