The SolarWinds Hack Can Directly Affect Industrial Control Systems

Uploaded on 2020-12-23 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Production-Utilities, BUSINESS-Production-Manufacturing

 It looks like Russian’s hackers succeeded in getting a “two-fer” in the SolarWinds hack which compromise both the IT infrastructure and direct control of building control system devices.

The Russians also got indirect control of industrial control systems via the IT network backdoors.

A highly sophisticated Russian Intelligence group has compromised the SolarWinds Orion platform. The platform’s broad base of users has been estimated at up to 18,000 customers and includes an unknown but vast number of sites.

FireEye, which was affected by SolarWinds, issued a blog on SolarWinds dated December 13, 2020, “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”. The blog states: “They gained access to victims via trojanized updates to Solar Wind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft.”

The FireEye blog, the DHS CISA and the SolarWinds Advisory have all focused on the IT networks, network visibility, and data exfiltration/compromise. However, SolarWinds is used to manage all types of Simple Network Management Protocol (SNMP) devices and these include not just IT equipment like servers and switches, but, also Industrial Control Systems (ICS) like power and cooling systems. 

Specifically, SNMP management systems are used to monitor (using the SNMP "get" command") and control (using the SNMP "set" command) any SNMP device. SNMP management platforms like Orion also monitor and control critical power and cooling systems in mission-critical facilities even though SNMP has little or no viable security. Consequently, data center equipment can be compromised using SNMP vulnerabilities.

Most power and cooling systems in data centers, laboratories, telecom systems and network closets include SNMP communication cards or chips for the expressed purpose of allowing them to be monitored and remotely controlled. 

These power and cooling systems include:

  • Switchgear
  • Power Distribution Units
  • Rack Power Distribution Units
  • Uninterruptible Power Supplies
  • Rack Uninterruptible Power Supplies
  • Computer Room Air Conditioners and Air Handlers (CRAC and CRAH units)
  • Temperature and Humidity Sensors
  • Rack Environmental Monitoring Systems

In mission-critical facilities, it is common for multiple management platforms to have monitoring and control access to SNMP-based systems. For example, the Network Management System (NMS) like Orion typically tracks device information at the rack-level, including the servers, switches, Rack PDU's and, when present, Rack UPS, Rack Cooling, and Rack Monitoring systems. At the same time, Building Management Systems (BMS) track the central cooling units and rack cooling units while the Data Center Infrastructure Management (DCIM) system is also tracking Rack PDUs, Main PDUs, Main UPSs, and Switchgear. This gap in building risk assessments has been highlighted by the process automation experts at Control Global.

Even the most recent SNMP version, version 3, is now over 20 years old and has long been shown to be vulnerable (though not as vulnerable as versions 1 and 2). This peer-reviewed and well-researched report from the Georgia Institute of Technology shows just how easy it is to compromise SNMP devices and cause physical damage.  

Devices that are using SNMP are insecure and can easily be compromised.  The Russians used SNMP communication cards as attack vectors in their 2015 attack on the Ukrainian power grid that left hundreds of thousands without power.

The Russians used targeted the UPS in the control center as the starting point for their attack.  In short, they placed code on the UPS that made it shut down at precisely the moment when they also started a Denial of Service (DoS) attack on the telecom switch (just as shown above in the consequences of SNMP attacks as outlined by the Georgia Tech paper).  Simultaneously, they opened the main breaker that delivers power to the Ukrainian power grid serving much of the country.

It has long been speculated that the Russians have been using the Ukraine as the "test laboratory" for more extensive cyberattacks they intend to use against other countries. Unfortunately, we can now say that they have succeeded in this SolarWinds Orion attack. 

While almost all are searching for malicious code on servers and managed switches, the reality is that code has likely been placed on power and cooling systems' SNMP cards throughout mission-critical enterprises around the globe. SNMP malware is extremely difficult to detect, and there are only a handful of people who have been involved in finding and managing this type of malware. 

The Russians spent significant efforts to deliver the BlackEnergy2 malware that is still in the US grids. The Russians modified it to create BlackEnergy3 which was used in the Ukrainian power grid attacks where the starting point was hacking the UPSs which use SNMP.  Now they spent a significant amount of effort to develop SolarWinds which enables direct access to the SNMP devices in more than 18,000 customers who have critical buildings (e.g., data centers, control centers, laboratories, manufacturing buildings, etc.) with SNMP devices.  

This attack demonstrates the need for the paradigm shift for control system cyber security by having an independent view of the control system devices not connected to any IP network. At what point will control systems be adequately addressed?

About The Author:  Joe Weiss  is an international authority on cybersecurity, control systems and system security. He is Managing Partner at Applied Control Sloutions.

You Might Also Read: 

Russian Hackers Have Stolen US Secrets:

 

« The Different Types of Malware
How To Optimize The DevSecOps Pipeline »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Roka Security

Roka Security

Roka Security is a boutique security firm specializing in full-scale network protection, defending against advanced attacks, and rapid response to security incidents.

a1qa

a1qa

a1qa specializes in the delivery of full-cycle software QA and application testing services.

EIT Digital

EIT Digital

EIT Digital is a leading digital innovation and entrepreneurial education organisation driving Europe’s digital transformation. Areas of focus include digital infrastructure and cyber security.

Sliced Tech

Sliced Tech

Sliced Tech provides enterprise grade managed Cloud services, including Security-as-a-Services, aimed at meeting the needs of commercial and government clients from within Australia.

CERT.lu

CERT.lu

CERT.lu is an initiative to enhance cyber security practices and techniques, and support security professionals in Luxembourg.

Critical Insight

Critical Insight

Critical Insight provide Managed Detection and Response, Vulnerability Detection, and Consulting Services to help you secure your mission-critical systems.

GitGuardian

GitGuardian

Enable developers, ops, security and compliance professionals to enforce security policies across public and private code, and other data sources as well

Electric Power Research Institute (EPRI)

Electric Power Research Institute (EPRI)

The Electric Power Research Institute’s Cyber Security Research Laboratory (CSRL) addresses the security issues of critical functions of electric utilities.

Exceed Cybersecurity & I.T. Services

Exceed Cybersecurity & I.T. Services

Exceed Cybersecurity & I.T. Services is a premier Managed Internet Technology (I.T.) company with a focus in cybersecurity risk management and CMMC compliance management.

eCapital

eCapital

eCAPITAL is a leading venture capital firm that provides early to growth stage funding to technology companies in fields including software & information technology, cybersecurity and industry 4.0.

Cyberplc

Cyberplc

Cyberplc is a global cybersecurity consulting firm providing services to government, the public sector and enterprises.

Europol - European Cybercrime Centre (EC3)

Europol - European Cybercrime Centre (EC3)

The European Cybercrime Centre (EC3) was set up by Europol to strengthen the law enforcement response to cybercrime in the EU.

Blackpanda

Blackpanda

Blackpanda is Asia’s premier cyber security incident response group, hyper-focused on digital forensics and cyber crisis response.

Francisco Partners

Francisco Partners

Francisco Partners provide capital, expertise, and support for growth-aspiring technology companies.

Emircom

Emircom

Emircom is one of the Middle East's leading independent providers of IT infrastructure services, helping clients to drive growth and deliver measurable outcomes.

TekStream Solutions

TekStream Solutions

TekStream accelerates clients’ digital transformation by navigating complex technology environments with a combination of technical expertise and staffing solutions.