
A brief history of IOT security

BSides Lisbon 2022 · 55:24 · 257 views · Published 2022-12 · Watch on YouTube ↗
Category: Technical
Style: Keynote
About this talk
In this talk, Elisa shares the lessons learned in 10+ years of experience in IoT security. She discusses how IoT security started, its evolution, the main challenges we face, the similarities and differences with 'standard' IT security, and how things may look in the near future.
Transcript [en]

Thank you for being here, and I'm very happy to be opening this great set of sessions. So today I will be speaking about IoT security, and just for a reality check: how many of you have to deal with IoT security? Raise your hands. All right, so that means that this session is going to be useful for the majority of you, because it gives an overview of what IoT security is and what the changes have been in the last 10-plus years. I want to start with a little introduction about myself and my job, and why basically you should be spending 40 minutes of your life listening to what I have to say and what you can gain

out of this session. I was born and raised in Italy, in the south of Italy actually, where I took my master's in computer engineering. I moved to Finland first, to the Netherlands later. You might wonder why someone who was born in the south of Italy decides to move to the Netherlands or to Finland, but that's another discussion we can have here. I did my PhD in the Netherlands; it was actually in privacy and intrusion detection, and after that I started to work with a company which was called SecurityMatters and was the first company doing OT security. So that means I have more than 10 years of experience in OT and IoT security and

how things have changed nowadays. After a few years, SecurityMatters, which was a startup, was bought by Forescout, which is one of the sponsors also here, and since then I am leading the research team at Forescout. It's called Vedere Labs: in Italian, but also if you speak Portuguese it might make sense, it means to see, to understand, to analyze. The mission of our team is actually to look at the threat landscape, especially looking at IoT but not only; we do stuff like network monitoring, intrusion detection, threat research, malware analysis, threat intelligence. So yeah, I hope I can share some of my knowledge with you guys and that you

can find that useful. So what do we do at Vedere Labs? I think it's quite interesting because it gives you an idea of what security research teams are actually doing all day long. In our case, and we are quite lucky, we have a set of data that is coming to our cloud daily, and this data we collect from more than 3000 sites that we are monitoring, and it is data about devices. So whenever we have these sensing capabilities from Forescout we're actually looking at what devices are in a network: is a microphone connected to the network, laptops, servers, whatever is there, and we capture a lot of attributes out of these

devices: what firmware, what operating system are they running, what ports, what protocols. All of this information comes up to our cloud, and then what we do is actually enriching this information. Let's say this gives us information about what's out there, so it's not really the threat landscape; it's more like, okay, what are we deploying as a society, what are the devices that are actually creating and composing our society, our infrastructure. Then what we do is we integrate this information with information which is a little bit more threat related, so we look at the deep web, we have a set of honeypots actually deployed in different geographies

that are simulating a variety of devices, and we try to understand what kind of techniques, what kind of things the attackers are looking for, what they are doing against those devices, and which devices are more sexy for an attacker, which ones they are more after. Then we have also put together a sandbox where we actually analyze the malware: how is the malware evolving, what kind of things are happening, what are the TTPs that we can track, etc. And then what we do in this cloud, what the Vedere Labs team does, is putting these things together: we do data enrichment, we do aggregation,

correlation, and we are able to say, you know, these are the trends that we see. We see that more threat actors are actually looking after VoIP phones, and if you have VoIP phones, what are they trying to attack and why is that happening, and what are the bad IPs, where are they coming from, are they associated to a certain infrastructure that is actually associated with a certain threat actor. So all of this additional enrichment of the information is happening, and then what we do as a team is both giving back this information, this threat intelligence, to our products, so that the customers that have this can actually be more up to

date with the landscape, but at the same time we're actually having a big mission around sharing it with the community. So basically all this information, which can be in the form of a report or in the form of a more actionable threat feed, is actually shared with a variety of stakeholders, which include ISACs. ISACs are the centers that are sharing information; for instance, there is a healthcare ISAC where all the members are hospitals or manufacturers of medical devices. We joined; for instance, EDP is part of the energy ISAC, where energy providers across Europe are actually joining and they are saying, oh, I've been

attacked by this kind of threat actor, by this IP, and they share that information securely in a trusted network with other peers, with other utility owners or with researchers and research institutions. Or we collaborate with CISA, which is, you know, the cybersecurity agency of the US, and there are a variety of other agencies in different countries that are actually looking at cybersecurity issues; we share this information with them. Sometimes the FBI or CISA asks us: do you know anything about this IP, have you seen it active, since when have you seen it active, what kind of TTPs is it using? So we are basically joining the community in this effort.

