Security and industry experts have long advocated for increased protection of critical infrastructure – including transportation systems, energy and utilities providers, and financial services. The implications of an attack on our nation’s systems are far-reaching – from disrupting delivery of key services to impacting public safety.
Just recently, researchers presented an analysis of Triton, malware used in the third-ever recorded cyber attack against industrial equipment. Findings indicate that the malware was able to enter the plant via an exploit in “security procedures that allowed access to some of its stations as well as its safety control network.” Additionally, recent erroneous alerts regarding missile strikes caused panic in Hawaii and Japan – each alleged to be the result of human error. These incidents shine an important light on the cyber security procedures used to safeguard these critical systems from external attackers and from insiders, whether their actions are intentional or not.
From an attacker’s perspective, whether they have already compromised the network or are targeting a specific mission-critical objective, their TTPs (tactics, techniques and procedures) will include gaining access to privileged accounts to achieve their ultimate goal.
Historically, we’ve seen situations where the software and systems used to run critical infrastructure were compromised through shared privileged accounts and default passwords that haven’t been changed. These hardcoded passwords are static and can be guessed or brute-forced by attackers. Once attackers gain access to privileged accounts, they can gain full control of the system.
In past attacks on similar systems, the attackers used this access to emergency communications for ‘prank attacks,’ such as the case in Montana in 2013 where a zombie outbreak was broadcast to residents. In light of the severity and panic-inducing nature of the recent erroneous emergency reports, these former ‘prank attacks’ take on a more ominous character, demonstrating the destructive potential of such false alerts.
These examples also provide insight into how malicious attackers could compromise sensitive systems and infrastructure, as well as the steps needed to protect them from outside attacks. This starts with identifying where privileged accounts exist, implementing stronger management of the credentials that provide access to and control over such critical infrastructure, and ensuring ongoing management and visibility into those accounts.