Chronology of attacks on industrial enterprises. Countermeasures
Everyone has heard about ransomware: malware that infiltrates a company's network and encrypts its files. The attackers then offer to sell the decryption key.
Both state institutions and commercial companies fall victim to such attacks. For example, NJVC, a military IT contractor that develops specialized cybersecurity software, was recently hit. In that case, though, the extortionists probably suffered a retaliatory attack themselves, since they withdrew their claim very quickly.
However, government agencies and IT companies are not the main target.
According to the IBM X-Force Threat Intelligence 2022 report, the most attractive target is an industrial enterprise: there, every hour of downtime is a direct loss, which lets extortionists demand a large ransom.
To attack industrial systems, attackers can exploit weaknesses in specialized communication protocols and devices. For example, in 2021 a vulnerability was exploited in Modbus, the protocol used for communication between PLCs (programmable logic controllers) and SCADA systems in industrial networks. Modbus/TCP itself carries no authentication, so any host that can reach a controller can send it commands. Its default port is TCP 502, so malware activity can be tracked by the volume of Internet-wide scanning for that open port.
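As an added example that is not part of the original article, the following Go program shows both sides of that observation: a detector that flags sources sweeping TCP/502 across many hosts in a connection log, and a decoder for the Modbus/TCP header that makes visible why the protocol attracts attackers, since a write command carries no credential at all. The log lines, addresses and the sample frame are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Constructed connection-log excerpt (Zeek conn.log-style fields, space separated:
// ts src_ip dst_ip dst_port proto conn_state). Not real traffic.
const sampleConnLog = `1700000000 198.51.100.7 10.0.1.10 502 tcp S0
1700000001 198.51.100.7 10.0.1.11 502 tcp S0
1700000002 198.51.100.7 10.0.1.12 502 tcp SF
1700000003 198.51.100.7 10.0.1.13 502 tcp S0
1700000004 198.51.100.7 10.0.1.14 502 tcp REJ
1700000005 198.51.100.7 10.0.1.15 502 tcp S0
1700000006 10.0.1.5 10.0.1.12 502 tcp SF
1700000007 10.0.1.5 10.0.1.12 502 tcp SF
1700000008 203.0.113.9 10.0.1.20 443 tcp SF`

// FindModbusSweeps returns, per source that contacted at least minTargets distinct
// hosts on the given TCP port, how many hosts it touched. An HMI polling one PLC
// (10.0.1.5 above) stays below the threshold; a sweep of the PLC subnet does not.
func FindModbusSweeps(connLog, port string, minTargets int) map[string]int {
	targets := map[string]map[string]bool{}
	for _, line := range strings.Split(connLog, "\n") {
		f := strings.Fields(line)
		if len(f) != 6 || f[4] != "tcp" || f[3] != port {
			continue
		}
		if targets[f[1]] == nil {
			targets[f[1]] = map[string]bool{}
		}
		targets[f[1]][f[2]] = true
	}
	sweeps := map[string]int{}
	for src, dsts := range targets {
		if len(dsts) >= minTargets {
			sweeps[src] = len(dsts)
		}
	}
	return sweeps
}

// ModbusRequest is the decoded MBAP header and PDU of one Modbus/TCP frame.
type ModbusRequest struct {
	TransactionID uint16
	UnitID        byte
	FunctionCode  byte
	IsWrite       bool // a state-changing function code
	Data          []byte
}

// WriteFunctions are the function codes that change process state. Nothing in the
// frame authenticates the sender: any host that reaches port 502 may send them.
var WriteFunctions = map[byte]string{
	5: "Write Single Coil", 6: "Write Single Register",
	15: "Write Multiple Coils", 16: "Write Multiple Registers",
}

// DecodeModbusTCP parses the 7-byte MBAP header (transaction id, protocol id,
// length, unit id) and the PDU (function code, data) of one frame.
func DecodeModbusTCP(adu []byte) (ModbusRequest, error) {
	if len(adu) < 8 {
		return ModbusRequest{}, errors.New("frame too short for MBAP header and function code")
	}
	if binary.BigEndian.Uint16(adu[2:4]) != 0 {
		return ModbusRequest{}, errors.New("protocol id is not Modbus (0)")
	}
	if int(binary.BigEndian.Uint16(adu[4:6])) != len(adu)-6 {
		return ModbusRequest{}, errors.New("MBAP length field does not match frame")
	}
	_, isWrite := WriteFunctions[adu[7]]
	return ModbusRequest{
		TransactionID: binary.BigEndian.Uint16(adu[0:2]),
		UnitID:        adu[6],
		FunctionCode:  adu[7],
		IsWrite:       isWrite,
		Data:          adu[8:],
	}, nil
}

func main() {
	for src, n := range FindModbusSweeps(sampleConnLog, "502", 5) {
		fmt.Printf("possible Modbus sweep from %s: %d distinct hosts on tcp/502\n", src, n)
	}
	// Constructed frame: Write Single Coil, unit 1, coil 0x0001, value ON (0xFF00).
	frame := []byte{0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x01, 0x05, 0x00, 0x01, 0xFF, 0x00}
	req, err := DecodeModbusTCP(frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unit %d: function %d (%s), write=%v, data=%x\n",
		req.UnitID, req.FunctionCode, WriteFunctions[req.FunctionCode], req.IsWrite, req.Data)
}
```

The threshold of five distinct hosts is an assumption for the sample data; in a real plant it should be tuned to the number of controllers a legitimate HMI or historian actually polls, and the write-function flag is what turns a "port 502 connection" alert into an "unauthenticated write attempt" one.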
However, exploiting ports exposed to the Internet is a relatively rare case. Most often, an attack on an industrial plant begins with a simple infection of office computers. Here are some of the biggest attacks on industrial production in recent years:
To protect against such attacks, a set of measures to strengthen the enterprise's information security is recommended.
1. Protection of physical devices
Some ransomware variants target physical devices directly: routers, smart TVs, refrigerators and other Internet of Things (IoT) devices. Their protection starts at the manufacturing stage.
We have already discussed how PKI fits into the production pipeline of IoT devices. In short, the PKIaaS scheme (PKI, including a device registration authority, delivered as a service) may look like this:
- The production CA signs endpoint keys. A factory server generates a unique public/private key pair for each endpoint and submits certificate signing requests (CSRs) in batches. The signed endpoint certificates come back from the CA and are distributed down the production lines.
- The firmware-signing CA issues the firmware signing certificate. Its key is kept in a secure cloud, and access to it is rare and restricted to authorized persons.
- The code-verification CA issues certificates for individual devices that potentially interact with millions of endpoints. A unique key pair is generated for each such device, its public key is sent to the CA for signing, and the resulting certificates are distributed dynamically to endpoints so they can verify signed critical commands (for example, over the manufacturer's proprietary network interfaces).
Throughout the life cycle of devices, the IoT Identity platform supports a range of operations, including certificate and key management, token issuance, and secure code signing.
In theory, any device with embedded electronics is potentially vulnerable to backdoor injection, including at the design or production stage. The threat applies not only to IoT but, in principle, to any modern technology. Cryptographic signing of firmware and code guarantees the integrity and authenticity of the software, that is, that what runs on the device is exactly what the manufacturer released, provided the signing key is protected and the device refuses unsigned or incorrectly signed images. It does not, by itself, prove that the released code is free of backdoors.
As for ransomware specifically, alongside a reliable backup system it is desirable to block the main channels through which malware spreads. According to Egress's estimate, about 90% of such malware is distributed by email phishing. Verizon's 2021 Data Breach Investigations Report indicates that phishing was used in 36% of successful breaches. The Threat Intelligence 2022 report cited above says that phishing's share as an attack vector grew from 33% to 41% over the past year.
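As an added example that is not part of the original article or of any vendor's product, here is the signing and verification step of such a pipeline in Go, using only the standard library: a hypothetical vendor root that every device pins, a code-signing certificate issued from it (standing in for the firmware-signing CA above), and the device-side check that refuses an image whose signature is wrong or whose signer does not chain to the pinned root. Certificate names and the firmware image are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedFirmware is what the pipeline ships: the image, an ASN.1 ECDSA signature over
// SHA-256(image) and the signing certificate. The root is never shipped; devices pin it.
type SignedFirmware struct {
	Image, Sig, CertDER []byte
}

// issue creates a certificate from tmpl signed by signer (self-signed when parent == nil).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildFirmwareCA models the firmware-signing CA of the text: a hypothetical vendor root
// (pinned in devices) and a code-signing leaf whose key would sit in the restricted cloud.
func BuildFirmwareCA() (root, leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	root, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Vendor Firmware Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	if leafKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Vendor Firmware Signing"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, &leafKey.PublicKey, rootKey)
	return root, leaf, leafKey, err
}

// SignFirmware is the build-side step with the firmware-signing private key.
func SignFirmware(image []byte, leaf *x509.Certificate, key *ecdsa.PrivateKey) (SignedFirmware, error) {
	digest := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedFirmware{Image: image, Sig: sig, CertDER: leaf.Raw}, err
}

// VerifyFirmware is the device-side (bootloader) check: the shipped certificate must chain
// to the pinned root with the code-signing usage, and the signature must cover the image.
func VerifyFirmware(fw SignedFirmware, pinnedRoot *x509.Certificate) error {
	cert, err := x509.ParseCertificate(fw.CertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("signing certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected signing key type %T", cert.PublicKey)
	}
	if digest := sha256.Sum256(fw.Image); !ecdsa.VerifyASN1(pub, digest[:], fw.Sig) {
		return fmt.Errorf("firmware signature does not match image")
	}
	return nil
}

func main() {
	root, leaf, key, _ := BuildFirmwareCA()
	fw, _ := SignFirmware([]byte("example firmware image v1.0"), leaf, key) // constructed image
	fmt.Println("genuine image: ", VerifyFirmware(fw, root))
	tampered := SignedFirmware{Image: append([]byte("X"), fw.Image[1:]...), Sig: fw.Sig, CertDER: fw.CertDER}
	fmt.Println("tampered image:", VerifyFirmware(tampered, root))
	_, rogueLeaf, rogueKey, _ := BuildFirmwareCA() // same shape, but not the pinned root
	rogue, _ := SignFirmware(fw.Image, rogueLeaf, rogueKey)
	fmt.Println("rogue signer:  ", VerifyFirmware(rogue, root))
}
```

Two details matter for a real bootloader: the chain check is restricted to the code-signing extended key usage, so a TLS or email certificate from the same vendor CA cannot sign firmware, and the device never trusts a root that arrives with the image; only the one baked in at manufacturing counts.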
2. Phishing protection
As the simplest and most effective protection against phishing, digital certificates for email are recommended. The S/MIME standard is supported by all popular email clients. For example, such a system can automatically install and configure certificates for Outlook on Windows.
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for encrypting and signing email with public-key cryptography. With such certificates, the message cannot be manipulated undetected at any stage:
- The public key for verifying the signature is carried in the certificate that accompanies the message, so the mail client does not need to rely on a DNS record (as it would for DKIM, whose keys are published in DNS).
- The sender's organization in the certificate is verified by a certificate authority.
- The RFC 822 name (email address) in the certificate exactly matches the From field, so the sender's identity is guaranteed at the level of the individual mailbox, not just the domain.
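The mailbox-level check from the last point, as an added example (Go, standard library only; not code from the article or from any S/MIME product): a throwaway self-signed certificate stands in for one a CA would issue, and the address in the From header is compared against the certificate's RFC 822 name. Verifying the CMS signature over the body, which the mail client also does, is outside this snippet; the headers below are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/mail"
	"strings"
	"time"
)

// SenderCert builds a throwaway self-signed certificate whose Subject Alternative
// Name carries the RFC 822 address, the way a CA-issued S/MIME certificate does.
// Assumption: in production the CA, not the sender, issues this after verifying
// the mailbox and the organization. Names are placeholders.
func SenderCert(email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "Alice Example", Organization: []string{"Example Corp"}},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sameMailbox compares two addresses: the domain is case-insensitive, the local
// part is compared exactly (RFC 5321 leaves its case to the receiving server).
func sameMailbox(a, b string) bool {
	ia, ib := strings.LastIndex(a, "@"), strings.LastIndex(b, "@")
	if ia < 0 || ib < 0 {
		return false
	}
	return a[:ia] == b[:ib] && strings.EqualFold(a[ia+1:], b[ib+1:])
}

// FromMatchesCert is the client-side identity check: the mailbox in the From
// header must be one of the certificate's RFC 822 names. The display name is
// ignored entirely, so "alice@example.com" <attacker@evil.example> does not pass,
// however convincing it looks in a mail client.
func FromMatchesCert(fromHeader string, cert *x509.Certificate) (bool, error) {
	addr, err := mail.ParseAddress(fromHeader)
	if err != nil {
		return false, fmt.Errorf("malformed From header: %w", err)
	}
	for _, e := range cert.EmailAddresses {
		if sameMailbox(e, addr.Address) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	cert, err := SenderCert("alice@example.com")
	if err != nil {
		panic(err)
	}
	for _, from := range []string{ // constructed headers
		`Alice Example <alice@example.com>`,
		`Alice Example <alice@EXAMPLE.com>`,
		`"alice@example.com" <attacker@evil.example>`,
		`Alice Example <alice@example.com.evil.example>`,
	} {
		ok, err := FromMatchesCert(from, cert)
		fmt.Printf("%-50s match=%v err=%v\n", from, ok, err)
	}
}
```

The point of parsing the header with net/mail rather than searching it for a substring is the third case: a display name that merely contains the trusted address is exactly the trick phishing relies on, and it fails here because only the angle-bracket mailbox is compared.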
Once the certificates are installed, outgoing messages from a standard client are signed automatically. The installation procedure is simple and requires practically no involvement of technical support staff, either at rollout or afterwards.
“The IT departments of companies are already very busy, and PKI is usually not among their main tasks,” writes Lila Kee, Chief Product Officer at GlobalSign. “Unsurprisingly, various problems arise when implementing an in-house PKI solution. Besides the high level of complexity, specific knowledge is required here.”
Automated PKI management tools can be a cost-effective option once you count the IT department's time savings and the savings on hardware, software, maintenance and support.
These PKI management recommendations also apply to manufacturing companies, which are considered prime targets for ransomware delivered by phishing.
Since strong cryptography in the form of managed PKI and S/MIME certificates is used to protect against ransomware, it looks as if “good” cryptography protects against “bad” cryptography. In fact, these are the same public-key (asymmetric) cryptosystems. Cryptography, like mathematics, cannot be “good” or “bad”; it is just another example of a double-edged weapon used on both sides of the barricades.