Tales From the Road: Got Critical Infrastructure?

Avoid these three pitfalls that are inherent to most SCADA systems that manage critical infrastructure.

A multinational corporation enlisted the services of DirectDefense to perform a security assessment of the organization’s newly-developed battery energy storage control (BESS) that would enable the company’s vendors and integrators to manage the voltage and power output for massive batteries. This major critical infrastructure component required testing of its SCADA architecture to ensure compliance with tight government-level regulations.

Because the battery energy system needed to meet a high level of compliance under NERC-CIP and ISA99/IEC62443, being able to compromise the network quickly would be a serious red flag – one that goes beyond everyday life disruptions and carries the potential to be deadly (think power to a city going out and the emergency services that rely on the power to provide critical care). This is why it was so important to test this product before shipping it out to customers.

Keep reading to learn the top threats we discovered (hint: your SCADA system likely has them too) and our quick fixes to immediately strengthen the security of any critical infrastructure.

Putting Critical Infrastructure to the Test

Even though our client’s BESS system was found to be relatively secure overall, it only takes one high severity finding (which we found) for an attacker to gain access to the network and do a lot of damage. What kind of damage are we talking? In the case of our client, whose critical BESS system would be managing batteries powerful enough to be used in a black start, a security breach has the potential to cause a system failure that could result in serious physical damage, or worse – especially if the outage occurs while the asset is powering business-critical operations.

Less than satisfactory security tends to be a common theme with legacy SCADA systems, but it doesn’t have to be. Take a lesson from our client and go the extra mile to ensure compliance by conducting testing before your organization has to experience the destruction (which in their case could be life-threatening) that could come from a SCADA network attack.

Exposing the Gaps

Using the remote testing environment, our team took a mixed white-box and red team approach and attempted to expose gaps in the network. The client needed to ensure compliance with NERC-CIP and ISA99/IEC62443 standards before shipping the product, and our assessment uncovered less-than-satisfactory security around the system’s critical infrastructure. Testing revealed several areas for improvement on the BESS network.

These were the top three findings:

  1. IPv6 was enabled: One of the first things our team checked was whether IPv6 was enabled on the BESS network. It was, which left the client vulnerable to a man-in-the-middle attack. Although IPv6 may not be actively used within an organization’s environment, every Windows version since Windows Vista (including the server variants) ships with IPv6 enabled. This is a big problem because the default configuration can be exploited to spoof DNS replies by acting as a malicious DNS server, allowing an attacker to redirect traffic to an endpoint of their choosing. Posing as the DNS server, the attacker selectively answers the DNS queries they care about and sends the victim’s traffic to the attacker’s machine instead of the legitimate server. From there, an attacker can intercept network traffic, gather credentials or hashes, or perform relay attacks. In our client’s case, an attacker would have had full access to the battery’s ignition system – a dangerous possibility.

    Quick Fix: Turn off IPv6 or set a firewall rule to stop the traffic.
  2. Microsoft Patching Issues: We identified outdated Microsoft Windows systems that increased the attack surface and the risk of compromise. One of the first steps in protecting a Microsoft Windows-based system from security threats and vulnerabilities is to maintain current service pack and hotfix patch levels. While some of the issues that patches address may be theoretical in nature (exploitable only under certain conditions), for others, once made public, working exploit code may be widely available within a day of the release date.

    Quick Fix: Apply the latest Windows patches and evaluate the current patching process to close any gaps.
  3. Network Segmentation Deficiencies: Our assessment revealed that the internal SCADA network wasn’t sufficiently segmented, creating a relatively flat network that would allow attackers to move throughout the environment should they gain access. Because we identified these segmentation deficiencies within the SCADA network, we were able to make the important recommendation to lock down the plant network and the SCADA network so that attackers cannot move freely between the two. Network segmentation is a way to limit the damage of an attack before it even happens. Keeping network segments small and eliminating unnecessary pathways is an effective protection strategy to secure the organization.

    Quick Fix: Leverage firewalls to internally segment traffic at strategic network boundaries or use software-defined networking to segment the network by workload.
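The IPv6 finding above and its two quick fixes, as an added PowerShell example that is not part of the original post: the script reports which adapters on a Windows host still have the IPv6 stack bound and whether any addresses were learned from DHCPv6 or router advertisements, then either unbinds IPv6 or adds Windows Firewall rules that drop the inbound DHCPv6 replies and ICMPv6 router advertisements a rogue DNS server relies on. It assumes Windows 8 / Server 2012 or later (NetAdapter and NetSecurity modules) and an elevated session; the rule names and the `-Mode` parameter are this example's own choices.

```powershell
# Added example: audit IPv6 exposure on a SCADA/BESS Windows host and apply
# one of the two quick fixes (disable IPv6, or block the traffic with firewall
# rules). Assumes an elevated session on Windows 8 / Server 2012 or later.
param(
    [ValidateSet('Audit', 'DisableIPv6', 'FirewallOnly')]
    [string]$Mode = 'Audit'   # hypothetical parameter for this example
)

# 1. Audit: which adapters still have the IPv6 transport bound?
$bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
foreach ($b in $bound) {
    Write-Host ("IPv6 is bound on adapter '{0}'" -f $b.Name)
}

# 2. Audit: addresses learned from DHCPv6 or router advertisements mean some
#    device on the segment is already handing out IPv6 configuration.
Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.PrefixOrigin -in 'Dhcp', 'RouterAdvertisement' } |
    ForEach-Object {
        Write-Warning ("{0} on '{1}' was learned via {2}" -f
            $_.IPAddress, $_.InterfaceAlias, $_.PrefixOrigin)
    }

switch ($Mode) {
    'DisableIPv6' {
        # Quick fix option 1: turn IPv6 off by unbinding it from every adapter.
        foreach ($b in $bound) {
            Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6
            Write-Host ("Unbound IPv6 from '{0}'" -f $b.Name)
        }
    }
    'FirewallOnly' {
        # Quick fix option 2: keep IPv6 bound but stop the traffic a rogue
        # DHCPv6/DNS server needs: DHCPv6 replies arrive on the client's
        # UDP port 546, and router advertisements are ICMPv6 type 134.
        New-NetFirewallRule -DisplayName 'BESS: block inbound DHCPv6 replies' `
            -Direction Inbound -Protocol UDP -LocalPort 546 `
            -Action Block -Profile Any | Out-Null
        New-NetFirewallRule -DisplayName 'BESS: block inbound ICMPv6 RA' `
            -Direction Inbound -Protocol ICMPv6 -IcmpType 134 `
            -Action Block -Profile Any | Out-Null
        Write-Host 'Firewall rules added; IPv6 remains bound.'
    }
}
```

Run with `-Mode Audit` first on a representative host; the audit output tells you whether anything on the segment is already advertising IPv6 configuration before you choose between the two fixes.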

Take the Next Step to Secure Your Critical Infrastructure

For critical infrastructure, security is about protecting your business, but also protecting your customers’ businesses. Whenever critical infrastructure is involved, an attack carries the risk of serious disruptions to everyday life, liability and even loss of life.

If your critical infrastructure contains servers that haven’t been used in a long time, you’re not alone. By taking the next step to have your product audited and then following the recommendations from our security professionals, as our client did, you will not only protect your customers but also lower your potential liability cost.

If you’d like to know how you can make your organization more secure inside and out, let’s talk. Contact Us Today!
