Hijacked Two-Factor | The Top 20 Cyber Attacks on Industrial Control Systems #11 | iSi

Dig deeper - download the accompanying ebook here

OT / industrial / ICS cybersecurity concepts from the perspective of the world’s most secure industrial sites. Truly secure sites ask different questions, and so get different answers. Subscribe to never miss an episode

EPS. 11 – Hijacked Two-Factor
Sophisticated attackers seek to compromise operations at an industrial site protected by best practice industrial security. They write custom RAT malware to evade antivirus systems and target support technicians at the industrial site using social media research and targeted phishing emails. The support technicians activate malware attachments and authorize administrative privileges for the malware because they believe the malware is a video codec or some other legitimate seeming technology. Rather than activate the RAT at the industrial site, where the site’s sophisticated intrusion detection systems might detect its operation, the attackers wait until the technician victim is on their home network but needs to log into the industrial site remotely to deal with some problem. The technician activates their VPN and logs in using two factor authentication. At this point the malware activates, moving the Remote Desktop window to an invisible extension of the laptop’s screen and shows the technician a deceptive error message, such as “Remote Desktop has stopped responding. Click here to try to correct the problem.” The malware provides remote control of the invisible Remote Desktop window to the attackers. The technician starts another Remote Desktop session to the industrial site, thinking nothing of the interruption. In this way, sophisticated attackers have access to industrial operations for as long as the technician’s laptop and VPN are enabled. The only hint of the problem that the ICS IDS sees is that the technician logged in twice. The attackers eventually learn enough about the system to mis operate the physical process and cause serious damage to equipment or cause an environmental disaster through a discharge of toxic materials.

These Top 20 attacks have been selected to represent cyber threats to industrial sites across a wide range of circumstances, consequences and sophistication. No industrial operation is free of risk, and different industrial enterprises may legitimately have different “appetites” for certain types of risks. In this series we show how to use the Top 20 Cyberattacks to compare the strength of two security postures at a hypothetical water treatment plant: Defence in depth 2013 (software based security) vs. that same security posture plus a unidirectional security gateway device providing hardware-enfonced security). We ask the question, does either defensive posture reliably defeat each attack? Over the course of 20 episodes we build a score card that can be used to easily communicate risk reduction benefits to business decision-makers who are not familiar with cyber-security.

At Waterfall, Andrew leads a team of experts who work with the world’s most secure industrial sites. He is author of two books on industrial security, a co-author of the Industrial Internet Consortium’s Security Framework, and the co-host of the Industrial Security Podcast. Andrew spent 35 years designing SCADA system products for Hewlett Packard, IT/OT connectivity products for Agilent Technologies, and OT/ICS security products for Industrial Defender and Waterfall Security Solutions.


Newsletter Signup