Ransomware gangs moved their attention to essential infrastructure in 2021, attacking organizations in the manufacturing, electricity distribution, and food production industries. The Colonial Pipeline ransomware attack alone shut down 5,500 miles of pipeline, due to concerns that the attack on the company’s IT network might extend to the operational network that controls the pipeline’s gasoline distribution.
Operational technology (OT) networks manage the devices that keep production lines, power plants, and energy sources running, and they are usually separated from a company’s internet-facing IT networks to protect vital infrastructure from hackers. Successful assaults on OT networks are uncommon, but CISA warned of increasing concern for critical infrastructure owners in the aftermath of the Colonial ransomware outbreak.
Now, security experts are warning about the dangers posed by embedded devices connected to OT networks. In new research, Red Balloon Security, a security supplier for embedded devices, found that ransomware could be deployed on embedded systems in real-world networks. According to the company, the Schneider Electric Easergy P5 protection relay, a component critical to the operation and stability of modern electric grids because it triggers circuit breakers whenever a fault is detected, was found to have vulnerabilities.
This flaw may be used to deliver a ransomware payload, according to Red Balloon, which described the technique as “complex yet repeatable.” Schneider Electric informed TechCrunch that “it is extremely watchful of cyber threats” and that “we acted immediately to remedy the vulnerabilities with the Schneider Electric Easergy P5 protection relay.” While ransomware attacks have targeted the IT networks of critical infrastructure providers, successful penetration of an OT embedded device can be “much more destructive,” according to Ang Cui, founder and co-CEO of Red Balloon.
“Companies aren’t used to or familiar with recovering from attacks on embedded devices,” he explained. “If the device is destroyed or rendered unrecoverable, a replacement must be obtained, which can take weeks due to a limited supply.” Window Snyder, a security expert who last year founded a company to help IoT manufacturers consistently and securely distribute software upgrades to their devices, believes embedded devices will become an easier target as other avenues of entry are hardened.
“A lot of them don’t have separation of privilege on them,” Snyder told TechCrunch. “A lot of them don’t have a separation between code and data, and a lot of them were designed with the notion that they’d be sitting on air-gapped networks — it’s insufficient.” Red Balloon claims that its research shows that the security built into these devices, many of which are decades old, needs to be updated, and it is urging end users in the government and business sectors to demand higher standards from device manufacturers.
“Issuing firmware fixes is a reactive, wasteful approach that will fail to address the overall insecurity of our most mission-critical sectors and services,” Cui argues. “Vendors must bring additional security down to the level of embedded devices.” He also feels that the US government should do more on a regulatory level and that greater pressure should be applied to device manufacturers, who are not currently incentivized to build better security in at the device level. Snyder, on the other hand, believes that a regulatory-led strategy is unlikely to help: “I believe that decreasing the attack surface and boosting compartmentalization are the two things that help the most,” she explains. “We’re not going to regulate our way out of more secure devices,” she says. “Someone has to go out there and teach them how to be resilient.”