2021 will be remembered as the year ransomware gangs turned their attention to critical infrastructure, targeting businesses built around manufacturing, energy distribution and food production.
The Colonial Pipeline ransomware attack alone resulted in the shutdown of 5,500 miles of pipeline, due to fears that the ransomware on its IT network would spread to the operational network that controls the pipeline for fuel distribution.
Operational technology (OT) networks control devices critical to the ongoing operations of production lines, power plants, and energy supplies, and as such are typically segmented from a company’s Internet-facing IT networks to better isolate the critical hardware from cyber attacks. Successful attacks against OT networks are rare, but after the Colonial ransomware attack, CISA warned of a growing threat to critical infrastructure owners.
Now, security researchers are warning about the risks posed by embedded devices that sit on these OT networks. Red Balloon Security, a security provider for embedded devices, has discovered in new research that it is possible to deploy ransomware in embedded systems that are used in real-world networks.
The company said it found vulnerabilities in the Schneider Electric Easergy P5 protection relay, a device that is critical to the operation and stability of modern power grids, tripping circuit breakers if a fault is discovered.
This vulnerability could be exploited to deploy a ransomware payload, a “sophisticated but reproducible” process that Red Balloon said it has achieved. A spokesperson for Schneider Electric told Ploonge that it “is extremely vigilant against cyber threats” and that “when we learned of vulnerabilities with the Schneider Electric Easergy P5 protection relay, we immediately worked to address them.”
Ang Cui, founder and co-CEO of Red Balloon, told Ploonge that while ransomware attacks have hit the IT networks of critical infrastructure providers, a successful compromise of an embedded OT device can be “much more damaging.”
“Companies are not used to or experienced in recovering from an attack on their embedded devices,” he said. “If the device is destroyed or becomes unrecoverable, a replacement device needs to be purchased, and this could take weeks as there is a limited supply.”
Security veteran Window Snyder, who last year launched a startup to help IoT manufacturers reliably and securely deliver software updates for their devices, said embedded devices could become an easy target, especially as other entry points become more resilient.
Speaking of embedded systems, Snyder told Ploonge: “A lot of them don’t have separation of privileges, a lot of them don’t have separation between code and data, and a lot of them were developed with the idea that they would be sitting on air-gapped networks – it’s insufficient.”
Red Balloon says its research demonstrates that the security built into these devices – many of which are several decades old – needs to be improved, and it is urging end users in the government and commercial sectors to demand higher standards from the vendors who manufacture these devices.
“Issuing firmware patches is a reactive and inefficient approach that will not solve the general insecurity of our mission-critical industries and services,” says Cui. “Vendors need to bring more security to the embedded device level.” He also believes that more work needs to be done by the US government at the regulatory level and thinks more pressure needs to be put on device manufacturers who are currently not incentivized to create more security at the device level.
Snyder, however, thinks a regulation-based approach is unlikely to help: “I think what helps the most is reducing the attack surface and increasing compartmentalization,” she says. “We will not regulate our output of more secure devices. Someone has to go out there and build resilience in them.”