Actually, most of the things I will be talking about today is done by my team. The team is not huge but is highly skilled, and a couple of things I wanted to share again: I think one of the missions, when we were speaking with Jorge, was like, don't try, but if you can, be inspirational. So one of the things I would like to do is also share with you what a threat research team can do, who they are and what kind of skill sets they have. In this case it's a quite diverse team, also in terms of language, in terms of skill sets; some of them have a PhD, actually most of them,

and even in languages: if you're doing threat research, having a team that can speak a lot of languages is actually quite useful, and you need that because, for instance, to understand the comments in the code when you are doing reverse engineering, if you speak Russian it can be quite useful, if you speak Chinese even more. So those kinds of things are maybe things you don't think of at the beginning when you're hiring someone, but it's definitely useful. And also we have a broad skill set which allows us to do all the kinds of use cases I mentioned before; right, you need machine learning, but you're not focusing only on your machine

learning: you also do need to do some detection, some malware analysis, and you need to learn how to change those skill sets and to adapt. Something else that we do is actually building labs, physically building labs, and I think this is actually something that is incredibly useful if you are in IoT. It is useful because sometimes when you speak about, you know, IoT is building automation control, IoT is HVAC, heating and ventilation controllers: what it really is, what is the device that is actually controlling the HVAC? So we also have an internship program and we have students coming with us, but also me myself, I've built part of that lab; actually the

house was my dollhouse. The reason why we wanted to do that is because if you need to buy, to deploy and to make the system work, you really understand much better what the real problem is. Some of those devices, when you deploy them, are very difficult to deploy, so the challenge is like, okay, I have a PhD and I'm having trouble understanding how to deploy this device. So the people deploying this maybe do it like thousands of times, but at the beginning the device is actually complex, they need to understand it, they will find some shortcut, and you know what the result of a

shortcut is when you're doing an installation of those kinds of systems: security weaknesses. So you really need to understand the problem from the beginning. This lab that we see here, we have it actually in Eindhoven, it can be visited, and it's quite interesting because it shows really what you see behind the doors of the control room, and the control room is everywhere: it's in a hospital, it's in the government, it's in an airport, it's in critical infrastructure, and most of the devices that are there have things in common. So today I will discuss what these devices are and why they are different from the standard way we do security for

web applications, web servers or IT systems, because there are quite some differences and some of them are huge. Now, enough with the little introduction, let's get started. I will start with definitions, and I promise this is the slide that contains most of the text; most of the others are going to be easier to digest. But more than focusing on really the definition of what IoT is, what I want to discuss with you is how difficult it is to define IoT. If you go online and you try to say, okay, what is IoT, Internet of Things, what are the things? And with the years, new terms have actually emerged that

specialized IoT: OT, IoMT, IoE. So let's stop a second on what I was speaking about. When we speak about IT, it is general information technology, standard systems; standard systems are things that most of us, everybody, has to deal with: things like phones, things like laptops, servers, computers, networks. Until 20 years ago that was mostly all the kinds of devices you had to worry about, but in the last few decades things have changed. First of all, there is something quite important which is called OT, which stands for operational technology, and is really the technology that allows you to do control of processes. So if

you think about manufacturing, if you think about the control of a hardware, if you think about the belt for the luggage system in an airport, those are typically controlled by OT systems. OT systems include things like PLCs, and you have heard about programmable logic controllers, and they communicate with SCADA that have specific networks, specific protocols. Sometimes I say that OT stands for old technology, because they're very old and legacy systems that sometimes rely on, yeah, Windows XP, Windows Vista. And then IoT was born, and it was mostly to define what are the things that are communicating over the internet. I think that this definition is actually not really

correct, because most of the time they don't communicate over the internet; they actually communicate over their network, which can be a LAN, can be connected and secured and controlled. And things typically means sensors, actuators: so a sensor like for a light bulb, or a sensor for, I don't know, the temperature in this room. But actually there is also a huge difference within IoT; IoT is fragmented. IoT for enterprise, which is typically called IIoT, the internet of industrial things, includes stuff that is more for organizations, so IP cameras, HVAC systems, access control with the badge, etc. But there is also a huge part of the IoT which is the consumer IoT: you

