Defense In Depth: Common Cybersecurity Threats
Author’s Note: Our Defense In Depth series will demonstrate how, over the past several years, Corso Systems has helped companies implement security. The series includes relatively easy best practices like securing your systems with user accounts, and segmenting your network with firewalls so that only the traffic that actually needs to move between each part of your operation can. We will also discuss more complex technologies such as threat detection, and backups/disaster recovery so you can get back up and running even in the worst case scenarios.
One of the things a lot of cybersecurity education is missing is what you are protecting yourself against in the first place. Yes, everyone knows they should be “better” at cybersecurity: harden network infrastructure, protect Operational Technology (OT) assets like PLCs and SCADA systems, protect sensitive databases, and keep more stringent backups.
While there are numerous threats to manufacturing companies and critical infrastructure facilities, knowing where you might be most vulnerable to attack is a good place to start. It can help you better mitigate the largest risks you face, focus employee training to reduce the human risks involved in any system, and develop a plan to improve your approach to cybersecurity piece by piece.
While the risks to your systems are real and can be quite scary, implementing a plan to mitigate them and improving your threat management and prevention systems doesn’t need to be scary. Cisco has a great report on the most common types of cybersecurity threats. That report, combined with our own experience of being on the receiving end of many of these attacks and of working with customers who have dealt with them directly, led to this post.
This post covers the most common cybersecurity threats to manufacturing companies and critical infrastructure facilities.
Information Based Attacks
One of the most common cybersecurity threats is the information based attack. The goal is to obtain information, typically financial information like credit card numbers, or login credentials to critical systems. These attacks usually take the form of phishing: a message that impersonates a trusted colleague or vendor and preys on people’s curiosity and willingness to drop their guard, to the point that they open a malicious attachment or click a malicious link, opening the door for the attacker’s malware to be installed on their system.
These phishing attacks will also usually try to install some sort of trojan or backdoor so the attacker can return to your systems at will.
Information based phishing attacks are very high risk due to the human component of cybersecurity, and can also be very high reward for attackers given the sensitive nature of the information they are seeking to obtain.
On top of improved employee awareness of cybersecurity threats, using the best practices covered in the rest of the Defense In Depth series will help keep you and your systems safe.
Financial Based Attacks
A very common threat that is extremely high reward for attackers is the ransomware attack. The main idea is that an attacker gains access to your systems, likely through a phishing attack, installs software that takes over your systems and data, encrypts it so you no longer have access to it, and leaves a note extorting you to pay to restore access. Many ransomware groups also copy data out before encrypting it and threaten to publish it if you don’t pay, so restoring from backup gets you running again but does not undo the disclosure.
Sadly we have seen this type of attack play out many times over the years across many different industries. The main defense against these attacks is prevention. If your employees follow cybersecurity best practices, don’t open attachments from unknown senders, and do some due diligence before opening attachments from known senders, you will mitigate a lot of the risk of a ransomware attack. Beyond preventing the initial foothold, the best practices laid out in our Defense in Depth series will make it difficult for attackers to reach your data even if one system is breached. If you also have a regular backup system in place, kept where the attacker cannot reach it (offline, or otherwise write-protected, since ransomware will happily encrypt a backup share it can see), you can restore your systems to a known state and bypass the attack entirely, provided you have done the work of cleaning or replacing any affected computers before restoring.
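The “due diligence before opening attachments” step above (and the impersonated-colleague lure described under Information Based Attacks) can be partly automated. The following is an added example, not Corso Systems’ code or tooling: a small triage routine that flags the common tells of a phishing e-mail before anyone double-clicks. The trusted domain `example-plant.com`, the extension lists and the sample messages in the test are all constructed for illustration.

```python
"""Inbound e-mail triage: flag the signs of a phishing message before anyone opens
the attachment. Added example, not Corso Systems' code. The trusted domain, the
extension lists and the sample messages are constructed for illustration."""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional, Set

# Assumption: the company's own mail domain(s). Anything that merely *looks like*
# one of these is the classic "trusted colleague" lure.
TRUSTED_DOMAINS: Set[str] = {"example-plant.com"}

RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".img", ".lnk",
                    ".bat", ".cmd", ".ps1", ".html", ".htm"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


@dataclass
class Message:
    from_header: str                  # raw From: header, e.g. 'Bob Smith <bob@example-plant.com>'
    reply_to: Optional[str] = None    # raw Reply-To: header, if present
    attachments: List[str] = field(default_factory=list)  # attachment file names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch examp1e-plant.com or example-plant.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if genuine or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        base = t.rsplit(".", 1)[0]          # 'example-plant'
        if base in domain or edit_distance(domain, t) <= 2:
            return t
    return None


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(msg: Message, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return a list of red flags. Empty means 'nothing obvious', not 'safe'."""
    findings: List[str] = []
    display, addr = parseaddr(msg.from_header)
    sender_domain = domain_of(addr)

    if "@" not in addr:
        findings.append("From header has no usable address")
    else:
        imitated = lookalike_of(sender_domain, trusted)
        if imitated:
            findings.append(f"sender domain {sender_domain!r} imitates {imitated!r}")
    # 'bob@example-plant.com <attacker@evil.net>': the name shows one address, the envelope another
    if "@" in display and domain_of(display) != sender_domain:
        findings.append("display name contains an address that differs from the real sender")
    if msg.reply_to:
        reply_domain = domain_of(parseaddr(msg.reply_to)[1])
        if reply_domain != sender_domain:
            findings.append(f"Reply-To goes to {reply_domain!r}, not {sender_domain!r}")

    for name in msg.attachments:
        parts = name.lower().split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} is an executable or script ({ext})")
        if ext in MACRO_EXTENSIONS:
            findings.append(f"attachment {name!r} is a macro-enabled Office file")
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"attachment {name!r} hides its real type behind a double extension")
    return findings
```

Run `triage()` over messages pulled from your mail system (or wire it into a mail filter) and route anything with findings to a person rather than to the recipient’s inbox. The lookalike check is deliberately crude; it catches the typosquats and “trusted-domain.evil.net” tricks that do most of the damage in practice, but it is a complement to employee awareness, not a replacement for it.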
We have also seen small wastewater companies become victims of these types of attacks when an attacker gains access to an otherwise unsecured remote pump station. In one instance the attackers were able to access the company’s QuickBooks and banking systems, draining their accounts before anyone knew they were in the system.
This type of attack can easily be thwarted with better network segmentation and firewalls, and with a publish/subscribe tool like MQTT: the pump station only needs a single outbound connection to a broker, so it never needs an inbound connection from the internet and never needs a route to the business network at all. Lock the remote site down to exactly that, and a compromised pump station is a dead end rather than a path to the bank account.
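As an added illustration (not Corso Systems’ configuration or any real site’s), here is what that lockdown looks like as a ruleset on the router at the remote pump station, written in Linux nftables syntax; a commercial firewall expresses the same policy in its own language. The interface names, the addresses and the placement of the MQTT broker in a DMZ are assumptions. The pump station may open one outbound TLS connection to the broker and nothing else, nothing inbound is accepted, and the business network is explicitly unreachable.

```nft
# Remote pump-station router policy (added example; interfaces, addresses and
# the DMZ broker are assumptions, not a real deployment).
define OT_IF   = "eth0"            # pump-station LAN
define WAN_IF  = "eth1"            # cellular / WAN uplink
define OT_NET  = 10.50.1.0/24      # pump-station devices
define BROKER  = 203.0.113.10      # MQTT broker in the DMZ (TEST-NET address)
define BIZ_NET = 192.168.10.0/24   # business network: never a valid destination

table inet pumpstation {
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny

        ct state established,related accept   # replies to connections *we* opened
        ct state invalid drop

        # The only connection the pump station initiates: MQTT over TLS to the broker.
        iifname $OT_IF oifname $WAN_IF ip saddr $OT_NET ip daddr $BROKER \
            tcp dport 8883 ct state new accept

        # Spell out the business-network ban so it survives future "just this once" edits.
        ip daddr $BIZ_NET drop

        # Anything else (vendor remote access, RDP/VNC to the HMI, Modbus from the
        # internet) falls through to the drop policy; log a sample of it.
        limit rate 10/second log prefix "pumpstation-fwd-drop "
    }

    chain input {
        type filter hook input priority 0; policy drop;     # the router itself: nothing from the WAN
        ct state established,related accept
        iifname "lo" accept
        iifname $OT_IF tcp dport 22 accept   # admin SSH from the OT side only
    }

    # Deliberately no nat/prerouting chain: a dnat from $WAN_IF to the HMI is exactly
    # what "unsecured remote pump station" means in practice.
}
```

With this in place the business side talks only to the broker (subscribing to the station’s telemetry), never to the station, and an attacker who lands on the pump station has one TCP port to the broker and nowhere else to go. Remote engineering access, when it is genuinely needed, goes through a separately authenticated jump host rather than a hole in this table.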
Denial of Service Attacks
Denial of service attacks are a special kind of chaos attackers can inflict on your systems. Every couple of years large parts of the internet become unreachable at once when a distributed denial of service attack hits a major DNS or cloud hosting provider.
Essentially a denial of service attack is designed to completely overwhelm your systems: an attacker uses a botnet to hit your network with an unrelenting amount of traffic. This can be legitimate-looking requests to your website, or, if you have OT systems exposed to the internet, a flood of packets that takes those systems offline. There is only so much bandwidth on any given network, and only so many connections a device can track. On OT networks this is usually more than enough for normal operations, but the devices themselves (PLCs, RTUs, protocol gateways) have small network stacks that can be knocked over by a fraction of what a server would shrug off; some fall over under nothing more than an aggressive port scan. When a denial of service attack happens the system is overwhelmed and the traffic you actually want has no room to move across the network.
Like all of the cybersecurity threats, good network segmentation and security, combined with not exposing your OT systems to the internet, is a great first step to prevent them. Beyond prevention, network monitoring is important so you can shut down access from the botnet based on location and IP addresses before it completely overwhelms your systems. One caveat: blocking at your own firewall only helps while your upstream link still has capacity; if the attack saturates the link itself, the filtering has to happen upstream, at your ISP or a scrubbing service.
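The monitoring step above, as an added example that is not Corso Systems’ code: a sliding-window count of new connections from your firewall or flow logs that produces a block list of sources and a list of your own hosts under flood. The log line format, the thresholds, the address ranges and the traffic generated by `sample_log()` are all constructed for illustration. Two details matter in practice and are handled here: a distributed flood where every bot stays under the per-source threshold is still caught by the per-destination count, and your own SCADA server, which legitimately opens connections at a high rate, is never put on the block list.

```python
"""Flood detection over connection logs: which sources to block, and which of our
own hosts is under attack. Added example, not Corso Systems' code. The log format,
thresholds, address ranges and the traffic in sample_log() are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Assumption: our own OT address space. Never auto-block it, or the attacker's
# flood turns into a self-inflicted outage of the SCADA server.
NEVER_BLOCK = [ip_network("10.50.0.0/16")]

Event = Tuple[datetime, str, str, int]


def parse(lines) -> List[Event]:
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than guessed at
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def detect(events: List[Event], window: timedelta = timedelta(seconds=10),
           per_source_limit: int = 50, per_dest_limit: int = 200,
           never_block=NEVER_BLOCK) -> Dict[str, List[str]]:
    """Sliding-window counts of new connections.
    A source is flagged when it exceeds per_source_limit within any window.
    A destination is flagged on its aggregate rate, which is what catches a
    distributed flood where each individual bot stays under the per-source limit."""
    src_win = defaultdict(deque)
    dst_win = defaultdict(deque)
    flagged_src, flagged_dst = set(), set()
    for ts, src, dst, _dport in sorted(events):
        for key, wins, flagged, limit in ((src, src_win, flagged_src, per_source_limit),
                                          (dst, dst_win, flagged_dst, per_dest_limit)):
            q = wins[key]
            q.append(ts)
            while ts - q[0] > window:      # drop timestamps that fell out of the window
                q.popleft()
            if len(q) > limit:
                flagged.add(key)
    internal = {s for s in flagged_src if any(ip_address(s) in n for n in never_block)}
    return {
        "block": sorted(flagged_src - internal),   # feed to the firewall's block list
        "internal_noisy": sorted(internal),        # investigate, do not block
        "flooded": sorted(flagged_dst),            # our hosts under attack
    }


def sample_log() -> List[str]:
    """Constructed traffic, not a real capture: three loud bots, a crowd of 150
    single-connection sources, and the SCADA server polling a PLC at 10 Hz."""
    base = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines: List[str] = []

    def add(offset_ms: int, src: str, dst: str = "10.50.1.20", dport: int = 502) -> None:
        ts = (base + timedelta(milliseconds=offset_ms)).isoformat().replace("+00:00", "Z")
        lines.append(f"{ts} src={src} dst={dst} dport={dport} proto=tcp")

    for i in range(120):                                   # 120 connections per bot in 9.6 s
        for bot in ("198.51.100.7", "198.51.100.8", "203.0.113.99"):
            add(i * 80, bot)
    for n in range(150):                                   # one connection each from 150 sources
        add(n * 60, f"192.0.2.{n + 1}")
    for i in range(80):                                    # legitimate Modbus polling, 10 Hz
        add(i * 100, "10.50.2.5")
    return lines


if __name__ == "__main__":
    print(detect(parse(sample_log())))
```

The thresholds have to be tuned to what your own pollers really do; a SCADA host that opens a new TCP session per poll will look like a flood to a naive limit, which is why the example reports it separately instead of blocking it. Feed `result["block"]` to the firewall (with an expiry, so a spoofed or recycled address does not stay blocked forever), and treat `result["flooded"]` as the cue to call your ISP if the uplink is the thing that is saturated.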
If you want to see how many OT systems are connected directly to the internet check out the amazing Shodan tool.
System Access Attacks
With the exception of denial of service attacks, the main goal of attackers is to gain access to your system, install software they can use to get in any time they wish, and dig deeper into your infrastructure to ultimately capture data and information.
Once an attacker has installed software on your systems it becomes much more difficult to root them out and get back to a secure state. This can be prevented by keeping systems segmented from one another, which limits the attacker’s access to the inner workings of your company, by taking advantage of network and threat monitoring tools, and by making sure virus protection is up to date.
Attackers will attempt to install backdoors they can use to get into your system without your knowledge; keyloggers and other information-stealing tools to capture usernames, passwords, and other critical business information as it is typed in; and various types of trojans that hand control of your systems to their team.
Preventing attackers from gaining access to your systems in the first place is the best approach to prevent these types of attacks.
Wrapping Up
With the exception of nation-state attacks like Stuxnet, most attacks will take the form of phishing campaigns. Attackers can initiate these with very little work to target a massive number of potential victims at one time. All it takes is one slip-up by an employee with access to your systems for an attacker to get in and take over.
This means employee training and overall cybersecurity awareness is the first step in protecting yourself. From there it is important to make sure your systems are secure as a whole to limit the damage an attacker can do if they gain access to your system.
This doesn’t mean attackers won’t try to access your systems in other ways. It simply means the easiest way to get into your systems is piggybacking on a legitimate user in the first place.
More involved attacks like trying to bypass network security, infiltrating supply chains to infect devices before they are sold to end users, and physical attacks like an attacker gaining access to a facility and plugging in their laptop do occur; however, they require a lot more effort on the part of the attacker and typically require knowledge of your systems to get into them.
Critical Infrastructure facilities like substations, pump stations, power plants, data centers, etc. are typically more the target of nation-state level attackers with more involved attacks being attempted fairly regularly. These facilities can also be the target of phishing attacks as well, so it is important to have the strongest security possible at these facilities.
There are a number of websites and resources available to understand cybersecurity threats and best practices. Some we have found useful are the NIST Cybersecurity Resource Center, the FTC article on how to detect and mitigate phishing attacks, the Cybersecurity and Infrastructure Security Agency (CISA) website, and Pascal Ackerman’s excellent book, Industrial Cybersecurity.
We hope you take cybersecurity seriously as it can have extremely detrimental effects on your business. Please reach out to the Corso Systems team if you have questions on how to apply cybersecurity tools and best practices at your company!