IoT FEATURE NEWS

When A Ransomware Attack Took over Cameras, Where Was the Last Line of Defense?

By Special Guest
Matt Henson, General Manager, Ultra Electronics, 3eTI
July 16, 2018

Video surveillance cameras used every day to survey the streets of Washington DC and keep the people safe – hacked! We are familiar with data hacks, but this incident received noteworthy press coverage because it was one of the first high profile public examples of operational technology (OT) being impacted by ransomware.

The Romanian hackers took control of 123 of the Washington, DC police department's 187 outdoor surveillance cameras in January of 2017, leaving them unable to record from January 12 to January 15, just eight days before President Trump's inauguration.

Operational technology comprises the hardware and software used to control and monitor industrial processes, such as processing lines, utilities and the packaging equipment involved in producing products, much of which was never designed with security in mind. As OT systems become increasingly networked and software-controlled, they grow more complex and expose a larger attack surface.

To date, ransomware has been known mainly to affect enterprise IT networks. The fact that it is now reaching operational technology devices and facilities is a significant change with real cyber-physical consequences. With OT it is not just data that is being held for ransom; the effects can be a real threat to human life.

To resolve the problem, DC police took each of the compromised devices offline, wiped its software, reinstalled the video recording software and restarted each system individually. The process cost a great deal of time and money, not to mention the inability to monitor the streets of our capital city while the CCTV cameras were offline.

Because the intrusion affected a significant share of the CCTV cameras that police use to watch over public areas, identifying the cause became a top priority given the potential impact on the Secret Service's ability to secure the 2017 Presidential Inauguration.

The DC Police detected the attack on January 12th when they learned that several cameras were malfunctioning. They discovered two separate forms of ransomware on four of their video recording devices and commenced a citywide examination of the network to find the remaining infected sites; 70% of their video storage devices were found to be infected.

Ransomware infects computers and can be triggered by something as seemingly innocuous as opening an attachment or clicking a link in an email message. This type of malware encrypts files and locks users out until they pay the ransom. In this incident the infected systems were the recording and storage computers behind the cameras, which is why remediation meant wiping and rebuilding each one. No ransom was paid to the hackers in this case.

The suspects, Eveline Cismaru and Mihai Alexandru Isvanca, were also accused of using the computers they gained control of to distribute ransomware through spam emails. Law enforcement officials believe that Cismaru and Isvanca were part of a large extortionist group and have charged both of the Romanian nationals in DC Federal Court with fraud and computer crimes.

According to an affidavit by Secret Service Special Agent, James Graham, the hackers intended to lock victims' computers and then extort users for payments in order to release their data. In the affidavit, Cismaru and Isvanca are accused of "intent to extort from persons money and other things of value, to transmit in interstate and foreign commerce communications containing threats to cause damage to protected computers." It is not yet clear if they knew that they had hacked into a DC Police Dept. network.

The affidavit also states that the hackers were traced through their registered email addresses and were arrested in Romania in December 2017 along with three other suspects who will face prosecution in Europe.

Could This Attack Have Been Averted?
These CCTV cameras and the computers that operate them could have been spared this calamity altogether had a “last line of defense” solution been in-place.

A last line of defense is a cybersecurity device placed directly in front of an operational technology endpoint to validate every incoming command and communication before it reaches the device. Applied to DC’s CCTV system, such a device would have recognized a command outside the expected set, such as one that stops recording, as unauthorized, blocked it, and immediately alerted operators to the attempt, all in real time. One caveat a practitioner should keep in mind: the systems actually infected here were the recording and storage computers behind the cameras, so the protection has to sit in front of those recorders and their management interfaces, not only in front of the cameras. A command filter governs what reaches a device over the network; it does not by itself stop malware that arrives on the recording computer through an emailed attachment, the common ransomware delivery route noted above, so it belongs alongside endpoint hardening rather than in place of it.

Equipped with such a device, an organization’s IT department can define a whitelist of allowed commands for each device, block any command that falls outside it, and alert on the attempt.

This solution should fit into the existing control environment and shield critical infrastructure against cyberattacks without interrupting operations. It should augment the traditional firewall, perimeter and signature-based defenses, extending protection to networked system endpoints through protocol-specific parsing and whitelisting to assure data integrity.
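The following is an added example of what protocol-specific parsing and whitelisting means in code; it is not code from this article or from 3eTI’s product. It assumes the protected camera speaks RTSP (RFC 2326), which the article does not state, and that the monitoring client only ever needs to view streams. The camera address, the stream path prefix, the constructed sample requests and the made-up “SHUTDOWN” command are all assumptions for illustration.

```python
"""Protocol-aware command whitelist for a CCTV endpoint (added example).

Assumes the camera speaks RTSP; this is not the article's or 3eTI's code.
Every request is parsed and must match the whitelist exactly; anything else
is dropped and raised as an alert (default deny, no signatures needed).
"""
import re
from dataclasses import dataclass

# Request methods a viewer legitimately needs. SET_PARAMETER, RECORD,
# ANNOUNCE, vendor extensions and garbage are all denied by not being listed.
ALLOWED_METHODS = {"OPTIONS", "DESCRIBE", "SETUP", "PLAY", "PAUSE", "TEARDOWN"}
ALLOWED_HOST = "10.0.5.21"          # assumed camera address
ALLOWED_PATH_PREFIX = "/live/"      # assumed stream path
MAX_REQUEST_BYTES = 2048

TOKEN = re.compile(r"^[A-Z_]{1,20}$")
REQUEST_LINE = re.compile(r"^([^ ]+) ([^ ]+) RTSP/1\.0$")
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): ?(.*)$")
URI = re.compile(r"^rtsp://([A-Za-z0-9.\-]+)(?::(\d{1,5}))?(/[^\s?#]*)")


@dataclass
class Verdict:
    allowed: bool
    reason: str
    method: str = ""


def inspect(raw: bytes) -> Verdict:
    """Parse one RTSP request and decide whether to forward it to the camera."""
    if len(raw) > MAX_REQUEST_BYTES:
        return Verdict(False, "oversize request")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return Verdict(False, "non-ASCII bytes in request")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return Verdict(False, "missing end of headers")
    lines = head.split("\r\n")
    # A bare CR or LF inside the header block is a header-injection attempt.
    if any("\n" in ln or "\r" in ln for ln in lines):
        return Verdict(False, "bare CR or LF in header block")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return Verdict(False, "malformed request line")
    method, uri = m.group(1), m.group(2)
    if not TOKEN.match(method):
        return Verdict(False, "malformed method token")
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method} not on allowlist", method)
    # OPTIONS * is legitimate RTSP; every other URI must name our camera/path.
    if not (method == "OPTIONS" and uri == "*"):
        u = URI.match(uri)
        if not u or u.group(1) != ALLOWED_HOST or not u.group(3).startswith(ALLOWED_PATH_PREFIX):
            return Verdict(False, "URI outside protected endpoint", method)
    headers = {}
    for ln in lines[1:]:
        h = HEADER.match(ln)
        if not h:
            return Verdict(False, "malformed header", method)
        headers[h.group(1).lower()] = h.group(2)
    if not headers.get("cseq", "").isdigit():
        return Verdict(False, "missing or non-numeric CSeq", method)
    # None of the allowed methods carries a body; one present is a protocol
    # violation or a smuggled payload, so reject it.
    if body or headers.get("content-length", "0") != "0":
        return Verdict(False, "unexpected message body", method)
    return Verdict(True, "ok", method)


def filter_requests(requests):
    """Return (requests to forward, alert strings for everything dropped)."""
    forwarded, alerts = [], []
    for raw in requests:
        v = inspect(raw)
        if v.allowed:
            forwarded.append(raw)
        else:
            alerts.append(f"DENY {v.method or '?'}: {v.reason}")
    return forwarded, alerts


# Constructed traffic: three normal viewer requests followed by four that a
# default-deny whitelist must stop.
SAMPLE_REQUESTS = [
    b"OPTIONS rtsp://10.0.5.21/live/ch1 RTSP/1.0\r\nCSeq: 1\r\n\r\n",
    b"DESCRIBE rtsp://10.0.5.21/live/ch1 RTSP/1.0\r\nCSeq: 2\r\nAccept: application/sdp\r\n\r\n",
    b"PLAY rtsp://10.0.5.21/live/ch1 RTSP/1.0\r\nCSeq: 3\r\nSession: 12345678\r\n\r\n",
    # configuration change: a real RTSP method, but not one a viewer needs
    b"SET_PARAMETER rtsp://10.0.5.21/live/ch1 RTSP/1.0\r\nCSeq: 4\r\nContent-Length: 16\r\n\r\nrecording: off\r\n",
    # made-up command: no signature exists for it, default deny still catches it
    b"SHUTDOWN rtsp://10.0.5.21/live/ch1 RTSP/1.0\r\nCSeq: 5\r\n\r\n",
    # allowed method, but aimed at a different host behind the filter
    b"PLAY rtsp://10.0.5.99/live/ch1 RTSP/1.0\r\nCSeq: 6\r\n\r\n",
    # header injection via a bare LF
    b"PLAY rtsp://10.0.5.21/live/ch1 RTSP/1.0\r\nCSeq: 7\nSession: x\r\n\r\n",
]

if __name__ == "__main__":
    forwarded, alerts = filter_requests(SAMPLE_REQUESTS)
    print(f"forwarded {len(forwarded)} of {len(SAMPLE_REQUESTS)} requests")
    for a in alerts:
        print(a)
```

The point of the design is that the decision is made by parsing the protocol and comparing against a short list of what the operator expects, not by recognising a known-bad payload: the invented “SHUTDOWN” command is refused without anyone having written a rule for it, and so is a legitimate method aimed at a host or path the policy does not cover. The same structure applies to whatever protocol a given controller actually speaks.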

3eTI’s CyberFence CIP series acts as a last line of defense for industrial devices, including CCTV cameras and the computer controllers behind them, which are themselves vulnerable. It sits in front of the device and validates every command going to that controller.

This type of last line of defense should be incorporated into an end-to-end, robust and layered cyber-physical defense. A complete end-to-end solution must be employed for all computers and devices, including CCTVs.

It is very important to realize that OT is not the same thing as enterprise IT. OT needs its own last line of defense that goes beyond what is required to protect an enterprise’s front-office systems such as accounting, ERP and CRM.

The hackers who were arrested for this incident learned first-hand that it doesn’t pay to hack into a police department. With a layered security ecosystem, complete with a last-line-of-defense strategy, it won’t pay to hack into any organization.

About the author: Matt Henson is General Manager for Ultra Electronics, 3eTI. Henson is a highly accomplished executive with more than 13 years of Department of Defense (DoD) experience, an active DoD SECRET clearance, and advanced expertise in all facets of project, program and portfolio management from pursuit to close-out.




Edited by Ken Briodagh