Are Embedded Devices the Next Ransomware Target?

The Escalating Threat to Critical Infrastructure
The year 2021 marked a significant shift in the tactics of ransomware groups, with a pronounced focus on critical infrastructure. Industries vital to daily life – including manufacturing, energy distribution, and food production – became primary targets.
The Colonial Pipeline Attack and its Aftermath
The ransomware attack on the Colonial Pipeline serves as a stark example of this trend. The incident led to the shutdown of 5,500 miles of pipeline due to concerns that the compromise of the IT network could extend to the operational network responsible for fuel distribution.
Operational technology (OT) networks are designed to manage and control essential industrial processes, such as production lines and power grids. These networks are typically isolated from public-facing IT networks to enhance security and protect critical hardware from cyber threats.
While attacks targeting OT networks have historically been infrequent, the Colonial Pipeline incident prompted a warning from CISA regarding a growing danger to critical infrastructure operators.
Vulnerabilities in Embedded Devices
Current security research highlights the risks associated with embedded devices within OT networks. Red Balloon Security, a specialist in embedded device security, has demonstrated the feasibility of deploying ransomware on these systems.
Their research identified vulnerabilities in the Schneider Electric Easergy P5 protection relay, a crucial component for maintaining the stability of electric grids by activating circuit breakers in response to faults.
Exploitation of this vulnerability could enable the deployment of a ransomware payload, a process Red Balloon characterized as both “sophisticated” and “reproducible.” Schneider Electric responded swiftly, stating their commitment to cybersecurity and immediate action to address the identified vulnerabilities.
The Greater Impact of OT Compromises
Ang Cui, co-CEO of Red Balloon, emphasized that a successful compromise of an OT embedded device can be considerably more damaging than attacks on traditional IT networks.
“Organizations lack the experience and procedures for recovering from attacks directly targeting embedded devices,” Cui explained. “Replacement devices may take weeks to procure due to limited availability if a device is rendered unusable.”
The Weaknesses of Legacy Systems
Window Snyder, a security veteran and founder of an IoT security startup, noted that embedded devices are becoming increasingly attractive targets as other attack vectors are hardened.
Many embedded systems lack fundamental security features, such as privilege separation and code/data separation. Furthermore, they were often designed with the assumption of operating on isolated, air-gapped networks, a condition that is no longer reliably met.
Calls for Enhanced Security Standards
Red Balloon Security argues that the security measures currently implemented in these devices – many of which are decades old – require substantial improvement. They advocate for end-users to demand higher security standards from device vendors.
“Relying solely on firmware updates is a reactive and inefficient approach,” stated Cui. “Vendors must prioritize security at the embedded device level.” He also called for increased government regulation and incentives for manufacturers to build more secure devices.
The Role of Resilience and Compartmentalization
Snyder, however, expressed skepticism about the effectiveness of a regulation-driven approach. She believes that reducing the attack surface and enhancing compartmentalization are more crucial.
“We won’t regulate our way to more secure devices,” Snyder asserted. “Building resilience into these systems is paramount.”