Erkan Teskancan
Digital transformation, hyper-connectivity, automation, and smart machines have brought cost reductions and production efficiency. However, the interconnected nature of these devices makes them more vulnerable to cyberattacks.
─────────────────────────
Security Challenges of OT and IoT Devices
Operational Technology (OT) and Internet of Things (IoT) devices are challenging to secure due to their lack of built-in security features and 24/7 operational requirements. Even when cybersecurity solutions are in place, malicious actors can employ various techniques to remain as invisible "ghosts" on the network.
─────────────────────────
Volt Typhoon and "Living Off The Land" Tactics
In 2023, CISA issued a cybersecurity advisory about Volt Typhoon, a Chinese state-sponsored threat actor targeting critical infrastructure sectors. Volt Typhoon is notable for its ability to "live off the land" by using built-in network administration tools to carry out its attacks undetected. These techniques are difficult to detect because they resemble legitimate activities, which reduces the likelihood of investigation.
─────────────────────────
The Needle in the TCP/IP Stack: Hidden Vulnerabilities
There are many other ways for attackers to gain initial access or exploit network devices without detection. OT and IoT devices, network infrastructure, and building automation systems can be exploited by targeting vulnerable libraries and embedded technology stacks.
For example, Ripple20 and Project Memoria were two security research projects that uncovered over 100 vulnerabilities affecting more than a dozen TCP/IP stacks.
TCP/IP vulnerabilities are extremely dangerous because targeted organizations are often unaware of their existence due to the lack of a Software Bill of Materials (SBOM) for most unmanaged devices. These vulnerabilities can be used to exploit a device without defenders having a way to detect it. Even 3 years after Ripple20, CVE-2020-11899, which affects the Treck TCP/IP stack, remains one of the most well-known exploited vulnerabilities, according to data collected by Forescout Vedere Labs.
The individual Project Memoria studies show the range of impact these stack flaws can have:
- NUMBER:JACK: Can expose TCP/IP connections to attackers.
- NAME:WRECK: Can enable remote code execution (RCE).
- INFRA:HALT: Can lead to denial-of-service (DoS) attacks.
Security researchers have also demonstrated how ransomware for IoT (R4IoT) can target the TCP/IP stack of IoT devices as a first step in a ransomware attack.
Project Memoria also shows how vulnerabilities in software libraries can propagate throughout the supply chain, increasing third-party risk; 100 vulnerabilities affected over 250,000 devices. The reality of "shared responsibility" is that security teams are ultimately responsible for protecting their organizations, as security researchers have shown that even devices touted as "secure by design" are vulnerable to exploits.
─────────────────────────
Three-Dimensional Visibility: The Foundation of Defense
There are countless steps an organization can take to prevent and detect advanced and stealthy cyberattacks, and all of them begin with deep visibility. Visibility is required across multiple dimensions:
- First, discovering all devices connected to the enterprise network, their software, and security configurations.
- Then, assessing each device's posture (e.g., is it vulnerable, how exposed is it).
- Finally, monitoring network traffic for malicious or anomalous activity.
─────────────────────────
SBOM and Network Segmentation
Over the past five years, CISA has been pushing for an SBOM, which would list software components similar to an ingredient list on food packaging. However, while mandates and customer procurement processes are increasingly demanding vendors include SBOMs with their products, as of 2023, the vast majority of device manufacturers still do not include SBOMs with the products they ship, and many are still struggling to figure out how to determine a comprehensive list of libraries and components included in their software stacks.
Moreover, even if the industry reaches a point where vendors provide SBOMs, the responsibility for ensuring their devices are not vulnerable still lies with security teams.
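Even when a vendor does ship an SBOM, the security team still has to read it against advisory data to learn whether a device is exposed. The following is an added example (not from the original post or from any vendor) of that check: it parses a constructed CycloneDX-style SBOM for a hypothetical PLC firmware and flags components below a known fixed version. CVE-2020-11899 is the Treck CVE named above; the fixed-version boundaries in the advisory table are assumed values for illustration, not authoritative data.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical PLC firmware image;
# the product name and component versions are made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "treck", "version": "6.0.1.41"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
        {"type": "library", "name": "nichestack"},  # version never recorded
    ],
})

# Constructed advisory table: library -> (first fixed version, label).
# CVE-2020-11899 is the Treck CVE the article names; the fixed-version
# boundaries are assumed values for this example, not authoritative data.
ADVISORIES = {
    "treck": ("6.0.1.66", "CVE-2020-11899 (Ripple20)"),
    "nichestack": ("4.4", "INFRA:HALT (Project Memoria)"),
}


def parse_version(text):
    """Turn '6.0.1.41' into (6, 0, 1, 41) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_vulnerable_components(sbom_json):
    """Return SBOM components below a known fixed version.

    A listed library with no recorded version is also returned, flagged for
    manual review: an unknown version must never silently pass as safe.
    """
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "").lower()
        if name not in ADVISORIES:
            continue
        fixed_in, label = ADVISORIES[name]
        version = comp.get("version")
        if version is None:
            status = "unknown-version"
        elif parse_version(version) < parse_version(fixed_in):
            status = "vulnerable"
        else:
            continue  # at or above the fixed version
        findings.append({"name": name, "version": version,
                         "advisory": label, "status": status})
    return findings
```

Calling `find_vulnerable_components(SAMPLE_SBOM)` reports the outdated Treck stack as vulnerable and the unversioned NicheStack entry as needing review, while zlib is not flagged.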
Network segmentation is arguably the most effective approach to mitigate the risk of vulnerable devices, especially for OT, IoT, and unmanaged devices more generally. In many cases, patching these devices is impossible or at least not immediately feasible; perhaps they rely on outdated operating systems or must operate 24/7 for the next few months to meet production targets. Network segmentation limits the exposure of vulnerable and insecure devices and restricts the ability for lateral movement in the event of successful attacks.
─────────────────────────
Conclusion: Responsibility and Priorities
Vulnerabilities and exposure are practically inevitable, whether due to insecurity by design or organizations' inability to configure devices securely. Advanced threat actors are aware of this reality, which makes it very easy for them to stealthily gain access to a network and move laterally. Consequently, security teams must take on the responsibility of making risks and threats visible on their networks and implementing security measures that respect organizational priorities (i.e., no downtime) and device limitations.