Meatspace Hacks at Hack the Building 2020
For three days in November, in a 150,000 square foot cyber arena, 60+ red teams came together virtually and in socially isolated meatspace to play out 13 different attack scenarios. The Maryland Innovation and Security Institute, together with DreamPort, a cyber innovation, collaboration and prototyping facility in Columbia, Maryland, put the event together at the request of the US Department of Defense's Cyber Command to illustrate the impact of IT, IoT and OT cyber attacks against critical infrastructure, including building automation and operations.
The "Don't You Lose Your Head" scenario at Hack the Building 2020
Why is this a big deal?
For a while security through obscurity was (incorrectly) reckoned to be enough. In the past a lot of key infrastructure simply was not networked. Now much of the world's key infrastructure is networked in some way and must therefore be protected. The penalties for getting this wrong are more than a denial of access and some awkward moments as system admins explain to their bosses how they have just been locked out of their own systems. As Stuxnet illustrated, cyber attacks can do really nasty things to physical infrastructure: it is widely estimated that Stuxnet destroyed around 1,000 uranium enrichment centrifuges in Iran's nuclear program. Centrifuge failures are energetic events, as this video illustrates: https://www.youtube.com/watch?v=FfK2KS0aSKY Imagine being in a large building filled with hundreds of failing centrifuges. Must have been an interesting day.
It is estimated that there are over 2.5 million unique ICS (industrial control systems) in use in over 300,000 buildings and 250,000 linear structures. Being able to do funny things to someone's air conditioning may be an inconvenience, or in extreme cases may deny functional access to a facility for meaningful work; using a robotic arm in a factory to swat down workers would take a heavier toll. Other unpleasant things could happen if, as in one of the Hack the Building scenarios, an attacker disables the ventilation fans for a large lead-acid battery backup array: charging lead-acid cells vent hydrogen, which is explosive once it reaches roughly 4% concentration in air, and without ventilation it accumulates. Compromised infrastructure can also be used as a stepping stone to reach systems holding vital intellectual property and/or controlled unclassified information, and then as a channel for exfiltrating that data.
Feeding the Tools
We were honored to have the opportunity to help support this event.
One of our most popular network packet brokers, the Vision ONE, fed all the other vendors' inspection tools and was the backbone of most of the blue team efforts. Remember, the purpose of a network packet broker is to ensure that the right data, and only the right data, is supplied to SIEM, firewall, IPS and other security and monitoring tools. In that respect, we are in the position of feeding the tools. With this role comes responsibility: because a packet broker exists to enhance rather than degrade visibility into network traffic, it must not drop packets. Decades of experience with our Ixia test gear have taught us some hardware architectural optimizations that let us deliver on the promise of, and the need for, zero dropped packets.
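The two properties described above, steering only the relevant traffic to each tool and never losing a packet along the way, are easier to reason about with a small model. The following Python is an added example written for this page; it is not Keysight or Vision ONE code, and the OT subnet, the per-tool filter rules, the byte budget used to stand in for tool-port capacity and the sample packets are all constructed here for illustration. It shows why filtering matters for the no-drop promise: an IPS port that receives every TCP packet oversubscribes, while the same port with OT traffic steered to the ICS monitor instead does not, and it also surfaces packets that no tool's filter wants, which is the gap a practitioner should check for when writing steering policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    length: int  # bytes on the wire


@dataclass
class ToolPort:
    """One egress port of the broker, feeding one monitoring tool."""
    name: str
    wants: Callable[[Packet], bool]  # steering filter for this tool
    capacity: int                    # bytes the port can absorb in this window
    delivered: int = 0
    dropped: int = 0
    used: int = 0


OT_NET = ip_network("10.20.0.0/16")  # assumed building-automation segment


def touches_ot(p: Packet) -> bool:
    return ip_address(p.src) in OT_NET or ip_address(p.dst) in OT_NET


def build_tools(ips_capacity: int, ips_filtered: bool) -> List[ToolPort]:
    """Policy: the ICS monitor sees everything on the OT segment, the SIEM
    sees DNS/HTTP/HTTPS, and the IPS sees TCP either unfiltered or with OT
    traffic steered away from it (ips_filtered)."""
    if ips_filtered:
        ips_rule = lambda p: p.proto == "tcp" and not touches_ot(p)
    else:
        ips_rule = lambda p: p.proto == "tcp"
    return [
        ToolPort("ics-monitor", touches_ot, capacity=10_000),
        ToolPort("siem", lambda p: p.dport in (53, 80, 443), capacity=10_000),
        ToolPort("ips", ips_rule, capacity=ips_capacity),
    ]


def steer(packets: List[Packet], tools: List[ToolPort]) -> Tuple[Dict[str, Tuple[int, int]], List[Packet]]:
    """Fan each packet out to every tool whose filter matches. A packet that
    exceeds a port's remaining capacity is counted as dropped on that port;
    a packet no filter matches is returned so the policy gap is visible."""
    unmatched: List[Packet] = []
    for p in packets:
        hit = False
        for t in tools:
            if not t.wants(p):
                continue
            hit = True
            if t.used + p.length <= t.capacity:
                t.used += p.length
                t.delivered += 1
            else:
                t.dropped += 1
        if not hit:
            unmatched.append(p)
    return {t.name: (t.delivered, t.dropped) for t in tools}, unmatched


# Constructed sample traffic for one capture window (not a real capture).
SAMPLE = [
    Packet("10.20.1.5", "10.20.1.10", "tcp", 502, 120),         # Modbus/TCP poll inside OT
    Packet("10.20.2.7", "10.20.2.1", "udp", 47808, 80),         # BACnet/IP inside OT
    Packet("192.168.5.10", "8.8.8.8", "udp", 53, 70),           # DNS from IT
    Packet("192.168.5.10", "93.184.216.34", "tcp", 443, 1500),  # HTTPS from IT
    Packet("192.168.5.11", "192.168.5.20", "tcp", 445, 1500),   # SMB inside IT
    Packet("10.20.1.5", "192.168.5.50", "tcp", 22, 900),        # SSH from OT to IT
    Packet("192.168.5.12", "10.20.1.10", "tcp", 502, 120),      # Modbus write from IT into OT
    Packet("192.168.5.13", "192.168.5.14", "udp", 123, 76),     # NTP inside IT: no tool wants it
]


def run(ips_filtered: bool, ips_capacity: int = 3000) -> Tuple[Dict[str, Tuple[int, int]], int]:
    """Return per-tool (delivered, dropped) counts and the number of packets
    no filter matched."""
    counts, unmatched = steer(SAMPLE, build_tools(ips_capacity, ips_filtered))
    return counts, len(unmatched)


if __name__ == "__main__":
    for filtered in (False, True):
        counts, gaps = run(filtered)
        print(f"ips_filtered={filtered}: {counts}, unmatched={gaps}")
```

With the unfiltered IPS rule the 3000-byte budget is exceeded and one packet is dropped on the IPS port; steering OT traffic to the ICS monitor alone keeps the IPS within budget with no drops. In both runs the NTP packet is reported as unmatched, which is the kind of hole a "right data, and only the right data" policy should be audited for before it goes live.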
Getting back to Hack the Building, our Vision ONE ran our software-enabled AppStack feature set, which gave our blue team threat insights, geographical information and visibility into which applications were running on the network, all vital for blue team work.
A Little Help For Our Friends
Arguably more importantly, we also played the role of data broker for many of the vendors doing demos at the show, many of whom are also Keysight partners outside the show, including Nozomi Networks, Vectra, SentryWire, Zuul, Forescout and others.
We also put a couple of Threat Simulator agents in the event's AWS infrastructure so we could run live demos of our breach and attack simulation solution. As expected, Threat Simulator drew a lot of interest.
Speaking of Nozomi, we have an excellent solution brief, Nozomi + Keysight: Visibility to Secure ICS and IIoT that you might enjoy.
Takeaways
The good news is that there is growing awareness of the importance of securing OT and infrastructure in general. Back in the day, when everything was analog, things were different; now a compromised OT system can result in anything from a building rendered unusable by HVAC antics to robotic assembly lines going rogue and turning on the workers who maintain them. Overcoming the mindset challenge is a key part of the equation: the guy wandering around with a temperature wand trying to make the office AC work probably is not spending a lot of time worrying about CVEs. In fact, he probably doesn't know what a CVE is.
With this in mind, network packet brokers allow you to feed the right data, and only the right data, to tools on your network such as Nozomi. Learn more about Keysight network packet brokers here and learn more about Nozomi here.
Stay safe.
Thanks for reading.