Challenges and solutions of global equipment manufacturers on DoS attacks

2020 / 10 / 13

The diversified development of the Internet of Things (IoT) has brought business opportunities to many sectors, and many industries have launched connected products one after another. In addition to consumer products such as smart home appliances and smart cameras, non-consumer equipment in the industrial control, medical, communications, transportation and other industries has also joined the ranks of the IoT. However, no one is happier about this booming market than the criminal underground (the "black industry chain"). Fields that were once difficult to reach now offer new openings for attack precisely because their devices are connected to the Internet, and devices newly added to the connected world immediately become targets for hackers.

The impact of DoS attacks on infrastructure

The cybersecurity attack suffered by the US power company sPower in 2019 is a typical Denial of Service (DoS) attack. sPower is the largest private solar power producer in the United States. In March 2019, hackers used known vulnerabilities in the power system to conduct a 12-hour attack that repeatedly interrupted communication between operators and 12 power stations. As a result, more than a dozen wind farms and solar farms were temporarily unable to supply power.[1]

In view of the frequent attacks on infrastructure, the US government is paying more attention to cybersecurity incidents. The U.S. Government Accountability Office (GAO) was therefore commissioned by the U.S. Congress to study critical infrastructure protection. In August 2019, it released a report that puts forward recommendations for implementing the federal grid cybersecurity strategy. The report also assessed the extent to which the Department of Energy (DOE) has defined a strategy for addressing grid cybersecurity risks, and the extent to which the cybersecurity standards approved by the Federal Energy Regulatory Commission (FERC) address the risks to power cybersecurity. The GAO further details the nation-states, criminal groups, terrorists and other actors that threaten the power grid, along with the different attack strategies they use; DoS attacks are listed as one of the possible terrorist attack methods.[2]

DoS attacks

Thanks to the convenience brought by the IoT, the range of connected devices has expanded from consumer products to national infrastructure. In many regions of the United States, the three utility meters (water, electricity and gas) have been replaced by network-capable smart meters, and Taiwan also began building a smart grid a few years ago. A smart grid has multiple benefits, such as quick access to users' energy usage information, accurate estimation of energy consumption, and customized charges based on usage. As a result, the traditional electricity meter is gradually being replaced by a digital meter with networking features. However, the same convenient connectivity has become a weapon for hackers to attack the infrastructure of energy companies, and among these frequent attacks there is no shortage of DoS attacks aimed at paralyzing devices. For consumer products, the immediate impact of an attack enabled by insufficient security may be that consumers are temporarily unable to use the product. For infrastructure, the consequences of an attack on power generation or water supply equipment are quite different: during the attack the energy company may be unable to obtain customer usage data, or, at worst, a large-scale power outage, water outage or a disaster at the level of national security may occur.

The damages caused by DoS attacks on industrial control equipment

According to a survey of the known vulnerabilities in Industrial Control Systems (ICS), 70% can be exploited remotely, 49% are Remote Code Execution (RCE) vulnerabilities that could be used to break into industrial control systems, and up to 39% could be used to carry out a DoS attack after the break-in.[5] Another statistical survey published by Kaspersky in 2018 also pointed out that most vulnerabilities in industrial control systems are at a significant risk level; they may lead to DoS attacks, and the attack success rate is as high as 50%.[6]

In 2018, the paper "You Snooze, You Lose: Measuring PLC Cycle Times Under Attacks", published by the University of Augsburg, Germany, and the Free University of Berlin, showed that a flooding attack against a Programmable Logic Controller (PLC) can interrupt or invalidate the physical control process of the industrial control device, which achieves the effect of a DoS attack. On December 12, 2019, ICS-CERT released an advisory, "PLC Cycle Time Influences", describing the method of such attacks. Because the attacks are remotely exploitable and have low technical requirements, the issue was classified as vulnerability CVE-2019-10953, given a CVSSv3 score of 7.5 and listed as a high-risk vulnerability (the CVSS vector given is AV:N/AC:M/Au:M/C:P/I:N/A:N). The affected devices include products from ABB, Phoenix Contact, Schneider Electric, Siemens and WAGO.[3][4]
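To make the cycle-time effect concrete, here is an added simulation (not code from the paper, the advisory or Onward Security) of a PLC scan loop that services its network inbox before running the control logic. All timing constants are assumed values: the unbounded design lets a packet flood stretch the scan cycle past the watchdog limit, while the budgeted design sheds excess packets so the control logic keeps its cycle time even in a degraded mode.

```python
"""Simulated PLC scan cycle under a packet flood: unbounded vs. budgeted network handling."""
from collections import deque

LOGIC_US = 500        # assumed: time the control logic itself needs per scan (microseconds)
PKT_COST_US = 20      # assumed: cost to parse and answer one incoming packet
MAX_CYCLE_US = 2000   # assumed: configured maximum cycle time (watchdog limit)
NET_BUDGET_US = 400   # assumed: per-scan budget for network work in the hardened design


def scan_cycle(inbox, budget_us=None):
    """Run one scan. Returns (cycle_time_us, packets_handled, packets_dropped).

    budget_us=None models the unbounded design: every queued packet is serviced
    before the logic runs, so a flood stretches the cycle without limit.
    With a budget, packets beyond the budget are shed so the logic still runs on time.
    """
    spent = 0
    handled = dropped = 0
    while inbox:
        if budget_us is not None and spent + PKT_COST_US > budget_us:
            dropped += len(inbox)   # shed the rest; the control logic must still run
            inbox.clear()
            break
        inbox.popleft()
        spent += PKT_COST_US
        handled += 1
    return LOGIC_US + spent, handled, dropped


def run(packets_per_scan, scans, budget_us=None):
    """Feed a constant packet rate for `scans` cycles; return (worst cycle time, overrun count)."""
    inbox = deque()
    worst = 0
    overruns = 0
    for _ in range(scans):
        inbox.extend(range(packets_per_scan))   # constructed traffic: N packets arrive per scan
        cycle_us, _, _ = scan_cycle(inbox, budget_us)
        worst = max(worst, cycle_us)
        if cycle_us > MAX_CYCLE_US:
            overruns += 1   # the watchdog limit was exceeded: the control process is disturbed
    return worst, overruns


if __name__ == "__main__":
    for rate in (10, 200):   # normal load vs. flood
        print(f"{rate} pkts/scan  unbounded={run(rate, 50)}  budgeted={run(rate, 50, NET_BUDGET_US)}")
```

At 10 packets per scan both designs stay well under the limit; at 200 packets per scan the unbounded loop overruns on every scan while the budgeted loop holds a 900 µs cycle and drops the excess.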

In recent years, Taiwan has also vigorously promoted smart manufacturing, encouraging industrial equipment to be connected to the network in order to provide a complete production history and improve product yield. In the past, the concept of cybersecurity protection was very weak on the factory floor, because devices did not need to be connected. If a factory's security protection mechanisms fail to keep up with modern protection concepts, it is very likely that a DoS attack will shut down the production line, causing great harm to the manufacturer and its related supply chains. There is therefore an urgent need to improve the security of industrial control equipment to reduce the risk of DoS attacks.

Security norms and standards for IoT

Security issues with IoT devices are steadily rising, and more and more countries require device manufacturers to improve the security of their devices. For example, the US released a set of Strategic Principles for Securing the IoT in November 2016, and in the industrial control field there are cybersecurity standards for Industrial Automation and Control Systems (IACS); both set requirements for the protection and security of industrial control. On February 27, 2019, the International Electrotechnical Commission (IECEE) released Part 4-2 (IEC 62443-4-2:2019) of its standard on the security of industrial automation and control systems, which lists Resource Availability as Fundamental Requirement No. 7. Its Component Requirement 7.1, Denial of Service Protection, requires that even when the performance of industrial control equipment is affected by a DoS attack, the component must still be able to maintain its essential functions while operating in a degraded mode. Equipment manufacturers therefore need to verify and improve their products' resistance to DoS attacks during the development process.[7]

Solutions for equipment manufacturers against DoS attacks

How to enjoy the convenience of networking without giving up cybersecurity has always been a concern for enterprises, and for manufacturers of connected devices, improving the security of IoT products is a new challenge. Fortunately, IoT cybersecurity is not without solutions. The first step is to establish a compliant development process for the product, and then to carry out security design at each stage so as to implement the concept of Secure by Design. In the testing phase, automated tools can be used to test the product, thereby reducing its cybersecurity risk before it goes to market.

The "HERCULES Automatic Vulnerability Assessment" from Onward Security is a security assessment tool that provides test environment configuration, security assessment and other automated features. It offers more than 120 test items to assist in discovering known and unknown vulnerabilities during product development. One of the test items can simulate DoS attacks against the device under test using protocols from the Data Link Layer up to the Transport Layer, reproducing the effect of a denial of service attack. This simulation item is suitable for equipment manufacturers to conduct DoS attack drills and test the security strength of connected devices. In addition, the "HERCULES SecFlow Product Security Management" allows the R&D team to check whether the third-party open source packages used in the software design and development phase have controversial licensing issues or major cybersecurity vulnerabilities. This platform enables checks at each layer during product development, so as to improve product security and comply with regulatory requirements while reducing cybersecurity risks.

References
[1] First-of-a-kind U.S. grid cyberattack hit wind, solar, https://www.eenews.net/stories/1061421301
[2] CRITICAL INFRASTRUCTURE PROTECTION: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid, https://www.gao.gov/assets/710/701079.pdf
[3] You Snooze, You Lose: Measuring PLC Cycle Times under Attacks, Hochschule Augsburg, Augsburg, Germany & Freie Universität Berlin, Berlin, Germany, https://www.usenix.org/system/files/conference/woot18/woot18-paper-niedermaier.pdf
[4] ICS Advisory (ICSA-19-106-03) PLC Cycle Time Influences (Update A), https://us-cert.cisa.gov/ics/advisories/ICSA-19-106-03
[5] Most ICS vulnerabilities disclosed this year can be exploited remotely, https://www.helpnetsecurity.com/2020/08/20/ics-vulnerabilities-exploited-remotely/
[6] Threat Landscape for Industrial Automation Systems in H2 2018, https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h2-2018/90041/
[7] Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components, https://webstore.iec.ch/publication/34421