IIoT Software Vulnerabilities Fuel Critical Infrastructure Attacks—Again
In August 2021, Forescout Research Labs and JFrog Security Research identified 14 vulnerabilities affecting the NicheStack TCP/IP stack, which the organizations dubbed INFRA:HALT.
TCP/IP stacks enable vendors to implement basic network communications for IP-connected systems, including IT, operational technology (OT) and Industrial Internet of Things (IoT) devices.
Indeed, NicheStack is present in myriad OT devices that are commonly used in several critical infrastructure sectors, such as manufacturing plants, water treatment, power generation and more.
The new vulnerabilities enable remote code execution, denial of service, information leak, TCP spoofing, or DNS cache poisoning.
Critical Infrastructure Attacks Reveal ICS Weak Spots
The vulnerabilities discovered illuminate the risk to critical infrastructure systems should they be compromised by malicious actors. These systems are aging and vulnerable, said experts.
“It is … an unfortunate example of the huge vulnerability of an aging infrastructure that has been connected, directly or indirectly, to the Internet,” said Curtis Simpson, CISO at Armis in a recent article on increasing attacks on critical infrastructure.
Forrester Research’s Brian Kim said that critical infrastructure organizations need to focus on identifying vulnerable OT devices within their estate, then focus on building a zero-trust strategy, using least privilege and network segmentation to prevent malicious actors from gaining access to critical systems.
“One of the best ways we can reduce the impact of a breach is a zero-trust strategy by limiting the communications of these ICS [industrial control systems],” Kime said.. “We can create an allow list that only allows communications with control systems that run a process–allowing least privilege for network connections … is a best practice. And ideally, we should have a barrier between IT and OT and segment each facility to have its own network.
JFrog and Forescout research teams will present a webinar on August 19 to provide additional information about how these vulnerabilities were identified and how they can be mitigated.
Critical Infrastructure Attacks on the Rise
Last year, there were some 65,000 ransomware attacks, according to the Recorded Future, a Boston-based cybersecurity firm.
Cyberattacks on critical infrastructure present certain benefits from the attackers’ perspective, even if the objective of attackers is not a payout.
First, malicious attackers can gain access to these vulnerable devices with ease, as OT devices may be older and lack the security protocols of newer technologies. Second, once critical operations are affected, it can grind operations to a halt. Affected organizations have great incentive to pay ransomware demands just r resume operations.
“The nature of these vulnerabilities could lead to heightened risk and expose national critical infrastructure at a time when the industry is seeing an increase in OT attacks against global utilities, oil and gas pipeline operators as well as healthcare and the supply chain,” wrote Forescout Research Labs in an announcement regarding the vulnerabilities.
Third, access to OT devices can always provide entrée to other systems within organizations.
“Once accessed, the stack becomes a vulnerable entry point to spread infectious malware across IT networks,” the researchers continued.
Kime noted that attacks like the recent one on Colonial Pipeline revealed that critical infrastructure systems are interconnected, creating the opportunity for ripple effects within these systems, then across the chain to IT systems as well.
“An event like Colonial Pipeline has revealed that these are more systems of systems rather than independent, isolated sectors that operate within their own little world,” Kime said.
Ultimately, Kime noted, critical infrastructure operators need to shift their perspective to enable more thoroughgoing protection of the critical infrastructure they manage.
“There should be a strong focus among critical infrastructure on not just security but resilience,” he said.