Patient Status Critical
The threat level in Cyberspace keeps rising as evidenced by the recent alerts issued by the US Government (TA18-074A) and the long list of indicators of Compromise (IOC)
Targeting critical infrastructure with an extensive list of tools, attacks, and techniques. While this is not new, with cases dating back to Stuxnet in 2007 (remember that one featured in the documentary movie released in 2016 Zero Days)
And certainly by many accounts could well have been the trigger that unleashed this mode and method of attack. We are now seeing more attacks of this nature – the NY Times reporting the details of the attempt to cause explosions in August of 2017 at a petrochemical company with a plant in Saudi Arabia. In this instance, the attackers failed to achieve explosions due to an error in programming – otherwise known as a bug
The only thing that prevented significant damage was a bug in the attackers’ computer code that inadvertently shut down the plant’s production systems.
I’ll let that sink in for a second….. so in this case, the plant did not suffer an explosion that would likely kill and injure hundreds because of a computer bug in the programming. According to the reporting, the attackers have likely fixed their code already and it is ready to be deployed. And the target for this particular attack, Triconex safety controllers from Schneider Electric Systems. This particular controller is in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants. And this was carried out remotely. This particular malware attack is possible under very specific conditions (eg outdated firmware in use on a legacy system) and has heightened the attention to follow industry-standard security protocols
They are Only Just Getting Started on Healthcare
You have to be hiding out on an internet and news free Island to not have heard that the Healthcare industry has a huge target on its back (here, here and here for example).
So if you are not focused on protecting your systems (or rather remediating the break-ins into your healthcare data that is already underway – see below) this research piece published by Denis Makrushin and Yury Namestnikov from the Kaspersky Lab: “Time of death? A therapeutic postmortem of connected medicine“, makes for some very sobering reading
They carried out some great research looking for entry points into organizations that had keywords “medic”, “clinic”, “hospit”, “surgery” and “healthcare” in the organization’s name and then used reporting tools to dig into the open ports. These are the channels that allow web services, file transfers, e-mails and even electric kettles (yes this service showed up with depressing frequency as this kettle is for some reason popular in medical facilities)
some medical organizations have an opened port 2000. It’s a smart kettle. We don’t know why, but this model of kettle is very popular in medical organizations. And they have publicly available information about a vulnerability that allows a connection to the kettle to be established using a simple pass and to extract info about the current Wi-Fi connection.
As they put it there were plenty of common trivial ports but things got really “interesting” with the non-trivial ports which offered access into the network and insights into the organization, the infrastructure and IT systems and int eh case of printers information from documents that had been printed
Top Services on Medical Network Perimeters
The statistics of their survey were jaw dropping
More than 60% of medical organizations had some kind of malware on their servers or computers
And as for Pharma
Hold onto your hats Pharma – follow the money. Attacks are even higher!
organizations closely connected to hospitals, clinics and doctors, i.e. the pharmaceutical industry. Here we see even more attacks. The pharmaceutical industry means “money”, so it’s another titbit for attackers.
That’s Not My Hospital
Are you sat reading this thinking we are in the 40% or so of facilities that have not been attacked? Think again based on the data even if that is true the likelihood of being attacked is high and the threats are wide and varied. The data gets even more, concerning with the identification of pentesting tools like Mimikatz, Meterpreter, tweaked remote administration kits to mention a few. As the authors point out
either medical organizations are very mature in terms of cybersecurity and perform constant audits of their own infrastructure using red teams and professional pentesters, or, more likely, their networks are infested with hackers
I know where I’d place my bets.
Incremental Steps to Combat Attacks
Start simple and focus on education and engagement with everyone in your organization and making it a central tenet fo your organization – not an afterthought. Then the advice from my post on “Incremental Security” bears repeating
Make Security a Top Down Primary Focus for your organization
Offer Training to your employees on Security Attacks and Mitigation
Train and Encourage Everyone to Question Information Requests so they can Make Good Decisions
Make Learning about Security Fun and Practical
Help Everyone Understand the Value of Information in the Context of Security
Consider Developing Simple Security Protocols that are Easy to Learn and Follow
Test Your Security
Mitigating our Desire to Help and Securing Your Data
Do you have any better suggestions? What small change have you seen that makes a difference that improves your security posture? What one thing could we do that would have a big impact in this area?
This article was updated on Mar 20, 2018 with clarifications at the request of Schneider Electric Systems to reflect:
– The Tasnee security incident was separate from the attack on the petrochemical plant involving Schneider Electric controllers
– That the risk to controllers is limited to those that meet a specific set of circumstances that includes older controllers and firmware, access to the network and access to a machine connected to the network
