Closed Networks Exposed: Signed, Sealed and Yet Malware Still Delivered
Closed, zero-trust, and segmented networks are never truly inaccessible to unauthorized people. These networks are built to protect critical infrastructure, much of it in industrial control systems. While they provide a critical foundation of security, we know that these closed-off networks are still penetrable.
Some of the worst security breaches of 2021 have taught us this lesson the hard way. In February the Oldsmar water plant in Florida was attacked: the attackers bypassed the closed network and gained access to the industrial control systems. They adjusted the pH of the city's water supply to dangerously high levels by increasing the sodium hydroxide (lye) level 100 times.
Again in May, Colonial Pipeline was successfully targeted in a ransomware attack. The attackers, whose intrusion forced one of the nation's largest fuel pipeline operators to shut down its entire network, got in through a VPN (a Virtual Private Network, a tunnel between a private network and remote systems) using password credentials that had been leaked onto the dark web.
While there are closed networks that are truly air-gapped, they are extremely rare and tend to exist only in the most sensitive nation-state departments. This is because they are difficult to build, even more difficult to maintain, and extremely cumbersome to work with.
Intentionally closed networks are designed to allow some level of operational flexibility, but this comes with an adverse impact on security. Below we address several ways in which closed or segmented networks, designed to enforce the most stringent levels of zero-trust security, can still be breached.
Inescapable Attack Surfaces
It is incorrect to classify these networks as "closed" in the sense of being thoroughly air-gapped. There is always some form of vulnerability that enables attackers to infiltrate. These vulnerabilities can exist across multiple attack surfaces: WiFi, BLE, Zigbee, router software, network protocols and more.
Trading Off on Security for Flexibility
IT staff often feel pressure to disregard security concerns in favor of more flexible business operations. In fact, a new survey found that 91% of IT teams felt "forced" to trade security for business operations as employees moved to working from home, increasing the demand to keep operations ticking over. When that balance between enforcing security controls and enabling operational flexibility tips toward flexibility, a closed network can be penetrated. Security controls that are not properly enforced create a window of opportunity through which malware can seep past the firewall and into the closed network.
Exposure to the Wide Area Network (WAN)
IoT products are developed on the assumption that the networks they operate within will be closed, with the devices exposed only to the local area network (LAN). In reality, however, IoT devices are inevitably exposed to the WAN because of insecure and misconfigured firewall settings.
Methods to Bypass the Network Address Translation (NAT)
Network Address Translation (NAT) maps a private IP range to the LAN devices behind the router: every device in the network is assigned its own LAN IP address, and the router routes incoming traffic to the correct LAN device. This makes it harder for an attacker to connect to and target a LAN device directly; unfortunately, there are multiple techniques to bypass NAT. One example is NAT Slipstreaming v2.0, which allows an attacker to remotely access any TCP/UDP service held behind the victim's NAT. Another is the UPnProxy: EternalSilence vulnerability discovered by Akamai's Security Intelligence and Threat Research Center.
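A defender's counterpart to the UPnProxy case above is to list the router's UPnP port mappings and flag the ones that forward a WAN port to a host outside the LAN or to SMB. The following is an added example, not Firedome's or Akamai's code; the SOAP responses are constructed samples shaped like a router's GetGenericPortMappingEntry replies, and the LAN range 192.168.1.0/24 is an assumption.

```python
"""Audit UPnP IGD port mappings for injected forwards (added example, not
Firedome's code). A router that exposes its UPnP control URL to the WAN can
have mappings injected that forward an external port to any host (UPnProxy);
listing the mappings and flagging the odd ones is how a defender spots it."""
import ipaddress
import xml.etree.ElementTree as ET

NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
SMB_PORTS = {139, 445}  # EternalSilence aims its injected mappings at SMB

def _entry(ext, int_port, client, desc):
    """Constructed GetGenericPortMappingEntryResponse, shaped like a router's
    reply; a real audit would fetch these from the router's control URL."""
    return (f'<u:GetGenericPortMappingEntryResponse xmlns:u="{NS}">'
            f"<NewExternalPort>{ext}</NewExternalPort><NewProtocol>TCP</NewProtocol>"
            f"<NewInternalPort>{int_port}</NewInternalPort>"
            f"<NewInternalClient>{client}</NewInternalClient>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            "</u:GetGenericPortMappingEntryResponse>")

# Constructed sample: a legitimate mapping, one exposing SMB on a LAN host,
# and one forwarding to an Internet host (the UPnProxy signature).
SAMPLE = [_entry(8080, 80, "192.168.1.20", "camera-web"),
          _entry(41000, 445, "192.168.1.30", "nas"),
          _entry(41001, 445, "198.51.100.7", "proxy")]

def parse_mapping(xml_text):
    """Extract the fields of one GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)
    return {"ext_port": int(root.findtext("NewExternalPort")),
            "int_port": int(root.findtext("NewInternalPort")),
            "client": root.findtext("NewInternalClient"),
            "desc": root.findtext("NewPortMappingDescription") or ""}

def audit_mappings(entries, lan="192.168.1.0/24"):
    """Return (ext_port, client, int_port, reasons) for each suspicious mapping."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    findings = []
    for xml_text in entries:
        m = parse_mapping(xml_text)
        reasons = []
        if ipaddress.ip_address(m["client"]) not in lan_net:
            reasons.append("internal client outside LAN")
        if m["int_port"] in SMB_PORTS:
            reasons.append("exposes SMB to the WAN")
        if reasons:
            findings.append((m["ext_port"], m["client"], m["int_port"], tuple(reasons)))
    return findings
```

Any mapping whose internal client is not on the LAN is the tell-tale sign of a router being used as a proxy; the fix is to disable UPnP on the WAN side and remove the injected entries.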
Susceptibility to Supply Chain Attacks
Closed networks are still susceptible to compromise through supply chain attacks, in which an unknown component is implanted into a device during the manufacturing supply chain process. Such components give attackers backdoor access to a network, and the methods vary widely: spy chips can be embedded into hardware for as little as $200. In fact, China was found using a tiny chip, literally the size of a pencil tip, to spy on almost 30 US companies.
Critical Infrastructure Still Requires Embedded Security
Once attackers are inside a closed or segmented network, they scan it for open ports and try to infect the devices that are still insufficiently secured. Manufacturers developing industrial IoT devices that serve as critical infrastructure and must be placed within a closed network need a proactive security agent that is embedded in the device and able to detect threats in real time. By installing a security solution such as the Firedome IoT endpoint agent, IoT brands can protect their device and prevent it from being targeted as the most susceptible device in the network. Furthermore, the Firedome agent can scan the closed network for suspicious activity and detect which devices on the network are vulnerable to attack.