SEPTEMBER 23, 2022

8 ways cyber attackers access industrial enterprise environments


Think your OT (Operational Technology) and IT (Information Technology) environments are cyber safe?

Here are eight unexpected real-world examples of potential cyber disasters that might change your mind.

    1. A promiscuous security cam
    2. The camouflaged port scanner
    3. The rogue light switch
    4. Networks hidden in plain sight
    5. The fitness device that called rogue nations
    6. The “pi” on the power board
    7. The positively false negative
    8. The case of the leaking telemetry


1. A promiscuous security cam

In a mixed IT/OT environment in a medium-sized textile manufacturing business, the InsightCyber Platform found a connected camera in a sensitive location that no one in the organization had been aware of.

The network was complex, with a great deal of routing across myriad devices. The camera was open to the Internet and configured to enable remote management. The platform determined that dozens of suspicious hosts around the world were connecting to it, and that it had an unencrypted web server open on it. Security leadership in the company were surprised.

Since the camera was behind a firewall and seemingly operating in a ‘normal’ way, other security solutions had missed the issue. InsightCyber’s AI-driven platform spotted the camera because it was actually operating outside of expected device behavior within its specific environment. It was being accessed from IP (Internet Protocol) addresses known to be suspicious.

The platform delivered a customized playbook of remediation options, including closing the firewall openings (which the customer immediately did) and investigating why they were open in the first place.


2. The camouflaged port scanner

In a highly secure environment inside a European power generation facility, the InsightCyber Platform found a port scanner that wasn’t what it seemed. Port scanners are commonly used by administrators to verify network security policies, and that’s how they were intended to be used in this organization. Their regular asset inventory solution reported that all were working fine.

In this case, the platform found something unusual with one specific port scanner: three very subtle but distinctive behaviors that indicated anomalous activity, including operations to evade detection. An alert was immediately sent to notify the customer of a potentially infected device performing reconnaissance activity. An InsightCyber playbook was sent with guidance on how to investigate. As the platform had originally identified, the port scanner was unexpectedly running on a standard workstation that was never intended to be used for such activity.

This example illustrates how in even the most secure environments, it’s not enough to protect the perimeter. You also need excellent “East-West” monitoring and inspection of traffic moving inside your network.


3. The rogue light switch

While scanning an environment, the InsightCyber Platform found a common device doing very uncommon things.

At first glance, it looked like a basic connected light switch, the type you find at a big box store. The customer had installed it to control the lights, so they were understandably surprised to learn that the device was actively looking for network file shares to connect to. Was it sophisticated malware compromising the device? Could it have been a design goal of the firmware (ostensibly to provide added functionality)? It wasn’t initially clear. The larger issue was that the customer didn’t know the behavior existed at all, and they did not want the switch manufacturer—or anyone else—to gain unauthorized information about their environment.

Other solutions were missing the device because it was not working outside of its behavioral baseline. But like a rogue employee, it was violating its ‘job description.’ InsightCyber’s AI-driven platform noticed the activity and flagged it as inappropriate, recommending that the customer isolate the device in a VLAN and/or block its outbound access, or simply replace it with another product.


4. Networks hidden in plain sight

An industrial controls vendor had recently suffered a ransomware attack, and asked InsightCyber to help find how the attackers had gotten in.

Within minutes of the InsightCyber Asset creating a real-time, unique asset inventory, two subnets that the vendor hadn’t known about were found. One was within an HVAC controller environment, and the other was associated with an electric vehicle charging station in front of the building. Both were routed directly into the main operational network.

The vendor’s security team had been unaware of these violations of the basic security tenet that networks and functionality should be carefully segregated. The company’s existing solutions were oriented to finding vulnerabilities and malware, offering an inadequate view of the subtleties of their network configuration. The team was shocked to get the true picture.

While it was impossible to determine whether this misconfiguration was how the ransomware attackers had breached the organization’s defenses, it was a possibility. With insights from the InsightCyber Platform, the vendor made immediate changes that closed off an insecure attack vector.


5. The fitness device that called rogue nations

One of our customers decided to have a little fun and see what the InsightCyber Platform would find in their home network. Can you imagine how surprised they were to discover that a family member’s fitness tracker wearable was connecting to the home network and reaching out to multiple IP addresses across the Internet?

This finding might not have been noteworthy to other solutions, but it was flagged as suspicious for two reasons. First, a fitness device should not be performing such behavior; second, it was contacting IP addresses on InsightCyber’s watchlist, which includes global locations known to be sources of cyberattacks against the US.

The validation that even a simple consumer item could be an attack vector is valuable information for any security administrator. It is unknown how or why this device gained this functionality. Since it has been identified, InsightCyber applied it to the learning utilized by our artificial intelligence for all customers. In the future, if an attacker finds a way to use this device to breach an otherwise secure perimeter, the InsightCyber Platform will recognize and flag the behavior immediately for remediation.
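The common thread in examples 1, 3 and 5 (and the unknown device in example 6) is the same check: compare what a device actually connects to against what a device of its kind should connect to, and separately match the far end of each connection against a watchlist. The following is an added example of that logic, not InsightCyber's code; the device inventory, role profiles, site range, watchlist and flow records are all constructed for illustration, using documentation IP ranges.

```python
"""Behavioral-baseline check over constructed flow records (added example).

Each flow is (src_ip, dst_ip, dst_port). A finding is raised when:
  - an external source on the watchlist reaches an internal device (example 1),
  - an internal device talks to an internal peer on a port outside its role
    profile, such as a light switch probing file shares (example 3),
  - an internal device reaches the Internet when its role should not, or
    reaches a watchlisted external address (example 5),
  - an internal source is not in the inventory at all (example 6).
"""
import ipaddress

# Assumption: the site's internal range is 10.0.0.0/16 (constructed).
SITE_NETWORK = ipaddress.ip_network("10.0.0.0/16")

# Assumption: hand-written expectations per device role. A real platform
# would learn these baselines from observed traffic rather than hard-code them.
ROLE_PROFILE = {
    "camera":          {"may_reach_internet": False, "allowed_dst_ports": {554}},
    "light-switch":    {"may_reach_internet": False, "allowed_dst_ports": set()},
    "fitness-tracker": {"may_reach_internet": True,  "allowed_dst_ports": {443}},
    "workstation":     {"may_reach_internet": True,  "allowed_dst_ports": {80, 443, 445}},
}

# Constructed inventory: internal IP -> role.
INVENTORY = {
    "10.0.1.20": "camera",
    "10.0.1.31": "light-switch",
    "10.0.2.15": "fitness-tracker",
    "10.0.2.40": "workstation",
}

# Constructed watchlist of external addresses (RFC 5737 documentation space).
WATCHLIST = {"203.0.113.9", "198.51.100.77"}

# Constructed flow records.
FLOWS = [
    ("203.0.113.9", "10.0.1.20", 80),      # watchlisted host reaching the camera's web server
    ("10.0.1.31", "10.0.2.40", 445),       # light switch looking for SMB file shares
    ("10.0.1.31", "10.0.2.41", 445),
    ("10.0.2.15", "198.51.100.77", 443),   # fitness tracker contacting a watchlisted address
    ("10.0.2.15", "192.0.2.10", 443),      # fitness tracker syncing to its vendor cloud: in profile
    ("10.0.2.40", "192.0.2.10", 443),      # workstation browsing: in profile
    ("10.0.3.7", "10.0.2.40", 22),         # source not in the inventory
]


def is_internal(ip):
    """True when the address falls inside the constructed site range."""
    return ipaddress.ip_address(ip) in SITE_NETWORK


def check_flows(flows, inventory=INVENTORY, profile=ROLE_PROFILE, watchlist=WATCHLIST):
    """Return a list of (rule, src, dst, dst_port) findings for the given flows."""
    findings = []
    for src, dst, dport in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)

        # Inbound from a watchlisted external host to anything internal.
        if not src_in and dst_in and src in watchlist:
            findings.append(("watchlist-inbound", src, dst, dport))

        if not src_in:
            continue  # remaining rules concern internal sources only

        role = inventory.get(src)
        if role is None:
            findings.append(("unknown-device", src, dst, dport))
            continue

        expected = profile[role]
        if not dst_in:
            if not expected["may_reach_internet"]:
                findings.append(("unexpected-egress", src, dst, dport))
            elif dst in watchlist:
                findings.append(("watchlist-egress", src, dst, dport))
        elif dport not in expected["allowed_dst_ports"]:
            findings.append(("unexpected-lateral", src, dst, dport))
    return findings


if __name__ == "__main__":
    for finding in check_flows(FLOWS):
        print("%-18s %-15s -> %s:%d" % finding)
```

The workstation's web browsing produces no finding, which is the point of a role-based baseline: the same destination and port that are normal for one device class are an alert for another. Unknown internal sources are reported before any profile check, because a device with no inventory entry has no baseline to be measured against.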


6. The “pi” on the power board

Deep within the protected perimeter of a major telecom provider, we were surprised to discover a “Raspberry Pi”, a credit-card-sized, single-board computer designed to perform a wide variety of computing functions. It is far from what you expect to find within world-class, locked-down critical infrastructure.

The InsightCyber Platform found the device busily exchanging packets with a large power panel in the environment, deep within one corner of the network that was not visible to network-wide scanning solutions.

Was this a malicious attempt to cause damage? Not this time. It was found that the device had been intentionally placed by an engineer, who wanted external access to manage the facility remotely. The problem was that the telecom provider had no way of seeing whether anyone else was using it. The InsightCyber Platform could, by looking at the outside IP addresses connecting to it.

In the end, the business chose to keep the Raspberry Pi in place. And InsightCyber is ready to keep an eye on it, just to keep it honest.


7. The positively false negative

A cybersecurity lead in a mixed IT/OT manufacturing company was unimpressed when our service had flagged potentially anomalous network traffic. The InsightCyber Platform traced the activity to a computer running a mail server, which was attempting to contact other machines in the network using non-existent machine names.

Over the next three weeks, our platform alerted the lead that it was a potential vector for a ransomware attack. The cybersecurity lead’s position — which was understandable — was that the company’s existing cybersecurity solutions had not found malware on the machine, and the mail server was not operating outside of expected parameters. InsightCyber saw this as a potential “false negative”: the situation in which an organization’s security system fails to recognize malware (traditionally, it is only recognized after an attack has succeeded) and continues to tell the customer that everything is fine.

Ultimately, the cybersecurity lead was convinced by InsightCyber’s findings and recommendation to rebuild the computer. A few days later, the exact moment the computer returned to service was pinpointed by the InsightCyber platform, because the detected anomalous behavior had stopped.

Along the way, our platform noticed some unauthorized Bitcoin miners in the same environment, but that’s a story for another day.
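The symptom in this example, a server repeatedly trying to reach machines whose names do not exist, shows up at the resolver as a burst of NXDOMAIN answers for one client. The following is an added example of detecting that pattern, not InsightCyber's code; the log lines use a constructed tab-separated format (epoch seconds, client IP, queried name, response code) and made-up hosts under `example.internal`.

```python
"""Detect hosts that repeatedly resolve non-existent names (added example).

Constructed log format, one line per DNS answer:
    <epoch_seconds>\t<client_ip>\t<qname>\t<rcode>
A client is flagged when, inside any sliding window of `window_seconds`,
it receives at least `min_failures` NXDOMAIN answers spanning at least
`min_distinct_names` different names. The distinct-name requirement keeps a
single mistyped hostname retried many times from tripping the rule.
"""
from collections import defaultdict

# Constructed log: 10.0.5.12 is the mail server; 10.0.5.40 is a workstation
# whose single NXDOMAIN is a typo corrected on the next query.
DNS_LOG = """\
1663900000\t10.0.5.12\tmail.example.internal\tNOERROR
1663900005\t10.0.5.12\tfs01.example.internal\tNXDOMAIN
1663900009\t10.0.5.12\tfs02.example.internal\tNXDOMAIN
1663900014\t10.0.5.12\tbackup.example.internal\tNXDOMAIN
1663900020\t10.0.5.12\tnas.example.internal\tNXDOMAIN
1663900027\t10.0.5.12\tdc02.example.internal\tNXDOMAIN
1663900031\t10.0.5.12\tfileserver.example.internal\tNXDOMAIN
1663900033\t10.0.5.40\twww.example.com\tNOERROR
1663900040\t10.0.5.40\tintranet.exmaple.internal\tNXDOMAIN
1663900045\t10.0.5.40\tintranet.example.internal\tNOERROR
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.rstrip("\n").split("\t")
    return int(ts), client, qname.lower(), rcode


def find_probing_hosts(log_text, window_seconds=300, min_failures=5, min_distinct_names=3):
    """Return {client_ip: sorted list of all names it failed to resolve}
    for every client that meets the burst threshold."""
    failures = defaultdict(list)  # client -> [(ts, qname), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            failures[client].append((ts, qname))

    flagged = {}
    for client, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            window = events[start:end + 1]
            distinct = {name for _, name in window}
            if len(window) >= min_failures and len(distinct) >= min_distinct_names:
                flagged[client] = sorted({name for _, name in events})
                break
    return flagged


if __name__ == "__main__":
    for client, names in find_probing_hosts(DNS_LOG).items():
        print(client, "failed to resolve:", ", ".join(names))
```

The list of failed names is what makes the alert actionable: a mail server asking for file servers, a backup host and a second domain controller that do not exist is a very different conversation with the cybersecurity lead than a bare "anomalous traffic" flag. Thresholds are deliberately parameters, because the right window and count depend on how chatty the environment's legitimate lookups are.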


8. The case of the leaking telemetry

“That’s just not possible.”

Security administrators at a major telecommunications provider were seemingly offended when the InsightCyber Platform detected that one of their industrial-grade air conditioning systems was connected to the network and was sending telemetry to outside destinations.

They explained that when their service provider — a trusted vendor selling well-known devices — had recently installed a controller, the vendor had offered to include a network connection. The vendor’s pitch: “This will let us monitor the system to help save you money.” The telecommunications provider’s reply: “No way on this earth will anyone ever get access to this kind of operational information, thank you very much.”

Because their existing solutions reported that nothing was operating outside of the rules, the telecommunications provider was certain that no connections had been enabled. But they agreed to let InsightCyber check it out. Sure enough, a small door on the front of the AC system was found, inside of which was a circuit board with a network cable plugged in, blinking away.

Who can say how that system ended up being connected in a way the customer never intended? Was it a mistake on the vendor’s part? An unauthorized move they thought would never be discovered? An early step in a sophisticated attack? Once the provider knew that important telemetry was no longer leaking (thanks to InsightCyber), they set out to find the answers.