Challenges and solutions of global equipment manufacturers on DoS attacks

Due to the convenience brought by the IoT, the application range of connected devices has expanded from consumer products to national infrastructures. The three meters (water, electricity and gas) in many regions of the United States have been replaced by Smart Meters with networking capabilities. Taiwan also started to build a smart grid a few years ago. It has multiple benefits such as quick access to user’s energy usage information, accurate estimation of energy usage, and customized charges based on usage. As a result, the traditional electricity meter is gradually replaced by a digital electricity meter with networking feature. However, the convenient connection has become a weapon for hackers to launch attacks on energy company infrastructure. Among the frequent attacks, there is no shortage of DoS attacks aimed at paralyzing devices. For consumer products, the immediate impact of an attack caused by insufficient security may be that consumers are unable to use the product temporarily. But for infrastructure, the consequences of attacks on power generation equipment or water supply equipment are quite different. During the attack, the energy company may be unable to obtain the customer's usage data, or, at worst, a large-scale power outage, water outage or national security level disaster may occur.
 

The damages caused by DoS attacks on industrial control equipment

According to the survey, 70% of the known vulnerabilities of the Industrial Control System (ICS) can be remotely exploited. 49% of them may use Remote Code Execution (RCE) vulnerability to hack into industrial control systems. Up to 39% of them may conduct a DoS attack after the hacking. Another statistical survey conducted by Kaspersky in 2018 also pointed out that most of the vulnerabilities in the industrial control systems are the significant risk level. They may cause DoS attacks, and the attack success rate is as high as 50%.[6]

In 2018, the paper "You Snooze, You Lose: Measuring PLC Cycle Times Under Attacks" published by the University of Augsburg, Germany and the Free University of Berlin pointed out that launching a flooding attack to a Programmable Logic Controller (PLC) can cause the physical control process of the industrial control device to be interrupted or invalid, which can achieve the DoS attack effect. On December 12, 2019, ICS-CERT released a report on "PLC Cycle Time Influences", which pointed out the methods of such attacks. Because the attacks have the characteristics of "remote attack" and "low technical requirements", they are classified as a CVE-2019-10953 vulnerability. Besides, CVSSv3 was given a score of 7.5 and was listed as a high-risk vulnerability (The CVSS vector is AV: N/AC: M/Au: M/C: P/I: N/A: N). The affected devices include ABB, Phoenix Contact, Schneider Electric, Siemens, WAGO.[3][4]

In recent years, Taiwan has also vigorously promoted smart manufacturing in manufacturing, encouraging industrial equipment to be connected to the network to provide a complete production history and improve product yield. In the past, the concept of cybersecurity protection was very weak at the factory, because there is no need for device connectivity. If the security protection mechanism of the factory fails to keep up with modern protection concepts, it is very likely that the production line will be shut down after DoS attacks, which will cause great harm to the manufacturing industry and related supply chains. Therefore, there is an urgent need for improving the security of industrial control equipment to reduce the risk of DoS attacks.
 

Security norms and standards for IoT

The security issues of IoT devices are gradually rising, and more and more countries require device manufacturers to improve the security of their devices. For example, the US released a set of Strategic Principles for Securing the IoT in November 2016; there are cybersecurity standards for Industrial Automation and Control Systems (IACS) in the industrial control field. Both set requirements for the protection and security of industrial control. On February 27, 2019, the International Electrotechnical Commission (IECEE) released Part 4-2 (IEC 62443-4-2: 2019) on the security of industrial automation and control systems, listing resource availability as Fundamental Requirement No.7. Its Component Requirement 7.1: Denial of Service Protection regulates that when the performance of industrial control equipment is affected by a DoS attack, the components should still maintain a good and basic functions for operation. Therefore, equipment manufacturers need to verify and improve their products resistance against DoS attacks during the development process.[7]
 

Solutions for equipment manufacturers against DoS attacks

How to have both the convenience of networking and cybersecurity has always been a topic of concern for enterprises. For manufacturers of connected devices, how to improve the security of IoT products is a new challenge. Fortunately, the IoT cybersecurity issue is not without solution. The first thing is to establish a compliant development process for products, and then carrying out security design at each stage to implement the concept of Secure by Design. In the testing phase, automated tools can be used to test, thereby reducing the risk of cybersecurity before the product goes to market.

The "HERCULES SecDevice Automated Vulnerability Assessment Tool" of Onward Security is a security assessment tool, providing test environment configuration, security assessment and other automated features. It provides more than 120 test items to assist in discovering known and unknown vulnerabilities during the product development. One of the test items can simulate DoS attacks from Data Link Layer to Transport Layer protocols for the device in the test process to achieve the effect of denial of service attacks. This simulation item is suitable for equipment manufacturers to conduct DoS attack drills and test the security strength of connected devices. In addition, the "HERCULES SecFlow Product Security Management System" allows the R&D team to check whether the third-party open source packages used in the software design and development phase have controversial licensing issues and major cybersecurity vulnerabilities. This platform enables to check layer by layer during the product development, so as to improve product security and comply with regulatory requirements, while reducing cybersecurity risks.