As the globe continues to wobble through the reverberations of COVID-19, observers say that the impact on critical infrastructure is likely to worsen.
Critical infrastructure – which includes government institutions, utilities, transportation and more – is now more vulnerable than ever given an exponential increase in attacks on the IoT technology that powers it.
Such technology has become a “soft target,” for malicious actors. That’s because Internet of Things (IoT) technology may be legacy technology, with inadequate updating and patching, and because the financial incentives to breach its security have grown.
Attacks on IoT Technology Garner Big Payouts
As a result, ransomware attacks on IoT have become more prevalent, with larger payouts possible for malicious actors.
Consider the February 2021 attack on the Oldsmar water plant in Florida; an attempt was made to manipulate the pH in the city’s water to dangerously high acidic levels by increasing sodium hydroxide (lye) by 100 times.
In May 2021, the Colonial pipeline was attacked for a ransom. A password leaked onto the dark web enabled malicious actors to access a virtual private network, then gain access to and take down the largest fuel pipeline in the U.S. Colonial paid the malicious attackers — an affiliate of a Russia-linked cybercrime group known as DarkSide — a $4.4 million ransom shortly after the attack.
Insiders say that the critical infrastructure environment is rife for breaches.
“The OT and ICS [incident command system] space is, honestly, the largest single attack vector with the greatest potential for impact,” said Curtis Simpson, CISO at Armis, in a podcast on critical infrastructure attacks . “OT and ICS are powering some of the most critical infrastructure in the world; it’s critical operations,” Simpson said.
One bright spot on the ransomware front is that the U.S. Department of Justice in April 2021 created a ransomware task force, after declaring 2020 the “worst year ever” for extortion-related cyberattacks.
And accordingly, in June, the Justice Department said it had seized the majority of the nearly $4.4 million in bitcoin ransom paid to DarkSide for the Colonial Pipeline takedown.
Pandemic Times Expand Definition of Critical Infrastructure
According to the OECD, the pandemic has unveiled a broader set of infrastructure vulnerabilities beyond transportation and fuel, for example.
“Notably, the crisis has brought renewed focus on social or ‘soft’ infrastructure, which is sometimes overshadowed by hard infrastructure like energy and transportation in the context of resilience,” the OECD note indicated. “These infrastructures that maintain the economic, health, education, cultural and social standards of a population are critical elements of modern societies.”
Simpson echoed this notion. He said that even a business such as Sysco Foods, where he worked previously, is in some ways critical infrastructure. Sysco is the largest food distributor in the world, and that business, Simpson said, is run entirely on IoT, OT and ICS.
Tips to Protect IoT Environments from Malicious Attacks on IoT Devices
Another bright spot lies in better security practices to protect IoT breaches. Here are some important practices to safeguard connected devices.
- Identify connected devices in your environment. Simpson noted that the most important step is to identify all connected devices in your estate. “When we don’t have visibility we can’t build an effective strategy,” he said. “It’s got to start there.”
- Change default passwords. Passwords should be changed from vendor-issued defaults, and IoT pros should deploy two-factor authentication.
- Update and patch regularly. Operational technology in general gets a bad rap for being outdated and poorly patched. Stay apprised of new vulnerabilities that are discovered, and that you keep device security up-to-date with the latest patches.
- Isolate IoT networks. IoT devices should reside on their own, siloed networks to prevent lateral movement of malicious actors from these devices to IT networks. It’s also important to restrict access from external networks by allowing communication only with relevant IP addresses and ASNs, blocking unnecessary ports from external access.
- Employ zero-trust methodology. Ultimately, enterprises need to architect their environments with zero-trust principles: That requires IT pros to eliminate implicit-trust policies for IoT devices and tightly control access to sensitive data using dynamic identity-based authentication – also known as zero trust.
