The emergence of attacks on Internet of Things (IoT) and Operational Technology (OT) systems has become a game changer for businesses. Today it is unreasonable not to have a cyber defense strategy for the IoT fleet and OT operations within the extended enterprise.
OT machines use specific networks. They form the basis of the operating technologies of industrial systems. Until now, they have been protected by their isolation, or even by the obscurity of their proprietary operating systems. But little by little, we are witnessing the opening up of these industrial environments with the arrival of off-the-shelf consumer hardware and software. This democratization of software and hardware opens the “door” to cyber threats in the industrial world. At the same time, the industrial sector is being linked to the corporate information system. This network convergence also contributes to increasing the attack surface of the OT domain.
Added to this is the arrival of the Internet of Things within businesses. It is undeniable that there are security weaknesses in the Internet of Things. Typically, design flaws are used by cybercriminals as entry points.
IoT & OT over the cloud
According to Microsoft’s annual Digital Defense Report, today’s solutions are part of a pattern that mostly includes cloud services. Having become everyday life for most companies, especially since the beginning of the pandemic, the Cloud-IoT-OT marriage is at the heart of business, operations, and therefore the security of the professional world. Attention is also warranted because of the escalation of attacks it has suffered in the past two years, attacks that demonstrate the need to strengthen the cybersecurity strategy for connected objects.
From danger to attack
To support these facts, the report mentions, among other things, the cyber attack on the “Colonial Pipeline” that shut down the main US fuel pipeline. Also, with a potentially significant impact on people’s health, the “Digital Defense Report” discusses the hacking of a water treatment plant in Oldsmar, Florida. The goal of this attack was to modify the sodium hydroxide content of the water. The SCADA program was hacked twice in order to inject 11,100 ppm instead of 100 ppm of NaOH into the water, a concentration dangerous to humans. Another example is the takeover of security cameras that gave access to hospitals, police stations, etc.
6 steps to get in
Microsoft cybersecurity analysts have come up with a six-step attack pattern, described in the diagram below. The first step is reconnaissance. Whether through social engineering, social networks, or otherwise, the attacker collects information about employees and the kind of equipment they work with. Once the target is identified, the attacker attempts to compromise it through IoT or OT devices (when directly reachable), which are often less protected than a phone or laptop. Another possibility for the attacker is to contact the target through traditional channels (email, SMS, instant messaging, etc.). The attacker then only has to launch an attack by exploiting a flaw in the IoT or OT device, targeting the employee’s home network and taking advantage of the current context that favors remote work. The next step is to pivot from IoT to OT if this has not already been done (lateral movement), and thus gain access to the rest of the home network, and then to the corporate network once it is reachable, either from a remote session or when the employee returns to the company headquarters.

Attribution is always difficult
The growing prevalence of this type of attack is also attested by the latest figures, starting with the “command and control” servers used by cyber attackers to remotely control compromised systems. The following chart gives an indication of the geographical distribution of these threat hosts. Remember, however, that you can be hosting such a server without even knowing it…

Mirai and Gafgyt prevail
Among the many malware families, two really stood out as the source of many attacks. Mirai and Gafgyt, as well as their variants, have been by far the majority over the past year.

One point to note is that IoT malware mostly targets mobile/embedded platforms with MIPS/ARM processors.
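A practical consequence for defenders is that samples harvested from IoT honeypots or quarantined devices can be triaged by CPU architecture before any deeper analysis. The following added example (not code from the report or from any vendor) reads the ELF header of a file and flags the MIPS/ARM builds the report singles out; the e_machine constants come from the ELF specification, and the sample headers are constructed inline, not real malware.

```python
import struct
from typing import Optional

# e_machine values from the ELF specification for the architectures
# the report singles out (MIPS/ARM), plus two desktop ones for contrast.
E_MACHINE = {
    0x03: "x86",
    0x08: "MIPS",
    0x28: "ARM",
    0x3E: "x86-64",
    0xB7: "AArch64",
}

def elf_arch(blob: bytes) -> Optional[dict]:
    """Return bit width, endianness and machine of an ELF header, or None if not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = blob[4], blob[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"         # e_machine is read in the file's own byte order
    _e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:x})"),
    }

def is_embedded_target(info: Optional[dict]) -> bool:
    """True for the embedded architectures IoT malware is typically compiled for."""
    return info is not None and info["machine"] in ("MIPS", "ARM", "AArch64")

def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Build the first 20 bytes of an ELF header (constructed test data only)."""
    endian = "<" if ei_data == 1 else ">"
    return (b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
            + struct.pack(endian + "HH", 2, e_machine))

# Constructed sample files: big-endian MIPS, little-endian ARM, x86-64, and a non-ELF file.
SAMPLES = {
    "mips_be.bin": make_header(1, 2, 0x08),
    "arm_le.bin": make_header(1, 1, 0x28),
    "x86_64.bin": make_header(2, 1, 0x3E),
    "notes.txt": b"just text",
}

def triage(samples: dict) -> dict:
    """Map each sample name to (header info, embedded-target flag)."""
    return {name: (elf_arch(b), is_embedded_target(elf_arch(b))) for name, b in samples.items()}
```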
