User-Managed Passwords are a Massive Threat to Public Infrastructure
With this year’s World Password Day upon us, it’s high time to take a good look at the critical infrastructure sector and the password-related security vulnerabilities that are in dire need of updating. While modern utility systems become increasingly digitally connected, cyber criminals and the threat landscape are growing in sophistication.
While the Biden administration recently expressed plans to bolster the cybersecurity of critical utilities around the U.S. against potentially devastating takedowns, traditional password-based authentication remains a huge threat that the public-private complex must address to better protect the control systems upon which society depends.
Modernizing industrial systems and critical infrastructure—water, gas, electricity, communication, etc.—has been crucial to improving quality of life, reducing waste and costs, streamlining operations, and increasing productivity. But it is also exposing us to completely new types of threats from cybercriminals and state-backed actors. In addition to stealing data and spying, malicious actors now have ways to do real damage in the physical world and inflict pain on whole populations.
One of the most recent eye-openers to such threats was February’s thwarted attempt to disrupt the level of sodium hydroxide in the water supplies in a small Florida city, threatening the health of its 15,000 citizens. The attempt was not carried out by armed attackers trying to break into the water purification facilities—it was the work of hackers accessing the online systems through the internet. The incident drew the attention of politicians to the security of critical infrastructure.
This should be treated as a matter of national security.
— Marco Rubio (@marcorubio) February 8, 2021
The Florida incident is just one of several examples of industrial control systems getting hacked. Perhaps the best-known example is the power blackout in Ukraine, allegedly instigated by Russian hackers. Another attack on the water systems of Israel, this time attributed to Iran-backed hackers, was foiled in June last year.
In some cases, industrial control systems become the beachhead for other types of attacks. This was the case of mega-retailer Target, which was breached in 2013 through a security hole in its HVAC system. Attackers used the foothold to gain access to the company’s network and devices and eventually steal the credit card information of more than 40 million customers.
What’s for sure is that our critical infrastructure is becoming increasingly vulnerable to security threats, and mitigating these threats should be a top priority for any organization handling industrial control systems. But where to start?
Blockbuster movies and dystopian narratives often portray hackers as using very sophisticated methods and ferret out zero-day vulnerabilities to compromise industrial control systems. But the reality is that, like most other people, hackers are a lazy bunch. They go for the low-hanging fruit and prefer to try the simple methods first. And to their credit, their tactic pays off. In fact, many security incidents happen not because the attackers are very sophisticated but because the victims are very negligent.
According to a 2018 assessment by FireEye, most of the top-20 security attacks against industrial control systems were either triggered or facilitated by credential theft. This could be a disgruntled insider “shoulder-surfing” other employees and stealing their passwords to later abuse their administrative privileges, a phishing attack that tricks an employee to reveal his password to remote hackers, or even simpler, a weak password that can be guessed or cracked through brute force attacks.
Case in point: The Ukrainian power outage incident, which left 200,000 people without electricity in the freezing winter, started when attackers stole remote IT passwords through a phishing attack. In another incident, the attackers used social engineering techniques to gain access to the local WiFi network of a target plant and used their access to compromise ICS systems and cause plant shutdowns. And in the Target incident, the attackers stole the network credentials of the HVAC provider’s network to eventually gain access to credit card information.
When you examine these and other similar cases, there are several recurring patterns. First, every attack is unique in its own kind. Every industrial control system has its own unique combination of device types, software, network structure, and other physical and digital elements. This makes it hard for hackers to develop a systematic way to attack them. But the one thing that is present in all ICS networks is username and passwords. Whether it’s a remote desktop service, a network management tool, a WiFi hotspot, or a mobile device management system, attackers will find one gateway that is controlled through username and password authentication. From there, they will find their victims, lousy users who are not careful enough to protect their passwords, and target them with phishing attacks. If they’re lucky enough, the IT team was even lousier and used one of several very weak passwords such as “12345” or “passw0rd” to protect a network apparel or administrator account. Once the hackers gain their foothold in the network, the rest will not be very difficult because they will be interacting with the ICS devices as any inside user would.
This brings us to our important conclusion. If you want to secure your internet-connected industrial control systems, you should start by addressing the most vulnerable components: the username and passwords. As long as you’re basing the security of your critical infrastructure on operators typing in usernames and passwords, it will only be a matter of time before a malicious actor gains access to your ICS network. That is why we’re calling it a ticking timebomb ready to burst.
Fortunately, the passwordless authentication sector has come a long way in the past few years, and whether your operators are using Windows and Linux terminals, SSH gateways, or mobile applications, they should be able to access your networks without the need to remember and type passwords. An enterprise-grade solution such as Secret Double Octopus will help you replace your passwords with passwordless authentication without much hassle. Secret Double Octopus supports a wide variety of operating systems and standards, which makes it easy for organizations to replace their current authentication solutions without going through a lengthy and costly transition.
The first step to defuse the ICS timebomb is to get rid of passwords. And it’s never too soon to get started.