Attack Vector - Securing AV Control Systems Using CISA/NSA Cybersecurity Advisory Recommendations
By now, many readers have heard about the emerging cyberthreats targeting critical infrastructure. Did you know the same cybercriminal tactics can be used to attack AV control systems? Typical cyber security policy is about IP networks; it does not address AV systems that use serial, contact closure, or other classic 4-wire AV control busses like AXlink or Cresnet. Learning the Tactics, Techniques, and Procedures (TTPs) of industrial control cyber attackers may help the AV industry see how vulnerable their classic AV control systems really are.
Oftentimes, a malicious actor may compromise enterprise IT networks and steal control system related information. Procurement documents, engineering specifications, and software configurations may be stored in corporate folders. In audiovisual terms, this could be signal flow diagrams showing the wiring, control system code, engineering libraries, and templates.
Any sort of wiring diagram, pinout, or cable pull schedule is valuable information to a cyber attacker.
But aren’t the pinouts readily available online? Yes and no; some are limited to a vendor portal / login.
So, imagine a malicious actor has access to an AV control system wiring diagram, including IP addresses. Next, the malicious actor could order the same components shown on the diagram and wire up a mock system. With a mock control system in place, the malicious actor could find ways to exploit the components. Once an exploitable vulnerability is found, the malicious actor gains access to the real AV system, often using a combination of social engineering and the static passwords that are used for maintaining the system.
In the old days, AV control system code was part of what an old coworker used to call “The Realm of Secret Knowledge”; in reality, source code was often stored locally on a laptop. Nowadays information about the technologies used in control systems is widely available, and code is often shared in groups. Knowledge that was once limited to control system programmers and savvy AV engineers has become easily available as AV control technologies move into more of the IT / Python / GitHub communities.
“Control system vendors, in conjunction with the owner/operator community, have continually optimized and reduced the cost of engineering, operating, and maintaining control systems by incorporating more commodity IT components and technologies in some parts of OT environments. These advancements can make more information about some systems easily available, thereby increasing the risk of cyber exploitation. [...]
As the control system community has incorporated commodity IT and modernized OT, the community has simplified the tools, techniques, scripts, and software packages used in control systems. As a result, a multitude of convenient tools are readily available to exploit IT and OT systems.”
- Control System Defense: Know the Opponent | CISA (Sep 2022 v1.0)
In 2019, I wrote an article for Commercial Integrator where I helped to squash some myths about industrial control systems (ICS) security protocols. I used the Stuxnet worm to illustrate how air-gapping and security by obscurity do not work, as the attackers targeted specific PLCs (programmable logic controllers) used for nuclear centrifuges. I talked about how the Target attackers used custom malware that was unrecognizable by standard anti-virus software, and exploited a previously unknown flaw (a.k.a. zero-day vulnerability) in what was then traditional retailer point-of-sale encryption.
But more importantly, the hackers infiltrated Target’s internal systems using the stolen credentials of a third-party HVAC contractor, obtained through an email phishing attack, which is our biggest vulnerability. I say “our” because I mean me, you, the readers, the industry, my company, and our clients. Phishing is the most likely attack vector for any cybercriminal attacking an AV manufacturer, distributor, integrator, or client, and the Uber hack shows how even MFA cannot stop the social engineering. Once inside, the hacker can obtain information about our client’s projects, including CAD.
This is where the principles of Least Route and Least Privilege should help stop attackers from traversing your network laterally.
Least Privilege means that users or services should only be given the minimum access required to do their job.
Similarly, the principle of Least Route states that a device should only possess the minimum level of network access that is required for its individual function. If an attacker has compromised one login, that should not amount to a massive breach. This is also why you never want to use shared passwords or common passwords among devices / logins. Apply a defense-in-depth approach, and make it difficult for the attacker.
Let’s take some of the recent ICS/OT recommendations from CISA and apply them to our AV systems.
Limit exposure of system information
The data of our clients, their clients, and their operational and system information and configuration data is valuable to a lot of malicious actors, or at minimum, to their competitors. The need to keep such data confidential cannot be overstated. To the extent possible, avoid disclosing information about your clients’ system hardware, firmware, and software in any public forum. Incorporate information security and privacy education into training for AV people. Limit information that is sent to the internet. Also, think ahead, and limit future new connections to your systems by disabling unused ports and services.
While it is important to document the as-built conditions, it is equally important to secure access to the as-built documents. This may seem counter to what many AV integrators have been doing with as-builts.
Identify and secure all wireless access points
Integrators and owners must maintain detailed knowledge of all installed AV systems, including which wireless access points (WAPs) are—or could be—operating in the control system network. Many AV devices have built-in WAPs; vendor-provided devices maintain these access capabilities as an auxiliary function and may have services that automatically ‘phone home’ in an attempt to register and update software or firmware. A vendor may also have multiple access points to cover different tasks. CISA included the following recommendations in the recent advisory to improve the security posture of these access points:
- Reduce the attack surface by proactively limiting and hardening Internet-exposed assets.
- Establish a firewall and a demilitarized zone (DMZ) between the control system and devices.
- Consider using virtual private networks (VPNs) at specific points to and from the system rather than allowing separate access points for individual devices.
- Utilize jump boxes to isolate and monitor access to the system.
- Ensure that data can only flow outward from the system – administratively and physically. Use encrypted links to exchange data outside of the system.
- If an AV device does not use its access points, ensure they are not active. Use strict hardware, software, and administrative techniques to prevent them from becoming covertly active.
- Do not allow vendor-provided system access devices and software to operate continuously in the system without full awareness of their security posture and access logs.
- Review configurations to ensure they are configured securely. Operators typically focus on necessary functionality, so properly securing the configurations and remote access may be overlooked.
- Consider penetration testing to validate the system’s security posture and any unknown accesses or access vulnerabilities.
- Add additional security features to the system as needed. Do not assume that one vendor has a monopoly on the security of their equipment; other vendors may produce security features to fill gaps.
- Change all default passwords throughout the system and update any products with hard-coded passwords, especially in all remote access and security components.
- Patch known exploited vulnerabilities whenever possible. Prioritize timely patching of all remote access points. Keep operating systems, firewalls, and all security features up-to-date.
- Continually monitor remote access logs for suspicious accesses. Securely aggregate logs for easier monitoring.
Additional recommendations and mitigations
The report goes on to suggest limiting access to network and control system application tools and scripts to legitimate users performing legitimate tasks on the control system. Monitor all IDS and system logs.
The owner/operator cannot solely depend on the views, options, and guidance of the vendor/integrator that designed, developed, or sold the system. Therefore, the owner or designer of the control system should consider performing an independent security audit of the system, especially of third-party vendor access points and systems.
Typical steps in a control system audit may include:
- Validate all connections (e.g., network, serial, modem, wireless, etc.).
- Review system software patching procedures.
- Confirm secure storage of gold copies (e.g., OS, firmware, patches, configurations, etc.).
- Verify removal from the system of all non-critical software, services, and tools.
- Audit the full asset inventory.
- Implement CISA ICS mitigations and best practices.
- Monitor system logs and intrusion detection system (IDS) logs.*
*Monitoring of access logs, system changes, IDS logs, and other tracking data should be performed continuously, with a deeper look at this data during periodic audits.
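To make the audit steps above concrete (validating connections against the asset inventory, and monitoring remote access logs for accesses that violate Least Route or still use default accounts), here is a small audit helper written for this article; it is an added example, not code from CISA or from any AV vendor. The device names, IP addresses, management subnet, port-scan results and the log line format are all constructed for illustration.

```python
import ipaddress
import re

# Constructed inventory (made-up names/IPs): the ports each device is expected
# to expose and the only network (Least Route) allowed to administer it.
INVENTORY = {
    "ctrl-proc-01": {"ip": "10.20.1.10", "ports": {22, 443}, "mgmt_net": "10.20.5.0/24"},
    "dsp-01": {"ip": "10.20.1.20", "ports": {443}, "mgmt_net": "10.20.5.0/24"},
    "touchpanel-01": {"ip": "10.20.1.30", "ports": set(), "mgmt_net": "10.20.5.0/24"},
}
DEFAULT_ACCOUNTS = {"admin", "root"}  # vendor-default names that should have been retired

# Constructed sample data: a port-scan summary and remote-access log lines.
OBSERVED = [("10.20.1.10", 22), ("10.20.1.10", 23), ("10.20.1.30", 80), ("10.20.9.99", 443)]
LOGS = [
    "2024-05-01T09:00:00Z host=ctrl-proc-01 src=10.20.5.7 user=avtech result=success",
    "2024-05-01T09:05:00Z host=ctrl-proc-01 src=192.168.88.4 user=admin result=success",
    "2024-05-01T09:06:00Z host=dsp-01 src=10.20.5.7 user=admin result=failure",
]
LOG_RE = re.compile(r"host=(\S+) src=(\S+) user=(\S+) result=(\S+)")

def audit_exposed_services(inventory, observed):
    """Flag listening (ip, port) pairs the inventory does not expect (e.g. an unused access point)."""
    by_ip = {d["ip"]: (name, d["ports"]) for name, d in inventory.items()}
    findings = []
    for ip, port in observed:
        if ip not in by_ip:
            findings.append(f"unknown device {ip}:{port} not in asset inventory")
        elif port not in by_ip[ip][1]:
            findings.append(f"{by_ip[ip][0]} exposes unexpected port {port}")
    return findings

def audit_remote_access(inventory, log_lines):
    """Flag logins from outside a device's management network (Least Route)
    and successful logins that still use a vendor-default account name."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # ignore lines that are not access records
        host, src, user, result = m.groups()
        dev = inventory.get(host)
        if dev is None:
            findings.append(f"login on host {host} missing from asset inventory")
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(dev["mgmt_net"]):
            findings.append(f"{host}: {result} login by {user} from {src} outside {dev['mgmt_net']}")
        if result == "success" and user in DEFAULT_ACCOUNTS:
            findings.append(f"{host}: default account {user!r} still in use")
    return findings
```

Run against the constructed data it reports an unexpected telnet port on the control processor, a web port on a touch panel that should expose nothing, a device missing from the inventory, a login from outside the management subnet, and a default account still in use.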
Last but not least, you should implement a dynamic network, replacing old static IP address pools that may have been leaked during undiscovered breaches. Update old hardware that is no longer supported.