know, your doorbell, your Alexa, your Philips Hue lights that you have at home, and those are very, very different technologies, very different vendors, a lot of different operating systems. Then you have the internet of medical things, where the things in that case are medical devices like MRI and infusion pumps and smartwatches and whatever. And then there is a new term which has emerged in the latest years which is the internet of everything: it's like really actually everything is connected. So if there is something that really is common to all of those, it is connectivity. What really makes the I of something, IoX, is the fact that they communicate, and the fact

that the diversity of devices that is communicating is introducing a variety of issues and security challenges that we are going to speak about today. So, as I mentioned already, the definitions are fuzzy. If you look at the kinds of devices that are in IT, OT, IIoT, IoT per se and IoMT, there is a lot of overlap; for instance, if you have something like, you know, a smartwatch, is that IoT or is it medical, IoMT, because it's actually a medical application? So what we are going to do today is I will use the word IoT to speak about most of these things, but excluding the IT part of it. And I want to give you also an idea of

why the connectivity is important, with a use case which I find quite interesting. If we take Amazon as an example, most of the things that we are speaking about today are connected. So Amazon is selling stuff, basically shipping products across the globe; to ship it uses drones, and it actually also produces some of these things, so it does manufacturing. It has IoT where there are a lot of sensors that are monitoring the manufacturing; I don't know if you have ever seen online, there is a nice YouTube video that shows how the drones and how actually the storage of Amazon is controlled, that is a loading system.

But Amazon is also selling Alexa and a lot of IoT devices, and at the same time it is controlling all of that, all the information that comes from whatever things you are buying on Amazon, in their data center. So it's really like the picture I showed before: all those different devices in an organization like Amazon or alike, and there are a lot of other examples where you can see everything is starting to get connected. And when things are getting connected, well, if you don't do it properly, some of the issues can arise. So again, as I mentioned, today's focus: I will call it IoT, I will not mention any more OT, IoMT, blah

blah, because I think it's just more complex. I'll call it IoT, but I mean a plethora of things, so do not come back to me afterwards and say, oh, but this is not IoT. So a couple of things about IoT. IoT is diverse: one of the first challenges about it is the amount of operating systems that you can see on all those devices that I mentioned. So at Forescout, I mentioned before, right, we are collecting a variety of data; we are tracking more than 2,000 different versions of operating systems. You know what it means: that you cannot have an antivirus, because otherwise you need to support 2,000 and more versions of that antivirus.

So the fact that there is this diversity has some security implications: patches are very difficult to develop, because if you have a lot of variety, a lot of diversity, and there is like one system that is impacted, it is complex and it is expensive. So imagine that you are actually in the security team of a company or an organization, and this organization has IoT. First of all, they will not know what IoT they have in their network; that's one of the first challenges. But even if they do, understanding what software is running on the devices, if it's vulnerable and if the patch is available, is really complicated for IoT systems. In contraposition, if you have a

Windows or Linux server, it is like one command and then you get the patch done and installed, and with one command actually you can install it and deploy it on all your thousand servers that you have in the organization. So really the level of complexity is incredibly different. Also a problem is that those devices are unagentable and unmanaged; indeed, another synonym that is often being used lately for IoT is unmanaged device. What unmanaged means is that you cannot have an agent: easily for some of them you will, but in the large majority you cannot have an agent, meaning you cannot have software running on those devices that you can use to control

those devices. There are some companies that are starting to do some agents for IoT, but, you know, given the variety, the diversity, it's really a difficult, challenging thing: you can do it and you can fix it forever for a small set of devices, vendor and model, but doing it to cover the scale of diversity of those devices is quite complicated. So typically, I don't know if you have followed the SolarWinds case, do you know about SolarWinds? Well, SolarWinds is a software that is used to manage IT systems; there is not an equivalent of SolarWinds for IoT systems. When

you have SolarWinds you can say, okay, if you are not running the latest version of Windows or if your antivirus is disabled, you are not compliant, I don't trust you anymore in my network and I kick you out of the network. You cannot do the same for IoT devices, so it's really difficult to trust IoT devices, to understand where they are and to apply changes remotely, or to even give some compliance rule, and that is the zero trust initiative, where basically you need to comply with certain policies before entering the network; it's very complicated to do that with IoT devices. Another thing about IoT is that it is really everywhere, so these are

