2021 will be remembered as the year that ransomware gangs turned their attention to critical infrastructure, targeting companies built around manufacturing, energy distribution and food production.
The Colonial Pipeline ransomware alone resulted in the shutdown of 5,500 miles of pipeline over fears that the ransomware attack on its IT network would spread to the operational network that controls the pipeline for distributing fuel.
Operational technology (OT) networks control the devices critical to the continued operations of production lines, power plants and energy supplies, and as such are typically segmented from a company's internet-facing IT networks to better isolate critical hardware from cyberattacks. Successful attacks against OT networks are rare, but in the wake of the Colonial ransomware attack, CISA warned of a growing threat for critical infrastructure owners.
Now security researchers are warning of the risks posed by the embedded devices that sit on those OT networks. Red Balloon Security, a security provider for embedded devices, found in new research that it's possible to deploy ransomware on embedded systems that are used in real-world networks.
The company said it found vulnerabilities in the Schneider Electric Easergy P5 protection relay, a device that's key to the operation and stability of the modern electric grids by triggering circuit breakers if a fault is discovered.
This vulnerability could be exploited to deploy a ransomware payload, a “sophisticated but reproducible” process that Red Balloon said it achieved. A Schneider Electric spokesperson told TechCrunch "it is extremely vigilant of cyber threats," and that "upon learning of the vulnerabilities with the Schneider Electric Easergy P5 protection relay, we worked immediately to resolve them."
Ang Cui, founder and co-CEO of Red Balloon, told TechCrunch that while ransomware attacks have hit IT networks of critical infrastructure providers, a successful compromise of an OT embedded device can be "far more damaging."
“Companies are not used to or experienced in recovering from an attack on the embedded devices themselves," he said. "If the device is destroyed or made unrecoverable, then a replacement device needs to be sourced, and this can take weeks as there is a limited supply."
Security veteran Window Snyder, who last year launched a startup to help IoT manufacturers reliably and securely deliver software updates to their devices, said that embedded devices could become an easy target, particularly as other points of entry become more resilient.
Speaking of embedded systems: “A lot of them don’t have separation of privilege on them, a lot of them don’t have separation between code and data, and a lot of them were developed with the idea that they’d be sitting on air-gapped networks — it’s insufficient,” Snyder told TechCrunch.
Red Balloon says its research demonstrates that the security built into these devices — many are several decades old — needs to be improved, and is calling for end-users in government and commercial sectors to call for higher standards from the vendors who make those devices.
“Issuing firmware fixes is a reactive, inefficient approach that will not address the overall insecurity of our most mission-critical industries and services,” says Cui. “Vendors need to bring more security down to the embedded device level.” He also believes also that more work needs to be done by the U.S. government on a regulation level, and thinks more pressure needs to be put onto device manufacturers who currently aren’t incentivized to build in more security at a device level.
Snyder, however, thinks a regulation-led approach is unlikely to help: “I think the thing that helps most is reducing the attack surface and increasing compartmentalization," she says. "We’re not going to regulate our way out of more secure devices. Somebody has to go out there and build resilience into them."