2021 will be remembered as the year that ransomware gangs turned their attention to critical infrastructure, targeting companies built around manufacturing, energy distribution and food production.
The Colonial Pipeline ransomware attack alone resulted in the shutdown of a 5,500-mile pipeline, for fear that a ransomware infection on the company’s IT network would spread to the operational network that controls fuel delivery through the pipeline.
Operational technology (OT) networks control equipment critical to the continued operation of production lines, power plants and energy supplies, and as such are segmented from a company’s Internet-facing IT network to better isolate critical hardware from cyberattacks. Successful attacks against OT networks are rare, but in the wake of the Colonial ransomware attack, CISA warned of a growing danger for owners of critical infrastructure.
Now security researchers are warning of the risks posed by embedded devices sitting on those OT networks. Red Balloon Security, a security provider for embedded devices, found in new research that it is possible to deploy ransomware on embedded systems used in real-world networks.
The company said it found vulnerabilities in the Schneider Electric Easy P5 protection relay, a device critical to the operation and stability of the modern electric grid, which triggers a circuit breaker when a fault is detected.
This vulnerability could be exploited to deploy ransomware payloads, a “sophisticated but reproducible” process that Red Balloon has achieved. “It is extremely alert to cyber threats,” a Schneider Electric spokesperson told Meczyki.Net, and “on learning of vulnerabilities with the Schneider Electric Easy P5 protection relay, we acted quickly to resolve them.”
Red Balloon founder and co-CEO Ang Cui told Meczyki.Net that while ransomware attacks have hit critical infrastructure providers’ IT networks, a successful compromise of OT embedded devices could be “more damaging.”
“Companies have no habit or experience in recovering from attacks on embedded devices,” he said. “If a device is destroyed or made unattended, a replacement device needs to be sourced, and this can take weeks due to limited supplies.”
Security veteran Window Snyder, who last year launched a startup to help IoT makers reliably and securely distribute software updates to their devices, said embedded devices could become an easy target, especially as other points of entry become better defended.
Speaking about embedded systems, Snyder told Meczyki.Net: “Many of them don’t have separation of privilege on them, a lot of them don’t have separation between code and data, and a lot of them were developed with the idea that they will stay on air-gapped networks – that’s insufficient.”
Red Balloon says its research shows that the security built into these devices – some of it several decades old – needs improvement, and it is calling on end users in the government and commercial sectors to hold the vendors who make those devices to higher standards.
“Issuing firmware fixes is a reactive, inefficient approach that will not address the overall vulnerability of our most mission-critical industries and services,” Cui says. “Vendors need to bring more security at the embedded device level.” He also believes that more work needs to be done at the regulation level by the US government, and thinks there is a need to put more pressure on device makers, who currently are not encouraged to build more protection in at the device level.
Snyder, however, thinks a regulation-led approach is unlikely to help: “I think the thing that helps most is reducing the attack surface and increasing compartmentalization,” she says. “We’re not going to regulate our way out of more secure devices. Somebody has to go out there and build resilience into them.”