By Katherine Brocklehurst
On October 21, 2016, a notably significant Internet security event occurred affecting millions of U.S. Internet users via an army of hacked Internet-connected devices.
Normally we don’t think too much about the security of our seemingly helpful and harmless home routers, DVRs, surveillance cameras, cable set-top boxes and other systems we use every day, though there are plenty of indicators we should attend to making them more secure.
In this case, the Mirai botnet — an army of infected routers, IP cameras, DVRs, CCTV and other Internet-connected devices — conducted a distributed denial of service (DDoS) attack against the Dyn Managed DNS infrastructure.
Unable to handle Mirai’s barrage of traffic, Dyn could not direct Internet users to its clients’ Web platforms including Twitter, Netflix and Amazon. Dyn battled the effects of the attacks for over 11 hours.
Mirai propagates by scanning the entire Internet for poorly configured devices. It tries default passwords and installs itself when successful. With 5.5 million potentially insecure “things” added to the Internet every day, botnets with Mirai-like capabilities are the new reality. In the aftermath Dyn said, “This attack has opened up an important conversation about Internet security and volatility. Not only has it highlighted vulnerabilities in the security of ’Internet of Things’ (IoT) devices that need to be addressed, but it has also sparked further dialogue in the Internet infrastructure community about the future of the internet.”
IIoT Brings Risk
What really merits our consideration is the increasing adoption of Industrial Internet of Things (IIoT) devices for critical infrastructure operations such as power, oil and gas, water and transportation as well as other critical sectors. Just because a pervasively connected device is labeled “smart” doesn’t infer it’s “secure.”
“You have to realize that the attacks on Dyn are among the most devastating DDoS attacks ever seen,” said Sean McBride, lead analyst for critical infrastructure at FireEye’s iSIGHT Intelligence division. “I don’t doubt that creative attackers can identify and target Internet-based services that support critical infrastructure, potentially achieving and/or magnifying physical, real-world consequences with these types of attacks.”
Botnets’ Long Legacy
The Department of Homeland Security (DHS) Industrial Control System – Cyber Emergency Response Team (ICS-CERT) logged these types of attacks as part of its incident response analysis and has issued numerous reports and advisories since 2009.
Further, there is real concern regarding Mirai and other botnet attacks such that ICS-CERT issued Alert (TA16-288A).
Hopefully your organization stays current with ICS-CERT’s work and its advisories for the benefit of security and risk awareness.
We haven’t seen the end of this type of attack – botnet software has been made publicly available and requires little skill for various threat actors to begin tinkering with it. The Mirai botnet DDoS attack on Dyn was highly sophisticated and orchestrated in a specific manner to cause the greatest possible outage, but the application of this type of attack against industrial organizations could not only disrupt industrial products and services but could potentially impact public safety.
Information, Mitigation, Prevention
Does your industrial organization use wireless routers, cloud services in the production network, SSH or Telnet for remote administrative access or routinely allow trusted employees and contractors to attach their laptops, tablet devices or USBs into systems under maintenance? Many do – these are common use cases within industrial environments. However, as more and more pervasively connected “things” take advantage of new Internet connections, processes and services, our growing dependence is not keeping pace with increasing security concerns.
Katherine Brocklehurst is with Belden’s Industrial IT group. Her area of responsibility covers industrial networking equipment and cyber security products across four product lines and multiple market segments. She has 20 years of experience in network security, most recently with Tripwire. Click here to view Katherine’s full blog.