Special thanks to Sean McBride of FireEye for his expertise and consultation on this topic.
On October 21, 2016, a notably significant internet security event occurred affecting millions of U.S. internet users via an army of hacked internet-connected devices. Normally we don’t think too much about the security of our seemingly helpful and harmless home routers, DVRs, surveillance cameras, cable set-top boxes and other systems we use every day, though there are plenty of indicators that we should attend to making them more secure.
Photo: USA Today, October 22, 2016
In this case, the Mirai botnet -- an army of infected routers, IP cameras, DVRs, CCTV and other internet-connected devices -- conducted a distributed denial of service (DDoS) attack against the Dyn Managed DNS infrastructure. Unable to handle Mirai’s barrage of traffic, Dyn could not direct Internet users to its clients’ Web platforms including Twitter, Netflix and Amazon. Dyn battled the effects of the attacks for over 11 hours.
Mirai propagates by scanning the entire Internet for poorly configured devices. It tries default passwords and installs itself when successful. With 5.5 million potentially insecure “things” added to the Internet every day, botnets with Mirai-like capabilities are the new reality. In the aftermath Dyn Stated, “This attack has opened up an important conversation about internet security and volatility. Not only has it highlighted vulnerabilities in the security of ’Internet of Things‘(IoT) devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet.”
What really merits our consideration is the increasing adoption of industrial IoT devices (IIoT) for critical infrastructure operations such as power, oil and gas, water and transportation as well as other critical sectors. Just because a pervasively connected device is labeled “smart” doesn’t infer it’s "secure."
"You have to realize that the attacks on Dyn are among the most devastating DDoS attacks ever seen," said Sean McBride, lead analyst for critical infrastructure at FireEye’s iSIGHT Intelligence division. "I don’t doubt that creative attackers can identify and target Internet-based services that support critical infrastructure, potentially achieving and/or magnifying physical, real-world consequences with these types of attacks."
Botnets Are Not New
The Department of Homeland Security (DHS) Industrial Control System – Cyber Emergency Response Team (ICS-CERT) has logged these types of attacks as part of its incident response analysis and has issued numerous reports and advisories since 2009. Further, there is real concern regarding Mirai and other botnet attacks such that ICS-CERT issued Alert (TA16-288A). Hopefully your organization stays current with this excellent organization’s work and its advisories for the benefit of security and risk awareness. One worthwhile report with forensic findings and attack source information is the ICS-CERT Incident Response Summary Report for the years 2009-2011.
We haven’t seen the end of this type of attack – botnet software has been made publicly available and requires little skill for various threat actors to begin tinkering with it. The Mirai botnet DDoS attack on Dyn was highly sophisticated and orchestrated in a specific manner to cause the greatest possible outage, but the application of this type of attack against industrial organizations could not only disrupt industrial products and services but could potentially impact public safety.
Does your industrial organization use wireless routers, cloud services in the production network, SSH or Telnet for remote administrative access or routinely allow trusted employees and contractors to attach their laptops, tablet devices or USBs into systems under maintenance? Many do – these are common use cases within industrial environments. However, as more and more pervasively connected “things” take advantage of new internet connections, processes and services, our growing dependence is not keeping pace with increasing security concerns.
For general information on DDoS attacks, there is a Security Publication by US-CERT worth downloading called the DDoS Quick Guide. Also, if you’re concerned about Mirai malware within your systems, ICS-CERT’s Alert (TA16-288A) advises mitigation and prevention actions. Industrial facilities and critical infrastructure must constantly assess the evolving threat landscape while balancing risks.
Download the SANS 2016 State of ICS Security Survey Report for current trends, new job titles, top attack vectors and key areas of concern for protecting ICS and SCADA. Please feel free to leave a comment or question related to how your organization balances risk with business priorities in your industrial and critical infrastructure.