Fighting the hardware hack

Hackers look beyond software to target industrial control systems

In 2010, the Stuxnet cybersecurity attack knocked offline an entire nuclear facility in Iran. This attack crippled Iran’s nuclear capability. As the story goes, Stuxnet – a malicious computer worm – was carried on a USB flash drive and delivered through physical access to the systems within the plant.

Today, however, that kind of physical access is no longer necessary. Advanced Persistent Threat groups are employing attacks such as the LoJax rootkit, which can remotely infect platform firmware.

Cyberattacks against hardware are becoming far more destructive and are more common, according to Nathan Palmer, a security researcher for Raytheon Technologies’ Cyber Offensive and Defensive group.

“Attackers look for the low-hanging fruit and historically hardware was not easy to remotely access,” Palmer said. “The easy stuff includes web browsers, misconfigured servers and OS networking bugs, but as we are getting smarter on the application side and operating systems are getting better at preventing the exploit technology, it forces attackers to go down to the lower level – to the firmware and hardware.

If attackers can gain access on the physical board itself, then it’s “very hard to kick them out,” Palmer explained.

“Traditionally, hardware has been implicitly trusted,” he said. “Software has always been suspicious, but the logic that is on the hardware itself, the thinking used to be ‘Well, that was done by professional engineers in a lab, so it is perfect.’ Not only that, ‘It is hardware so it can’t be compromised in the field.’ This is not the case.”

For Palmer, the hardware attack surface is like the Wild West.

“There are so many places for attackers to penetrate and hide that it is very hard for an organization to detect until it is too late and the damage is done,” he said.

In the past, “you’d have to turn your computer off and manually change a chip out” to alter embedded code on a device, according to Palmer. Now that’s done with software updates.

“It’s sort of ironic,” he said, “because of security wanting to be able to patch quickly and update systems in a timely manner to combat vulnerabilities, hardware updates have been made more convenient through the use of software, which has significantly expanded the attack surface.”

It is the trade-off between ease of maintenance and locking a system down, Palmer explained.

The use of information technology as a bridge toward better maintenance and update capabilities is being adopted by the Industrial Control System and Supervisory Control And Data Acquisition systems community, according to Paul Washington, Raytheon Technologies Cyber Physical Systems innovation area lead.

ICS and SCADA systems are often used in large power generation, oil and gas processing and telecommunications plants.

“Previously, the avenues of attack were extremely isolated,” Washington said. “You needed to have, on the ground, physical access to deploy cyber effects in OT systems, but that extreme isolation is weakening with modern day updates to the way we maintain and service legacy system equipment. We can’t hide behind physical separation anymore.”

Once an attacker gains access to the physical hardware of a system, recovery options are minimal, but there are options for protecting system hardware. Raytheon Technologies experts recommend a Zero Trust framework, where organizations don’t automatically trust anything inside or outside its network’s perimeters. Instead, they verify anything and anybody trying to connect to or access data and systems.

Raytheon Technologies has developed hardware root-of-trust tools called Boot Shield and Electronic Armor Trusted Boot, which are designed to trust no one and verify everyone.

These tools enforce advanced security technologies in commercial systems, but in a way that prevents them from being disabled or bypassed, even by insiders or attackers that have administrator privilege on the system.

“Boot Shield is set up in a way that it is designed to provide a secondary check,” Palmer said. “It is locked into a configuration, so even if you gain administrative access, there are components of the device you cannot alter under any circumstances.”

By using technology built into the hardware, it allows cyber defenders to detect and protect against manipulation that tries to change the system’s or platform’s configuration, Washington said.