One of the commonly targeted pathways into an Industrial Automation and Control System (IACS) is through compromised remote access such as Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP). During the Stay at Home Orders and other self-quarantining measures around the globe to combat the COVID-19 pandemic, many automation engineers for industrial facilities have increased their use of remote connections to provide support for their sites from home. Remote access has allowed for essential support to maintain the operations for critical facilities, but also results in increased cybersecurity exposure for IACS.
Last year, Microsoft released an advisory for known vulnerabilities in Remote Desktop Services that, when exploited, allow attackers to gain remote control over RDP of legacy Microsoft systems such as Windows 7, Windows Server 2008/2008 R2, and older systems like Windows Server 2003 and Windows XP.[1] Because many industrial control networks contain a mixture of legacy and updated systems for operator and engineering workstations, as well as other network devices, these vulnerabilities can pose a significant risk. If targeted malware is executed on one of these outdated devices, it can go on to affect other devices on the compromised network, including more recent, patched ones. This has already happened with the NotPetya attack, where vulnerable devices were used as an entry point before the wiper worm quickly moved on to patched devices in the affected system, resulting in approximately $10 billion in damages.[2]
Even when updated devices are used, if authorized users can legitimately establish access remotely, threat agents may be able to do so as well. For remote access endpoints with weak or unused security features, especially those exposed to the internet, attackers can use common attack methods to compromise the entry point and use it as a stepping stone for further attacks on the network. This is exactly what happened in a Sodinokibi ransomware attack on an IACS, where attackers used brute force to compromise the RDP endpoint and gain access to the system, ultimately resulting in the loss of availability of three systems required for operation.
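As an added example (not part of the original article), the following detector flags the RDP brute-force pattern described above: a burst of failed logons from one source, followed by a success. It runs over constructed Windows-style logon events; the log lines, field layout, threshold and window are assumptions for illustration.

```python
# Added example (not from the original article): flag RDP brute-force attempts
# by counting failed logons per source address in a sliding window. Input is a
# constructed, simplified rendering of Windows Security events 4625 (failed
# logon) and 4624 (success) with LogonType 10 (RemoteInteractive, i.e. RDP).
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window for counting failures
THRESHOLD = 5                   # failures per source inside WINDOW (assumed)
SAMPLE_LOG = """
2020-04-02T08:00:01 4625 LogonType=10 Account=admin Source=203.0.113.7
2020-04-02T08:00:03 4625 LogonType=10 Account=administrator Source=203.0.113.7
2020-04-02T08:00:05 4625 LogonType=10 Account=operator Source=203.0.113.7
2020-04-02T08:00:06 4625 LogonType=10 Account=jsmith Source=198.51.100.4
2020-04-02T08:00:07 4625 LogonType=10 Account=engineer Source=203.0.113.7
2020-04-02T08:00:09 4625 LogonType=10 Account=support Source=203.0.113.7
2020-04-02T08:00:11 4625 LogonType=10 Account=operator Source=203.0.113.7
2020-04-02T08:00:20 4624 LogonType=10 Account=jsmith Source=198.51.100.4
2020-04-02T08:01:30 4624 LogonType=10 Account=operator Source=203.0.113.7
""".strip().splitlines()   # constructed sample lines, not real telemetry

def parse_line(line):
    # Constructed layout: <ISO time> <event id> LogonType=N Account=X Source=IP
    ts, event_id, logon_type, account, source = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type.split("=", 1)[1]),
        "account": account.split("=", 1)[1],
        "source": source.split("=", 1)[1],
    }

def detect_rdp_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return (alerts, successes): alerts maps a source IP to the time it hit
    `threshold` failed RDP logons inside `window`; successes lists
    (source, account, time) for 4624 events from an already-flagged source."""
    failures = defaultdict(deque)
    alerts, successes = {}, []
    for ev in map(parse_line, lines):
        if ev["logon_type"] != 10:       # only RemoteInteractive (RDP) logons
            continue
        src = ev["source"]
        if ev["event_id"] == 4625:
            q = failures[src]
            q.append(ev["time"])
            while ev["time"] - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = ev["time"]
        elif ev["event_id"] == 4624 and src in alerts:
            successes.append((src, ev["account"], ev["time"]))
    return alerts, successes
```

A single mistyped password (198.51.100.4 above) stays below the threshold, while the source that crosses it and then logs in successfully is reported with the account it used, which is the case to escalate.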
The first step in reducing cybersecurity exposure is to identify the highest-risk parts of the network. Conducting an IACS cybersecurity gap assessment that considers the current network, system vulnerabilities, and personnel security provides a clearer picture of the current exposure, along with actionable guidance for reducing this exposure and fortifying existing protection measures.
To learn more about why gap assessments are so important for industrial control systems and how these assessments can be done in the most effective manner, tune in to our upcoming webinar series:
- Why is it important to conduct an Industrial Cybersecurity Gap Assessment?
- How to conduct an Effective Industrial Cybersecurity Gap Assessment?
1. Prevent a worm by updating Remote Desktop Services (CVE-2019-0708), Microsoft Security Response Center, Microsoft, 2019.
2. Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired, 2018.
3. Year in Review: The ICS Landscape and Threat Activity Groups, Dragos, 2019.