Researchers recently discovered a cryptomining malware attack that spread to a number of workstations at a major international airport in Europe. The malware, designed to evade discovery, was detected by only 16 out of 73 tools available in VirusTotal, an online service specializing in analyzing files and web locations for malicious content.
The abnormal behavior of the infected systems went unnoticed for months, with only minor performance impacts that didn’t raise any red flags for airport personnel. This behavior is typical for cryptominers, a type of software that attaches itself to a host device and uses its computing power to mine cryptocurrency for the attacker. Its stealthy operation makes it more difficult to detect than ransomware, which is a much more visible threat.
The researchers couldn’t determine the source of the original attack or the system through which it entered. Luckily, the purpose of this particular operation was only to mine cryptocurrency. However, the fact that attackers were able to infiltrate a major airport network remotely and access 50% of its workstations while remaining undetected should be a red alert for the aviation sector as a whole, given that it’s a critical and potentially lucrative target for hackers and state-sponsored cyber warfare initiatives.
The stability of operations is an airport’s #1 priority, and attackers can often find their way into the OT network via IT connections. Disrupting the operations of any airport building network, even for a couple of hours, could result in millions of dollars of lost revenue for airlines and related vendors. Additionally, air transport consists of exceedingly complex operations that orchestrate a multitude of critical IT and OT systems, including air traffic management (ATM), air fleet management, apron and tarmac operations, airline operations center (AOC) networks, luggage and goods management, surveillance and many others.
That is why it is fundamental to reduce cyber risk as much as possible through a multi-factor approach:
- It is crucial to establish complete visibility and control on the network. The Center for Internet Security (CIS) Top 20 Controls provide good guidance: control starts with a thorough inventory of devices, followed by secure configuration and continuous vulnerability assessment. The CIS Controls also suggest further limiting the exposure of network ports and services. Forescout offers a unified device visibility and control platform for converging IT and OT networks, enabling organizations to gain complete visibility of all IP-connected devices in their environment and to orchestrate actions that mitigate their cyber and operational risk. Extensive data gathered from countless sources over the years makes it easier to recognize known threats and to spot possible previously unknown ones, while the platform maintains ecosystem integration with many inline products and tools.
- A defense-in-depth strategy and proper network segmentation will help lower the risk of IT malware spreading into OT networks. Do not forget to apply recognized design strategies, like IEC 62443/ISA99, with secure remote access to separate the control layer from the engineering layers.
- Analyze your normal network and OT protocol communications to identify anomalous behavior that could be worth investigating. Network whitelisting and protocol deep packet inspection, in conjunction with host-based application whitelisting, can be invaluable.
- Nowadays, smart behavioral monitoring combined with threat intelligence is crucial to detect advanced threats and zero-day attacks, to efficiently measure the risk posture of your network, and to support the adoption of threat hunting techniques.
- The next step should include conducting tabletop and/or controlled red team exercises to assess your current security posture and ability to respond to cyber threats. Simulating multiple attack scenarios (in safe, non-production environments) can teach teams how to detect, analyze, and recover from those threats, improving awareness and ability to respond to real-life incidents.
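As an added example of the network whitelisting item above (example code written for this page, not code from the original post or from Forescout), the following script learns a baseline of observed communications from a known-good window of flow records, then reviews later records against it. Every deviation is annotated with the kind of risk factor a monitoring tool would surface: a communication not in the baseline, a destination outside the organisation's address space, and use of a cleartext protocol. It also groups hosts that began talking to the same previously unseen destination, since several workstations sharing a new external peer is exactly the pattern that let the airport cryptominer go unnoticed on individual machines. The flow record format, the internal address ranges, the port table and all sample records are constructed for the example.

```python
"""
Added example: baseline ("whitelist") learning plus deviation review over
constructed flow records. Not from the original post or from Forescout.
Record format (an assumption for this example):
    <timestamp> <src> <dst> <dport> <proto> <bytes>
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed for this example: address ranges treated as "internal".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Cleartext services that count as an "insecure protocol" risk factor.
INSECURE_PORTS = {21: "ftp", 23: "telnet"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_log(text):
    """Parse constructed flow records into Flow objects, preserving order."""
    flows = []
    for line in text.strip().splitlines():
        _ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(src, dst, int(dport), proto, int(nbytes)))
    return flows


def learn_baseline(flows):
    """Whitelist = every (src, dst, dport, proto) seen in the known-good window."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def review(baseline, flows):
    """Return [(flow, [risk factors])] for every flow that deviates from the
    baseline or carries a risk factor worth an analyst's attention."""
    findings = []
    for f in flows:
        factors = []
        if (f.src, f.dst, f.dport, f.proto) not in baseline:
            factors.append("not-in-baseline")
        if not is_internal(f.dst):
            factors.append("external-destination")
        if f.dport in INSECURE_PORTS:
            factors.append(f"insecure-protocol:{INSECURE_PORTS[f.dport]}")
        if factors:
            findings.append((f, factors))
    return findings


def shared_new_destinations(findings):
    """Destinations outside the baseline that more than one host started
    contacting: one odd workstation is a ticket, a cluster is a campaign."""
    by_dst = defaultdict(set)
    for f, factors in findings:
        if "not-in-baseline" in factors:
            by_dst[f.dst].add(f.src)
    return {dst: srcs for dst, srcs in by_dst.items() if len(srcs) > 1}


# Constructed sample data: a quiet business-hours window used as the baseline...
BASELINE_LOG = """
2019-10-01T08:00:01 10.1.1.10 10.1.2.20 445 tcp 120000
2019-10-01T08:00:05 10.1.1.10 10.1.3.5 53 udp 300
2019-10-01T08:01:00 10.1.1.11 10.1.2.20 445 tcp 98000
2019-10-01T08:02:00 10.1.1.11 10.1.3.5 53 udp 280
2019-10-01T08:03:00 10.1.1.12 10.1.2.21 502 tcp 4000
"""

# ...and a later night-time window in which two workstations hold long,
# high-volume sessions with the same unknown external host (203.0.113.0/24 is
# a documentation range) and a third opens a cleartext telnet session.
REVIEW_LOG = """
2019-12-01T03:14:07 10.1.1.10 10.1.2.20 445 tcp 110000
2019-12-01T03:14:20 10.1.1.10 203.0.113.45 3333 tcp 5200000
2019-12-01T03:15:00 10.1.1.11 203.0.113.45 3333 tcp 4900000
2019-12-01T03:16:00 10.1.1.12 10.1.2.21 502 tcp 4100
2019-12-01T03:17:00 10.1.1.12 10.1.2.30 23 tcp 900
"""

if __name__ == "__main__":
    baseline = learn_baseline(parse_log(BASELINE_LOG))
    findings = review(baseline, parse_log(REVIEW_LOG))
    for flow, factors in findings:
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {', '.join(factors)}")
    for dst, srcs in shared_new_destinations(findings).items():
        print(f"shared new destination {dst} contacted by {sorted(srcs)}")
```

The baseline is deliberately strict (exact four-tuples), which is workable for OT segments whose communication patterns are static and would need a learning period plus an allow-list of known-variable services (DNS resolvers, update servers) before being applied to an office network. The point is the structure: a whitelist learned from observed traffic, deviations tagged with the factors that matter, and cross-host correlation so that the same new peer on several machines is surfaced as one event rather than several low-priority alerts.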
Securing all these systems is no small feat, and defending them against attacks should be taken very seriously, as hackers are getting better at endangering this highly sensitive ecosystem. All of this happens while the aviation industry is navigating heavy regulation and the heterogeneity of the technology available in cybersecurity. The differing interests of various stakeholders can make investing in the right technology a complicated task that requires balancing security budgets against the foreseeable risk.
It’s important to underline the amount of information these tools produce. They can alert on network changes and potential security or operational threats, vulnerabilities and insecure protocols, connectivity with external networks, and proximity to potentially infected devices. These are all important factors that need to be taken into consideration when assessing the risk posture of a network.
Currently, most of the available tools can only look at these factors independently, but the Forescout SilentDefense Asset Risk Framework can help solve this problem. It’s the first network security monitoring tool that puts together relevant risk factors to determine current risk posture and provides two impact-based risk scores for every monitored device, a security risk score and an operational risk score.
Users don’t have to separately access alerts, vulnerabilities, and communication information statistics to connect the dots on their own anymore. Instead, they can quickly access their asset inventory and start an investigation from there with the help of powerful filtering capabilities.
Want to learn more? Join our expert, Luca Barba, on November 5th at the Aviation Cyber Security Summit 2019 in London. He will participate in the panel discussion on the Current State of Threat Detection, where he will discuss the maturity of the OT threat detection market, security investment decisions versus risk, and available solutions.
To learn more about how the Asset Risk Framework works, watch the short video below.