some of the data that come from the cloud I mentioned in the beginning, so from the Forescout data lake, and we track a variety of industries: we have more than 3000 sites across the globe in financial, healthcare, utilities, retail, government and manufacturing, and if you look, those are the differences of IoT devices that you find in those kinds of organizations. So stuff like IP phones: for me this was amazing, they are so common, VoIP phones are everywhere, especially in hospitals and healthcare, like every office has one, and in government. There is stuff like patient monitors, which are there and are also connected to a variety of other devices,

and we will discuss why this becomes a problem. UPSs in operational technology, which are the ones for the devices to deal with energy drops, are also very common; IP cameras are also very common IoT devices. But the message is really: there is no reason why someone that is in cybersecurity should ignore the problem of IoT, because it's everywhere, you eventually will have to deal with it. But why are we speaking about cybersecurity for IoT, right? It means that there is some attack landscape, there is a threat landscape. So why would people attack IoT? There are a variety of reasons; I try to summarize some of them, but if you

look at OT and IoMT, so the medical part, they are legacy systems, they are very old, they are investments. Even in building automation there are investments; I think in building automation the statistic was that 60% of building automation systems are at least 20 years old, and we call them smart buildings. When you go and you look at a smart building, they are far away from being smart: they are old devices where you put connectivity on top of that, and that's the recipe for disaster, because it's like technology that was designed with insecurity by design. I mean, the vendors even use the term, because what is necessary to have there is reliability and availability; there is

nothing, no need for confidentiality to be kept, so there is no encryption, no authentication. A funny story, a bit of digression: 10 years ago when I started, and Stuxnet was a thing, and we will see what Stuxnet is, but when the first attacks happened, I think everybody in the industry was like, okay, no authentication, okay, no encryption, we understand, the systems are resource constrained, you cannot really apply encryption because the latency is too high and blah blah blah blah. We did a test, well, we did a research now, 12 years after Stuxnet, about the security level of those devices, 10 years

after, and I don't know how many attacks after, we will see how many, and the situation is still the same. Still nowadays, if you buy a PLC for your brand new manufacturing plant you will still have those problems, and this is something that the society and the community should not accept anymore. On the contrary, IoT is new, diverse, different, and nobody really knows what is running in an IoT device: what operating system, what TCP stack, what's that like. And then there is the supply chain issue, which we will also discuss, and it is not known, it is not tracked by IT systems, so it's really a risk for organizations. And on top of that,

what you have is that everything is converging, right, the example of Amazon. There are use cases in which you need your manufacturing plant to communicate with your data center, because you want to track what you are producing so that you can maybe order in advance all the material that you need to actually produce that product. So the use cases are emerging for the need of connection, but the devices that are the underlying devices that are creating the networks we rely on are intrinsically challenging that, with some security problems. Now let's give a look back at how the threat landscape evolved, what kind of attacks do we really see to

the IoT. One of the questions, sometimes when we speak with stakeholders, is: why should I care about IoT? The attackers are actually attacking IT systems, they are after ransomware, it's after my IT systems, it's after my laptops, servers; why should I care also about IoT? So actually there has been quite an interesting evolution of the motivation of attacks, the kind of attacks that we see in the IoT world, and I want to discuss this with you. So everything actually started in 2010, when Stuxnet, which is by far the most complex cyber weapon ever built, was used to actually effectively have an impact on a physical system. So sometimes when you

speak about IoT and you speak about attacks to IoT, you need to understand that in the IT world what you are damaging is data: so if you have a DoS you have unavailability of data, if you have a data leakage you have oversharing of data, if you have a ransomware it is also unavailability of data. But in the OT world the impact is physical: if I'm destroying, if I am blocking the production of a production line, or in this case of Stuxnet, what was done basically with the malware was slowly increasing the speed of the rotor for the nuclear process, so when it became too high actually there was an explosion, and this is

believed to have delayed the nuclear plan for Iran for more than two years. And if you go and you look at, you know, I love the name, the threat actor is called Gossip Girl. Doing threat attribution is also quite complicated, right; every time I'm going to say threat attribution, it is "highly likely", that's what the community is converging to, you're never sure that that's actually the threat actor. But it is believed that this organization came together, it was also very costly to develop Stuxnet, and it is believed that these were organizations affiliated with the US and the Israeli government. This software was highly sophisticated and highly

