Enormous botnets of IoT devices are going after decades-old legacy systems that are rife in systems that control crucial infrastructure.
Full transparency: Curtis Simpson, CISO at Armis, the enterprise IoT security company, was fundamentally a black hat at the age of 12, before he even knew what a black hat was. One day he got flooded over IRC and was fascinated: What just happened? And how did it happen?
He’s since spent the vast majority of his career as a white hat. It was an easy transition, he told us in a recent Threatpost podcast: You take the attacker mindset, where “you think about the tactics and techniques that you would typically apply, and then reverse-engineer those when you think about a program.”
That mindset comes in handy in the space of OT and ICS: in other words, the world of operational technology (OT), – the computing systems used to manage industrial operations – and industrial control systems (ICS). In this space, where OT and ICS are powering some of the most critical infrastructure in the world – be it supply chain facilities or warehouse operations – a proliferation of legacy systems mean that outdated infrastructure is rife.
“Most of the tech, the OT and ICS tech that exists in an enterprise or in critical industry, is decades old,” Simpson explains, “The interesting thing we’re seeing now, and why we’re seeing so many vulnerabilities being disclosed, is because those vulnerabilities have always been there.”
The reality is that researchers and attackers weren’t really looking for those vulnerabilities at the level they are today, Simpson explains. “What we’re seeing is an interesting domino effect where record-setting ransomware payouts are happening with an OT and ICS organization. That’s not by chance. … The conversation I used to have with the execs and the board was that if this type of type of attack plays out in that environment and the computers that are the operational technology in this landscape, the IoT devices in this landscape, the integrated IT devices in this landscape, once they’re impacted, and that impact starts to actually get into the operational technology itself? We’re going to be in a rip and replace scenario. That’s going to take us days to weeks to fully recover from.”
And it’s going to cost victims a lot to try to recover. Case in point: Colonial Pipeline, forced to close down its pipeline by a DarkSide ransomware attack. “What we’re seeing is an exponential level of effort being put towards understanding exposures in these environments, streaming together, exploitations around [internet of things, or IoT] devices to be able to get to those environments,” Simpson observes.
In this podcast, Simpson details how threat actors are trying to get into those environments, be it APT28 – the threat actor that built one of the largest botnets ever seen, entirely from IoT devices – or the light shed subsequently shed on other bad actors that create weaponized abilities against ubiquitous IoT devices we all have.
Download the podcast here or listen to the episode below.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.