The rush to embrace digital transformation is all consuming. From healthcare to financial services, there’s not a CIO around today who hasn’t been tasked with driving innovation and business agility through emerging technologies. Unfortunately, for many of these organisations, the unpalatable side-effect of increased connectivity is greater exposure to cyber risk.
New Trend Micro research released recently highlighted one major weak link in the security chain: vulnerabilities in radio frequency (RF) controllers which could put millions of pieces of industrial equipment around the world at risk of attack. The result: financial and reputational damage stemming from extortion, sabotage and theft.
The march to digital
Operators of heavy machinery in manufacturing, construction, transportation, and other industrial sectors are increasingly investing in connectivity to drive growth. Cloud and IoT systems offer the promise of streamlining and automating processes, stripping away cost, and minimising manual error. Smart sensors can monitor for faults and alert managers when equipment needs replacing, reducing downtime. IoT equipment can also improve steering on mobile cranes, monitor mining environments for dangerous emissions, provide digital plans for more efficient construction, or improve the accuracy of portside cranes and other logistics. In many cases, they remove the need for humans altogether, or at least ensure that workers can operate heavy machinery remotely.
According to the World Economic Forum, digital transformation could impact the mining industry by $428-784 billion between 2016-2025; while the industrial IoT (IIoT) market as a whole is expected to reach $934 billion by 2025.
Yet despite the benefits of IIoT adoption, the bottom line is that it can create extra risk and complexity for IT managers. Adding connectivity to operational technology (OT) that has previously been built for safety but not IT security, can add significant challenges. RF controllers sit at the heart of the problem: relying not on standards-based wireless technologies but insecure proprietary RF protocols which are decades old.
Security-by-obscurity still reigns in many industrial IT departments. Equipment is often left unpatched, either because it’s difficult to apply fixes or because equipment is too critical to operations or expensive to be taken offline. Long replacement cycles on major pieces of industrial machinery increase risk exposure.
Yet as we found, RF controllers in these safety-critical environments are in many cases easier to hack than those operating garage doors.
Riddled with vulnerabilities
Trend Micro researchers analysed technology from seven of the most popular RF controller vendors and found three basic security failings: no rolling code; weak or no cryptography; and a lack of software protection.
By exploiting these vulnerabilities, hackers could launch replay attacks and command injection to remotely control the machine, or abuse emergency “e-stop” functionality by replaying commands which would create a DoS effect. Malicious re-pairing would allow an attacker to clone a remote controller or its functionality in order to hijack a legitimate one. All of these attacks could be achieved by standing within range but outside of the targeted site, with a coin-sized device. A fifth attack type targets remote controller software used by SIs, making remote, persistent attacks feasible by “trojanizing” the firmware.
With these capabilities in their back pocket, attackers could be hired to sabotage rival companies’ operations, extort targets with e-stop DoS threats, or even enable physical theft. By remotely controlling portside cargo cranes, for example, cybercrime groups could place containers on their own vehicles for speedy transportation out of the facility.
The impact of these threats on the bottom line, corporate reputation and even the physical safety of employees could be severe. So how do we move forward as an industry? Understanding the scale of the challenge is the first hurdle to overcome. With more research like this hopefully operators of IIoT, as well as vendors, SIs and other stakeholders will get the message.
Next, vendors need to provide secure firmware upgrades to existing devices, including rolling code to mitigate replay attacks, and tamperproof mechanisms to guard against reverse engineering. Going forward they need to build on secure, well-known standard protocols like Bluetooth Low Energy. SIs should play their part by ensuring programmable remote controllers are air-gapped or hardened like a secure endpoint, and also consider more secure next-gen products built on standards.
When security continues to be treated as an afterthought, the prognosis is grim. But if industrial operators start following best practices of security by design, then hopefully the scenarios outlined in our report won’t make the leap from theory to practice.
Ian Heritage, Cybersecurity Architect at Trend Micro