Critical Infrastructure Cybersecurity: the crude reality (II/II)

The cybersecurity context: Smart City & IIoT

Second part of 2

Barcelona, Apr. 19th

The company WORLDSENSING has written this article for the CIPSEC PROJECT BLOG.

Worldsensing (WOS) has divided the article into two blog posts; this is the second and final part. In it you will find out how cyberattackers can use JAMMER technology as the first step in penetrating a nuclear power station system, and we explain how the CIPSEC project aims to counteract such attacks.


INTRODUCTION

How does a cyberattack against critical infrastructure unfold? We will describe all of its phases, classify the attack, locate it and then propose a possible solution, enriching our analysis with forensic evidence and additional research.

We will explain what jammer technology is and how it could put an entire nation in a tight spot. We will also set out the main activities of the CIPSEC project for counteracting denial-of-service attacks against wireless channels using jammer devices.


Jammer device - Source: http://www.jammer4uk.com/

SCENARIO

Imagine a person on top of a hill, with the only view being that of a nuclear power plant 2 kilometres in the distance. This person is calm because nobody has observed him and nobody will notice his attack – it will go without a hitch, using a jammer (a US$40 device that is easy to find on the internet) and a laptop. This is a realistic and inexpensive scenario and, unfortunately, a perfect combination for a cyberattack.

In the nuclear power plant it is an ordinary day, with employees doing their jobs to provide energy to a large population. Suddenly, a deafening siren sounds throughout the plant. Some employees flee in panic and others try to get the chaos under control. All the security protocols are activated. Several control units freeze, and then the emergency response team arrives. Nuclear energy production slows down and those responsible for international energy distribution start contacting other nuclear power plants to buy energy urgently so as not to leave the population they supply without power. As all this is happening, the person at the top of the hill observes everything with total impunity and, on the other side of the country, a rival electricity company makes some extra money.

IDENTIFICATION of the attack

How did all this happen?

In this case, the person on the hill is a cyberattacker and has used a jammer device to interrupt the wireless network and then penetrate the nuclear power station system. What is jammer technology?

A JAMMER is a noise generator that raises the noise floor on the radio frequencies it targets until receivers can no longer decode legitimate transmissions: the channel becomes unavailable at the physical layer of the wireless network, and no higher-layer protection (encryption, authentication) can help, because no frames get through at all.

Jammers are small and cheap (around $40 from several online stores), they are hard to spot without dedicated radio monitoring, and a sufficiently powerful unit can be operated from a considerable distance.

At the nuclear power plant, dozens of devices are connected to different wireless networks: not only smartphones, tablets and laptops but also IoT (internet of things) devices used in the plant's operation and the sensors collecting data. As a cyberprotection measure, most nuclear power plants are not connected to the internet, which is meant to keep remote attackers out. Once wireless links are in use, however, that isolation is no longer complete, and this is where the jammer starts to play a key role in cyberattacks.

When a jammer is activated, devices on the affected wireless networks are cut off and cannot reconnect for as long as the jammer is running. Meanwhile, the attacker can use a laptop and some additional radio equipment to stand up a rogue access point or gateway. If the devices do not verify the identity of the gateway they join, they connect to the rogue one as soon as the jamming stops, and the attacker then sees all the traffic coming from the wireless devices, including the IoT ones. That traffic and the information it carries are the key inputs for preparing a more customised and direct connection to the servers and controllers, and for reaching the internal equipment remotely.

The problem arises when the devices are disconnected from their original access point or gateway and reconnect to a rogue one controlled by the attacker. From that position the attacker can reach the critical interconnection gateways by emulating an IoT device, infiltrating the production network smoothly and stealthily. It is at this critical point that hackers take advantage to penetrate the whole network, even the most important servers and controllers.

How?
Stealing the identity of IoT devices and internal users

This happens in a totally hidden and stealthy way. In a nuclear power plant, IoT devices lose their connection from time to time. This is normal behaviour for devices on wireless networks such as Sigfox, LoRa, Wi-Fi and 3G, so the wireless stack automatically reconnects and resynchronises as a matter of routine when the connection fails: the devices keep trying until a gateway lets them in. Attackers take advantage of exactly this point to enter the nuclear power plant system. On the one hand, they steal the identity of the IoT devices to connect to the IoT network and, on the other hand, they take over the gateways to gain full control of and access to the IoT devices that manage the plant's automated processes. Once attackers have infiltrated the gateways, they can pivot to the rest of the network (wireless and wired), where the users, servers and data are located, gaining access to internal resources, usernames, passwords and critical information, and eventually full control of the nuclear plant.
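The sequence just described (a mass drop, then the whole fleet re-joining a gateway nobody installed) leaves a trace in ordinary association logs, and that trace is something a defender can check for. The following is an added example, not CIPSEC or Worldsensing code; the log format, the gateway identifiers, the allowlist and the thresholds are all assumptions, and the log lines are constructed for the illustration. It deliberately includes one routine single-device reconnect, which the article notes is normal, to show that only the fleet-wide re-join to an unknown gateway is raised.

```python
"""Defender-side check for the 'jam, then reconnect to a rogue gateway'
pattern, run over device association logs. Added example, not CIPSEC or
Worldsensing code. The log format, gateway identifiers, allowlist and
thresholds are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Gateways the plant actually operates (assumed allowlist, constructed).
KNOWN_GATEWAYS = {"gw-01", "gw-02"}

# Constructed association log: "<epoch seconds> <device> <event> <gateway>".
# One routine drop/rejoin (sensor-21) and one mass drop followed by a mass
# rejoin to a gateway nobody installed.
SAMPLE_LOG = """\
1000 sensor-17 ASSOC gw-01
1001 sensor-18 ASSOC gw-01
1002 sensor-19 ASSOC gw-02
1003 sensor-20 ASSOC gw-02
1004 sensor-21 ASSOC gw-02
1500 sensor-21 DISASSOC gw-02
1520 sensor-21 ASSOC gw-02
1800 sensor-17 DISASSOC gw-01
1800 sensor-18 DISASSOC gw-01
1801 sensor-19 DISASSOC gw-02
1802 sensor-20 DISASSOC gw-02
1830 sensor-17 ASSOC gw-9f3a
1831 sensor-18 ASSOC gw-9f3a
1832 sensor-19 ASSOC gw-9f3a
1833 sensor-20 ASSOC gw-9f3a
"""

@dataclass(frozen=True)
class Event:
    ts: int
    device: str
    kind: str      # ASSOC or DISASSOC
    gateway: str

def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, kind, gateway = line.split()
        events.append(Event(int(ts), device, kind, gateway))
    return sorted(events, key=lambda e: e.ts)

def find_rogue_gateways(events, known=KNOWN_GATEWAYS):
    """Gateways that accepted an association but are not on the allowlist."""
    return sorted({e.gateway for e in events
                   if e.kind == "ASSOC" and e.gateway not in known})

def find_reassociation_bursts(events, window=60, min_devices=3):
    """Windows in which at least min_devices distinct devices that had just
    dropped off re-joined the SAME gateway within `window` seconds. A single
    device reconnecting is routine; the whole fleet re-joining one gateway
    right after an outage is the pattern described in the article."""
    dropped = set()
    rejoins = defaultdict(list)          # gateway -> re-association events
    for e in events:
        if e.kind == "DISASSOC":
            dropped.add(e.device)
        elif e.kind == "ASSOC" and e.device in dropped:
            dropped.discard(e.device)
            rejoins[e.gateway].append(e)
    bursts = []
    for gw, evs in rejoins.items():
        for i, start in enumerate(evs):
            devices = {r.device for r in evs[i:] if r.ts - start.ts <= window}
            if len(devices) >= min_devices:
                bursts.append((start.ts, gw, sorted(devices)))
                break                    # one alert per gateway is enough
    return sorted(bursts)

def analyse(text):
    events = parse_log(text)
    rogue = find_rogue_gateways(events)
    bursts = find_reassociation_bursts(events)
    # Highest severity: a burst of re-joins lands on a gateway we never deployed.
    critical = [b for b in bursts if b[1] in rogue]
    return {"rogue_gateways": rogue, "bursts": bursts, "critical": critical}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The allowlist check alone would already flag the unknown gateway; the burst check adds the timing evidence (four devices re-joining within seconds of a simultaneous drop) that separates a jam-and-replace attack from a gateway that was simply mislabelled in inventory. Both thresholds are site-specific and would be tuned against the plant's normal reconnect rate.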

It is well documented that attackers often remain hidden inside corporate and critical infrastructure networks for long periods, in some cases more than two years, which gives them ample time to commit crimes, extract critical information and erase their traces. In other words, attackers have all the time they need to do whatever they want to create chaos.

Hackers know critical infrastructure networks and environments very well. They have time and ample resources, so it is only a matter of time before they get into the network and act. They know that these systems are not always monitored, patched or updated, and that they are full of blind spots, so finding a way through is a simple matter for them.

For a long time it has been common to hear that, as a cybersecurity measure, some elements of critical infrastructure are kept off the internet so that attackers cannot reach them remotely through the web. This blog entry shows, however, that on its own this measure is not enough: the moment a wireless link is added, the isolation it promises is gone, and relying on it gives a false sense of security, much like the discredited practice of security by obscurity. The article "Critical Infrastructure: Off the Web, Out of Danger?" by Taylor Armerding backs up this point of view. It quotes retired admiral James Stavridis, dean at Tufts Fletcher School and a former NATO supreme allied commander, as warning of a "'cyber Pearl Harbor' that could leave swaths of the country in darkness and cold".

How does CIPSEC want to stop it?
Detection and geolocation of jammer attacks

Detecting jamming attacks is a crucial aspect of critical infrastructure protection, and indeed of protecting any network, because a very cheap and small device gives an attacker the best possible starting point, at the weakest point of the IT infrastructure, for disrupting the wireless network in a smooth and stealthy attack.

Protecting an IT infrastructure against jamming of its wireless networks therefore prevents the more sophisticated attacks that follow and closes one of the largest unmonitored backdoors into critical infrastructure.


DoS-Sensing jamming attack detection

This is why Worldsensing, within the framework of the CIPSEC project, is creating a new generation of wireless network protection for critical infrastructure, called DoS-Sensing. The product aims to detect and locate jamming attacks and report them to the command and control systems of the critical infrastructure and to the authorities.
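To make concrete what "detect and locate" involves, here is an added illustration of the two steps a sensor-based jamming detector has to perform. It is not Worldsensing's DoS-Sensing code and says nothing about how that product works internally: the sensor layout, the thresholds, the readings and the free-space path-loss model (exponent 2, uncalibrated) are all assumptions, and the readings are constructed. Detection separates a jammed channel (noise floor up, delivery down) from an ordinary outage (delivery down, noise floor unchanged), which matters because only the first is an attack. Location then finds the point whose distance to each jammed sensor best explains the noise rise each one measured, with the jammer's unknown transmit power solved out rather than guessed.

```python
"""Jamming detection and coarse jammer location from a few fixed RF
sensors. Added illustration, not Worldsensing's DoS-Sensing code: the
sensor layout, thresholds, readings and the free-space path-loss model
(exponent 2) are all assumptions."""
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Reading:
    sensor: str
    x: float          # sensor position in metres (assumed site grid)
    y: float
    noise_dbm: float  # noise floor measured on the monitored channel
    pdr: float        # delivery ratio of a known test beacon, 0..1

BASELINE_NOISE_DBM = -95.0  # calibrated quiet-channel floor (assumed)
NOISE_RISE_DB = 15.0        # rise above baseline that counts as jamming
PDR_FLOOR = 0.5             # delivery ratio below which the link is down

def classify(r):
    """Separate a jammed channel from an ordinary outage: jamming raises the
    noise floor AND kills delivery; a dead radio or cable kills delivery only."""
    rise = r.noise_dbm - BASELINE_NOISE_DBM
    if rise >= NOISE_RISE_DB and r.pdr < PDR_FLOOR:
        return "jammed"
    if r.pdr < PDR_FLOOR:
        return "link_down"
    if rise >= NOISE_RISE_DB:
        return "interference"   # floor is up but traffic still gets through
    return "normal"

def locate_jammer(readings, site=(0.0, 1000.0, 0.0, 1000.0), step=20.0):
    """Grid search for the point whose free-space path loss best explains the
    noise rise at every jammed sensor. The jammer's transmit power is unknown,
    so for each candidate point it is solved out as the mean offset k.
    Needs at least three jammed sensors; returns None otherwise."""
    jammed = [r for r in readings if classify(r) == "jammed"]
    if len(jammed) < 3:
        return None
    rises = [r.noise_dbm - BASELINE_NOISE_DBM for r in jammed]
    x0, x1, y0, y1 = site
    best, best_cost = None, math.inf
    x = x0
    while x <= x1:
        y = y0
        while y <= y1:
            # With exponent 2, rise_i + 20*log10(d_i) is the same constant for
            # every sensor when (x, y) is the true jammer position.
            terms = [rise + 20 * math.log10(max(math.hypot(x - r.x, y - r.y), 1.0))
                     for rise, r in zip(rises, jammed)]
            k = sum(terms) / len(terms)
            cost = sum((t - k) ** 2 for t in terms)
            if cost < best_cost:
                best, best_cost = (x, y), cost
            y += step
        x += step
    return best

def assess(readings):
    """Verdict per sensor, an alert if two or more see jamming, and an
    estimated jammer position when there is enough evidence to place it."""
    verdicts = {r.sensor: classify(r) for r in readings}
    alert = sum(v == "jammed" for v in verdicts.values()) >= 2
    return {"verdicts": verdicts, "jamming_alert": alert,
            "jammer_estimate": locate_jammer(readings) if alert else None}

# Constructed readings: four corner sensors, a jammer near (200, 800) m.
JAMMED_SITE = [
    Reading("north-west", 0, 1000, -55.0, 0.00),
    Reading("south-west", 0, 0, -64.3, 0.10),
    Reading("north-east", 1000, 1000, -64.3, 0.12),
    Reading("south-east", 1000, 0, -67.0, 0.25),
]
# Constructed readings: one sensor lost its antenna feed, nothing jammed.
QUIET_SITE = [
    Reading("north-west", 0, 1000, -94.8, 0.99),
    Reading("south-west", 0, 0, -95.2, 0.00),
    Reading("north-east", 1000, 1000, -94.9, 0.98),
    Reading("south-east", 1000, 0, -95.1, 0.99),
]

if __name__ == "__main__":
    print(assess(JAMMED_SITE))
    print(assess(QUIET_SITE))
```

Two practical points follow from the code. First, the single-sensor "link_down" case must not raise a jamming alert, or every failed antenna becomes a false positive; requiring a raised noise floor on two or more sensors is what keeps the alert credible enough to hand to a command and control system. Second, the location step is only as good as the propagation model: on a real site the exponent and the per-sensor baselines have to be calibrated, and the grid estimate is a starting area for a response team, not a coordinate to act on blindly.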

DoS-Sensing is being integrated into a larger framework developed and tested in real-life pilots by a consortium of 13 partners. The European-funded CIPSEC project aims to protect critical infrastructure from cyberattacks by creating a platform covering the whole cybersecurity life cycle, made up of the products and services needed for an end-to-end framework that is easy to deploy and manage.


In the case set out here, DoS-Sensing would detect the jamming attack at a very early stage at the nuclear plant and report it to the critical infrastructure command and control system and to the authorities, in order to prevent the more sophisticated attack that follows and to prosecute the perpetrators.