{"id":48964,"date":"2022-10-21T16:00:00","date_gmt":"2022-10-21T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=124083"},"modified":"2022-10-21T16:00:00","modified_gmt":"2022-10-21T16:00:00","slug":"securing-iot-devices-against-attacks-that-target-critical-infrastructure","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/securing-iot-devices-against-attacks-that-target-critical-infrastructure\/","title":{"rendered":"Securing IoT devices against attacks that target critical infrastructure"},"content":{"rendered":"

South Staffordshire PLC, a company that supplies water to over one million customers in the United Kingdom, notified<\/a> its customers in August of being a target of a criminal cyberattack. This incident highlights the sophisticated threats that critical industries face today.  According to South Staffordshire, the breach did not appear to have caused damage to the systems and it did not impact their ability to supply safe water to their customers.<\/p>\n

The attack brings to light the risk of threat actors gaining access to industrial control system (ICS) environments. According to reports<\/a>, a group associated with the Cl0p ransomware claimed responsibility for the attack, which followed a familiar extortion model<\/a> wherein attackers extort the target for exfiltrated data without encrypting the organization\u2019s files. After the attack, confidential documents, along with screenshots of the supervisory control and data acquisition (SCADA) system used by water treatment plants were leaked.<\/p>\n

As details of the attack and the vector used to access South Staffordshire PLC\u2019s networks are limited, the Microsoft Defender for IoT research team did further research on techniques used by threat actors in similar attacks. Microsoft researchers have previously observed activity relating to internet-exposed IoT devices<\/a> across different industries, which may be used as a potential foothold into OT networks. Threat actors gain access by deploying malware on information technology (IT) devices and then crossing the boundary to the operational technology (OT) part of the network to target high-value operational assets, or by compromising unmanaged, usually less secure IoT and OT devices.<\/p>\n

IoT devices in critical infrastructure networks<\/h2>\n

IoT devices offer significant value to organizations and extend beyond environmental monitoring sensors to common office equipment and network devices. However, IoT devices in critical infrastructure networks, if not properly secured, increase the risk of unauthorized access to operational assets and networks. Improper configurations such as default credentials and unpatched vulnerabilities are often abused by threat actors to gain network or device access. Once access is established, attackers could identify other assets on the same network, perform reconnaissance, and plan large-scale attacks on sensitive equipment and devices.<\/p>\n

In monitoring threats against critical infrastructure and utilities, Microsoft researchers investigated water utility providers in the United Kingdom with exposed IoT devices within their networks. Using open-source intelligence (OSINT) and Microsoft Defender Threat Intelligence data, the team searched for exposed IoT devices integrated into the networks of water utility providers and found that such facilities were using Draytek Vigor routers, which are intended for home use.<\/p>\n

\"Map
Figure 1. Global mapping of internet-exposed Draytek Vigor devices<\/figcaption><\/figure>\n

With difficult-to-patch devices such as printers, cameras, routers, and gateway devices overlooked as potential footholds into networks, they are often left exposed. In analyzing Microsoft threat intelligence, Microsoft researchers observed threat actors abusing a known remote code execution vulnerability in Draytek Vigor devices (CVE-2020-8515<\/a>) to deploy the Mirai botnet. Once attackers establish device access, remote code execution vulnerabilities such as CVE-2020-8515 can then allow attackers to run malicious commands on devices, move laterally within the network, and access other vulnerable devices which were not directly exposed to the internet such as SCADA systems. <\/p>\n

In water treatment applications, SCADA systems allow water plants to monitor levels of specific chemicals and toxins and to collect records of the systems. While the attack against South Staffordshire PLC does not appear to have included the abuse of these devices, the release of files pertaining to OT systems constitutes a high-risk to operations and highlights the importance of network segmentation to protect devices and networks from lateral movement.<\/p>\n

Defending critical networks<\/h2>\n

Attacks on utility providers\u2019 OT networks and devices are high-risk events that can range from data theft to the manipulation of devices controlling the operations. Such events can lead to the interruption of operations, or in severe cases, potential harm to individuals and customers (For example, when hackers gained access to the water system of one Florida city<\/a> as reported in February 2021).<\/p>\n

Given the severity of these attacks and their potential impact on the utility providers\u2019 operations and even the safety of their customers, it becomes crucial to recognize the importance of proper security practices around IoT & OT unmanaged devices to ensure that such attacks do not happen. Defenses set up for OT networks must be comprehensive, able to prevent unauthorized system access and should include detections for abnormal, unfamiliar, and malicious behaviors after a breach.<\/p>\n

It is important to protect assets and have strict security protocols in place for how and when devices and data can be accessed. We recommend the following defense strategies for organizations with both IoT and OT devices within their networks:  <\/p>\n