2021 will be remembered as the year ransomware Gangs turned their attention to critical infrastructure, targeting businesses built around manufacturing, power distribution, and food production.
The Colonial Pipeline ransomware alone resulted in the shutdown of 5,500 miles of pipeline over fears that the ransomware attack on its IT network would spread to the operational network that controls the fuel distribution pipeline.
Operational technology (OT) networks control the devices critical to the ongoing operation of production lines, power plants, and energy supplies, and as such are typically segmented from an organization’s internet-connected IT networks to better protect critical hardware from cyberattacks isolate. Successful attacks on OT networks are rare, but in the wake of the Colonial ransomware attack, CISA warned of a growing threat for critical infrastructure owners.
Now security researchers are warning about the risks posed by embedded devices on these OT networks. Red Balloon Security, a security provider for embedded devices, found that to be the case in a new study possible to deploy ransomware on embedded systems used in real networks.
The company said it found vulnerabilities in Schneider Electric’s Easergy P5 protection relay, a device that is key to the operation and stability of modern power grids by tripping circuit breakers when a fault is detected.
This vulnerability could be exploited to deliver a ransomware payload, a “sophisticated but reproducible” process Red Balloon says it has achieved. A Schneider Electric spokesperson told TechCrunch, “It is extremely vigilant against cyber threats” and “when we learned of the vulnerabilities of Schneider Electric’s Easergy P5 protection relay, we immediately worked to fix them.”
Ang Cui, founder and co-CEO of Red Balloon, told TechCrunch that while ransomware attacks have hit IT networks of critical infrastructure providers, a successful compromise of an OT embedded device can be “far more damaging.”
“Enterprises are not used or experienced in recovering from an attack on the embedded devices themselves,” he said. “If the device is destroyed or rendered irretrievable, a replacement device must be obtained and this can take weeks as supplies are limited.”
Security veteran Window Snyder, who last year launched a startup to help IoT manufacturers deliver software updates reliably and securely on their devices, said embedded devices could become an easy target, especially as other entry points become more resilient.
Speaking of embedded systems, “many of them have no separation of privileges, many of them have no separation between code and data, and many of them were designed with the idea that they would sit in air-gap networks — it’s insufficient.” , Snyder told TechCrunch.
Red Balloon says its research shows that the security built into these devices – many are several decades old – needs to be improved and urges end-users in government and commercial sectors to demand higher standards from the vendors who make these devices.
“Firmware fix issuance is a reactive, inefficient approach that fails to address the common uncertainty of our most mission-critical industries and services,” says Cui. “Vendors need to bring more security to the embedded device level.” He also believes the US government needs to do more work at the regulatory level and believes there needs to be more pressure on device manufacturers who currently have no incentive to build in more device-level security.
However, Snyder believes that a regulation-driven approach is unlikely to help: “I think what helps the most is reducing the attack surface and increasing compartmentalization,” she says. “We will not regulate our way out of safer devices. Someone has to go out there and give them resilience.”
