Research results shape studies
The study was largely the result of research conducted by the US company in its security laboratory in the Netherlands, known as the Vedere Lab. The lab, which specialises in Operational Technology (OT), is located in Eindhoven in the immediate vicinity of the university. The proximity to science ensures an up-to-date level of knowledge and new specialists. Daniel dos Santos explains that it is possible to intensively analyse devices that are used in industry and business here. He has a PhD in computer science and heads the laboratory. It is not only used for testing and research, but also for demonstration purposes, for example for customers. The lab has repeatedly won prizes for its research, including this year.
In addition to industrial components, other OT and IoT systems are also part of the core area, including medical devices and building management systems. There are a large number of different systems in each area. The collection of devices in the lab is impressive. It took over ten years to set up the lab, procure the most important devices and analyse them, explains dos Santos. The most common industrial components are neatly lined up on top-hat rails in the lab, sorted by function and type. At the centre are Industrial Control Systems (ICS), including classic SCADA elements or components of programmable logic controllers (PLCs), which can be found everywhere in automated production.
No shortage of security problems
There are also typical devices from hospitals and other medical facilities. For example, an image management system which, among other things, enables images and video recordings of various formats to be taken and displayed in operating theatres or treatment rooms. However, it still runs on Windows XP and is therefore quite easy to attack. The lab is also home to newer devices such as a multi-parameter analyser for monitoring blood sugar levels in diabetics and for the early detection of kidney disease. In other words, devices that can be vital for patients.
They are all available for examinations and demonstrations. However, according to the lab staff, hardly any of them are free of security problems. Devices often ship with default passwords, which are sometimes printed in the operating manual or can even be found on the manufacturer's website. For attackers, these are extremely easy attack scenarios to realise. There are even search engines for finding such devices, and they can also be used to search specifically for the locations of components with certain security vulnerabilities. However, it is not only attackers who benefit from this, but also the other side, i.e. security authorities or companies. For example, they can warn operators of emerging problems at an early stage. "We also analyse anonymised customer data for this purpose," explains Christina Höfer, Head of OT and IoT Strategy at Forescout. This allows us to know "where, for what and how often these devices are used", she adds. These results are also used in the lab, and new studies are regularly produced as a result.
Intentional hazard
When you enter the lab, you notice a particularly secure and separate room. The security specialists call it the "Danger Zone", as the systems in it are exposed to the Internet relatively unprotected. This is the only way to observe the behaviour of attackers and study their methods, explains an employee. Among other things, a complete industrial environment consisting of several virtual machines is simulated here on a virtualisation server. It is supplemented by cloud systems. Routers, edge devices and engineering workstations are also included. Everything is completed as required by other OT or IT systems to be analysed. The entire ensemble serves as a playground for attackers and is known in IT as a honeypot. Every action and every step taken by an intruder can be observed in real time; you can look over the shoulder of an attacker live, so to speak. This allows new attack variants and approaches to be analysed very quickly. "For an attacker, it looks like a real production plant or a hospital, depending on the configuration," explains dos Santos. And it can be adapted very flexibly and quickly. All this to stay one step ahead of the attackers. However, they have long been aware of honeypots and usually check for evidence of such traps before launching attacks. It is therefore a challenging endeavour to design honeypots in such a way that they do not stand out as such.
The experts in the lab were also able to discover a new trend: the increase in indirect attacks. These are carried out via building management and automation systems, for example, which are often inadequately secured. Attacks on power supply components are therefore conceivable. If these succeed, a production facility or hospital could be severely disrupted. If security companies can use their research laboratories to help prevent such attacks, they can sometimes help save lives.
Our overview of OT security shows how companies can protect themselves.
On our topic page "Cyberattacks", find out how to protect your company holistically against cyberattacks, with background knowledge, best practices and current trends.