Operational technology is the new low-hanging fruit for hackers

FireEye researchers say exposed and poorly guarded industrial systems are being increasingly compromised by low-skill hackers using entry-level exploit techniques.

Industrial systems with operational technology are being exposed on the internet in growing numbers, and many are vulnerable to basic entry-level intrusion techniques.

That's according to researchers at FireEye, who said in a research post Tuesday that operational technology (OT) networks are being compromised at their highest rate in years. As a result, vital industries, including electricity, mining and water management, are being put at risk of catastrophic attack.

Even more disturbing, said the FireEye team, the attackers pulling off these network breaches do not appear to be high-level teams who have dedicated weeks or months to infiltrate a specific target. Rather, they seem to be crimes of opportunity in which hackers stumble upon low-hanging fruit and decide to use it to either turn a quick buck or boost their own reputation among underground forums.

"The most common activity we observe involves actors trying to make money off exposed OT systems, but we also see actors simply sharing knowledge and expertise," the blog post said. "More recently, we have observed more low sophistication threat activity leveraging broadly known tactics, techniques, and procedures (TTPs), and commodity tools to access, interact with, or gather information from internet exposed assets -- something we had seen very little of in the past."

Despite recent government efforts to improve security for industrial IoT and OT networks, securing embedded systems and their associated networks has proven to be a difficult task. Aside from the challenges of bolting security onto devices that were never designed for connectivity, basic questions of responsibility and jurisdiction have arisen in areas such as solar power, where it can be unclear whether vendors, operators or government agencies have the responsibility to secure hardware.

Thus, the FireEye researchers said it should be highly concerning to all parties involved that hackers -- who appear in many cases to be low-skilled threat actors -- have been able to access a wide range of OT assets without much trouble.

In many cases, FireEye found that the OT equipment was left exposed to the open internet, where it was discoverable through well-known search services like Shodan. Armed with some basic knowledge of how to put together queries and a handful of entry-level hacking tools, the attackers were able to compromise numerous devices without even knowing what they were.

Among the breached systems the research team observed were solar power control systems, surveillance systems for a dam and a data-logging system used by a mining operation.

"In a few instances, actors operating as part of hacktivist collectives created and shared tutorials that instructed their affiliates and sympathetic parties on how to identify and compromise internet-accessible OT assets. The tutorials typically described simple methodologies, such as using VNC [virtual network computing] utilities to connect to IP addresses identified in Shodan or Censys searches for port 5900," the FireEye team wrote.

"These methods appear to have been used in some of the incidents we described," said the post, "as some of the shared screenshots of compromised OT systems also showed the actor's web browser tabs displaying similar Shodan queries and remote access tools."

That is not to say each of the observed attacks was a major heist. In some cases, the hackers were so unskilled they did not even understand what they had uncovered.

In one case, a forum user proudly displayed what they thought was the control system for a railroad, including screens displaying gauges and speed controls for a locomotive. As it turns out, the hacker was half-right: It was remote controls for a model train set for home hobbyists. The hack might dampen a model railroad buff's afternoon, but it would hardly be an industrial disaster.

In another logged case, hacktivists angry over Israeli attacks on Iranian weapons facilities boasted of taking revenge by hacking into a gas plant in Israel. Little did they know that their prized trophy was just the ventilation system for a restaurant in Ramat HaSharon.

While amusing, these hacker bloopers are not something that should be particularly comforting to administrators and security providers. That threat actors prone to such basic errors were able to access a full gamut of devices underscores just how poor the current state of OT network security is. If an adversary with little knowledge can get into these systems without even knowing what they are doing, imagine the havoc that could be wreaked by a skilled, determined intruder.

On the bright side, FireEye said in many cases admins can raise their networks from the ranks of low-hanging fruit by adopting some simple security best practices. These include patching and isolating hardware whenever possible. The researchers also advised that companies keep a close eye on all devices on their networks and limit access from any unnecessary ports or applications.
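The two defensive points above, knowing which devices expose remote-access services to the internet and watching who actually connects to them, can be turned into a small audit. The script below is an added example, not FireEye's code or tooling: it checks a constructed asset inventory for internet-facing remote-access ports (VNC on 5900 is the one the post names; the other ports are common industrial and remote-access defaults added here for illustration) and then flags firewall-allowed connections to those ports from sources outside a constructed allowlist. The inventory, allowlist and log lines are all made up for the example.

```python
"""Audit an OT asset inventory for internet-exposed remote-access services and
flag inbound connections to them from outside an allowlist.

Added example; the inventory, allowlist and firewall log below are constructed.
"""
import ipaddress
from collections import defaultdict

# Services that should not be reachable from the internet on an OT network.
# VNC (5900) is named in the FireEye post; the others are common defaults
# added here for illustration.
REMOTE_ACCESS_PORTS = {
    5900: "VNC",
    3389: "RDP",
    23: "Telnet",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Constructed inventory: name, address, open ports, and whether the address is routed from the internet.
INVENTORY = [
    {"name": "solar-inverter-hmi", "ip": "203.0.113.10", "ports": {80, 5900}, "internet_facing": True},
    {"name": "dam-camera-nvr", "ip": "203.0.113.11", "ports": {443, 3389}, "internet_facing": True},
    {"name": "mine-datalogger", "ip": "10.20.30.40", "ports": {502, 22}, "internet_facing": False},
    {"name": "ops-jumphost", "ip": "203.0.113.12", "ports": {22}, "internet_facing": True},
]

# Constructed allowlist: networks from which remote access to OT assets is permitted.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.0/24")]

# Constructed firewall log: one connection per line, space-separated key=value fields.
FIREWALL_LOG = """\
2021-05-25T10:01:12Z action=allow src=198.51.100.7 dst=203.0.113.10 dport=5900 proto=tcp
2021-05-25T10:02:45Z action=allow src=192.0.2.55 dst=203.0.113.10 dport=5900 proto=tcp
2021-05-25T10:03:01Z action=allow src=192.0.2.55 dst=203.0.113.11 dport=3389 proto=tcp
2021-05-25T10:04:19Z action=allow src=10.5.5.5 dst=10.20.30.40 dport=502 proto=tcp
2021-05-25T10:05:33Z action=deny src=192.0.2.99 dst=203.0.113.12 dport=5900 proto=tcp
2021-05-25T10:06:02Z action=allow src=192.0.2.55 dst=203.0.113.10 dport=80 proto=tcp
"""


def exposed_services(inventory=INVENTORY):
    """Return (asset name, port, service) for each remote-access port reachable from the internet."""
    findings = []
    for asset in inventory:
        if not asset["internet_facing"]:
            continue
        for port in sorted(asset["ports"]):
            if port in REMOTE_ACCESS_PORTS:
                findings.append((asset["name"], port, REMOTE_ACCESS_PORTS[port]))
    return findings


def parse_line(line):
    """Split a log line into a dict; the timestamp is the first token, the rest are key=value."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    fields["dport"] = int(fields["dport"])
    return fields


def is_allowed(src):
    """True if the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def unexpected_access(log=FIREWALL_LOG, inventory=INVENTORY):
    """Map each inventoried destination to the (src, port, service) connections the firewall
    allowed to a remote-access port from a source outside the allowlist."""
    assets = {a["ip"] for a in inventory}
    hits = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f["action"] != "allow" or f["dst"] not in assets:
            continue
        if f["dport"] in REMOTE_ACCESS_PORTS and not is_allowed(f["src"]):
            hits[f["dst"]].append((f["src"], f["dport"], REMOTE_ACCESS_PORTS[f["dport"]]))
    return dict(hits)


if __name__ == "__main__":
    print("Internet-exposed remote-access services (isolate or firewall these):")
    for name, port, svc in exposed_services():
        print(f"  {name}: {svc} on tcp/{port}")
    print("Allowed connections from outside the allowlist (investigate and restrict):")
    for dst, conns in unexpected_access().items():
        for src, port, svc in conns:
            print(f"  {src} -> {dst} {svc} tcp/{port}")
```

The two checks are deliberately separate: the inventory check answers "what would a search engine like Shodan see?" before any connection happens, while the log check catches the case where a port is reachable but should only ever be used from known management networks. In practice the inventory would come from the organisation's own asset database or an external scan of its address space, and the allowlist from the firewall policy.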
