Are embedded devices the next target for ransomware? – Tech Crunch
2021 will be remembered as the year ransomware gangs turned their attention to critical infrastructure, targeting companies built around manufacturing, energy distribution and food production.
The Colonial Pipeline ransomware attack alone caused the shutdown of 5,500 miles of pipeline over fears that the attack on the company’s computer network would spread to the operational network that controls the fuel distribution pipeline.
Operational Technology (OT) networks control the devices essential to the continued operations of production lines, power plants and energy supplies, and as such are usually segmented from a company’s internet-facing computer networks to better isolate critical hardware from cyberattacks. Successful attacks against OT networks are rare, but following the Colonial ransomware attack, CISA warned of a growing threat for critical infrastructure owners.
Today, security researchers are warning of the risks posed by embedded devices that sit on these OT networks. Red Balloon Security, a security provider for in-vehicle devices, has found in a new study that it is possible to deploy ransomware on embedded systems used in real-world networks.
The company said it discovered vulnerabilities in the Schneider Electric Easergy P5 protection relay, a device critical to the operation and stability of modern electrical networks because it trips circuit breakers if a fault is discovered.
The vulnerability could be exploited to deploy a ransomware payload, a “sophisticated but repeatable” process that Red Balloon said it had carried out. A Schneider Electric spokesperson told TechCrunch “it is extremely vigilant against cyber threats” and that “after learning of the vulnerabilities in the Schneider Electric Easergy P5 protection relay, we immediately worked to resolve them.”
Ang Cui, founder and co-CEO of Red Balloon, told TechCrunch that while ransomware attacks have hit the IT networks of critical infrastructure providers, the successful compromise of an OT embedded device can be “much more damaging.”
“Companies don’t have the habit or experience of recovering from an attack on the embedded devices themselves,” he said. “If the device is destroyed or rendered unrecoverable, a replacement device must be found, and this can take weeks as supplies are limited.”
Security veteran Window Snyder, who launched a startup last year to help IoT makers reliably and securely deliver software updates to their devices, said embedded devices could become an easy target, especially as other entry points become more resilient.
Speaking of embedded systems: “A lot of them don’t have privilege separation, a lot of them don’t have code/data separation, and a lot of them were developed with the idea that they would be sitting on the isolated networks – that’s insufficient,” Snyder told TechCrunch.
Red Balloon says its research shows that the security built into these devices – many of which date back decades – needs to be improved, and calls on end users in government and commercial sectors to demand higher standards from the suppliers who make these devices.
“Releasing firmware patches is a reactive and inefficient approach that will not solve the overall insecurity of our most critical industries and services,” Cui said. “Vendors need to bring more security to embedded devices.” He also believes that more work needs to be done by the US government at the regulatory level, and thinks that more pressure needs to be put on device manufacturers, who currently have no incentive to tighten security at the level of the device.
Snyder, however, thinks a regulation-driven approach is unlikely to help: “I think the thing that helps the most is reducing the attack surface and increasing compartmentalization,” she says. “We’re not going to regulate our release of more secure devices. Somebody has to go out there and build resilience in them.”