Historically, 2021 will be recognized as the year when ransomware gangs switched their focus to key infrastructure, namely firms centered on the manufacture, delivery, and production of food and energy.
The Colonial Pipeline ransomware attack alone led to the shutdown of 5,500 miles of pipeline, out of concern that the attack on the company’s information technology network might spread to the operational network that controls the pipeline’s gasoline distribution.
Operational technology (OT) networks are typically segmented from a company’s internet-facing information technology (IT) networks to better protect critical hardware from cyberattacks. These networks control the devices that keep production lines, power plants, and energy supply systems running. In the aftermath of the Colonial ransomware attack, CISA warned critical infrastructure owners that the threat of cyberattacks on operational technology networks is growing.
Now, security specialists are expressing concern about threats to the embedded devices connected to such operational technology networks. According to recent research by Red Balloon Security, a security provider for embedded devices, it is possible to deploy ransomware on embedded systems that are used in real-world networks.
In a statement, Schneider Electric said it had detected weaknesses in the Schneider Electric Easergy P5 protection relay. This device is critical to the functioning and stability of contemporary electric grids, since it triggers circuit breakers when a fault is detected.
According to Red Balloon, this vulnerability may be exploited to distribute a ransomware payload, a “complex but repeatable” technique that the company claimed it has accomplished. An official from Schneider Electric told TechCrunch that the company is “very cautious” when it comes to cyber risks and that “as soon as we learned of the vulnerabilities with the Schneider Electric Easergy P5 protection relay, we promptly began working to remedy them.”
TechCrunch spoke with Ang Cui, the founder and co-CEO of Red Balloon, who said that although ransomware attacks have targeted the IT networks of critical infrastructure providers, successful penetration of an operational technology embedded device may be “much more destructive.”
According to him, “companies are not used to or skilled in recovering from an assault on the embedded devices themselves.” Because there is a limited supply of replacement devices, it may take weeks to get a replacement if the device is damaged or rendered unrecoverable.
Window Snyder, a security veteran who last year founded a business to help IoT manufacturers deliver software updates to their devices consistently and securely, believes that embedded devices could become an easy target, especially as other points of entry become harder to breach.
Speaking about embedded systems, Snyder told TechCrunch that “a lot of them don’t have separation of privilege on them, a lot of them don’t have a separation between code and data, and a lot of them were created with the assumption that they’d be sitting on air-gapped networks — that’s inadequate.”
Based on its research, Red Balloon believes that the security built into these devices — many of which are several decades old — needs to be improved. It urges end users in the government and commercial sectors to demand better standards from the vendors that manufacture such devices.
According to Cui, releasing firmware updates is a reactive and wasteful strategy that will not address the overall vulnerability of our most mission-critical businesses and services. “Vendors must provide better security down to the level of the embedded device,” he says. His other major point is that the United States government has to do more at the regulatory level: greater pressure should be applied to device makers, who currently have little incentive to build better security into the device itself.
Snyder, on the other hand, believes that a regulation-driven strategy is unlikely to be effective: “I believe that the most effective method is to reduce the attack surface and increase compartmentalization,” she adds. In her view, government regulation is not what will bring more secure devices into use. “Someone needs to go out there and help them develop their resilience.”