targeted: it was really targeted to a PLC in the plant of a very specific model, which was a Siemens PLC that they knew was used in the plant in Iran. The next attack which was big, when it made the news (there have been also others, and I can give you a reference for actually giving a look at every attack that happened from 2010 to 2022), but the next one worth attention is Industroyer, Industroyer 1 (because recently there is Industroyer 2), which is also called CrashOverride. In this case the target was Ukraine, and it was in the capital, in Kiev, to actually attack a substation for the energy

distribution, so that it was able to cause a blackout of some hours in some of the regions of Kiev. In this case the threat actor that is attributed to this attack was Sandworm, which is affiliated with the Russian government, and the difference from a technical perspective is that the sophistication of this malware was less; the destruction, so like the malware is becoming less and less complex. It was multi-stage, so you have initial access, lateral movement, and eventually it hit the PLC that is actually running the substation, and it was almost fully automated. In 2017 something else that really scared the community was Triton, or Trisis, and it was different because in

this case they were attacking the safety instrumentation system. So every control system, especially if it's for oil refineries, energy distribution or, you know, heavy industrial processes, they have safety systems, so that if something fails they stop, so that human lives can actually be saved, right; if you're working on the plant you need to have some safety. You hope that those systems never switch on, but they are there. So what happened is that the actor, also in this case Russian-government associated, hit in Saudi Arabia one of the petrochemical companies, to actually target the safety instrumented system, which kicked in and was stopped, and not

many details emerged actually on what the impact was, but for sure there were some stops to the production, and the attack was successful in the sense that it arrived where it had to. Also in this case it was highly targeted, and this one was highly complex. This year, though, when the war started in Ukraine, everybody in the industry was expecting a lot of cyber war; we were expecting attacks to come and to hit the critical infrastructure of Ukraine, and so after a month or two everybody was a bit surprised: why didn't it happen at the scale that everybody was predicting? And Industroyer was an attempt, but actually it

was a failed attempt. If you look at the code of Industroyer 2, it is an evolution of Industroyer 1, but it looks like a proof of concept, it looks like something was wrong, like maybe it was deployed too early; so that's the idea the community is sort of converging to. Also the target was Ukraine, actually different critical infrastructures around Ukraine. And the communication in the energy sector, let's say if you want to control the substation for the energy distribution, depends on a protocol which is called IEC 104, which is typically used for energy and only for energy, and that was the kind of protocol where the

payload of that protocol was tweaked in this attack. So that's how you understand, you know, they are after the energy sector and not the financial sector, because you will not find this protocol in the financial sector. The sophistication also was low, it looks like a proof of concept, and it was a little bit less targeted because they wanted to be more mainstream, they wanted to attack all kinds of energy utilities that they could, whatever they could. Which brings us again to 2022, where we are seeing ransomware spilling to operational technology or to IoT. So ransomware: the primary target of ransomware at the moment is IT systems, so that they are able to encrypt them and push the companies to pay

for the ransom. What we are seeing is actually that a lot of those ransomware are able to reach the OT, the operational technology, or the IoT, and then they can encrypt those, and, you know, as a sort of byproduct, as a collateral damage, they can actually stop the production. Have you heard about the Colonial Pipeline case? Well, basically it was one of the ransomware which was hitting the IT part, but it was almost propagating, so what Colonial Pipeline, which was the victim, decided to do was to stop the operational technology. So there were, I don't know if you saw the images, kilometers and kilometers and kilometers of queue to get oil in the US, in

the west coast, on the east coast, but anyway it was an impact. So it's like, okay, ransomware is not really only IT: if you're an organization that actually has plants or energy distribution or anything to do with physical processes, you need to also worry about ransomware hitting your production, and if your production is down, on top of the ransom that you are paying you also need to pay the cost of the production being down. So those are the kinds of risks that you need to take into account. Now, this is the history of what happened; what's happening now? Well, there are some trends that I want to discuss with you

and then come to some conclusions. Some of the trends, on top of what we have been saying so far: IoT is diverse, a lot of operating systems. There is another issue which is the supply chain issue, which is not only for IoT, but for IoT it is quite heavy. So we did a research in Vedere Labs, it's called Project Memoria. In Project Memoria what we did was to analyze the TCP/IP stacks; we analyzed 14 TCP/IP stacks. The TCP/IP stack is the software component that is actually used to create TCP communication between devices, so every network device has a TCP/IP stack. We took them, some of them open source, some of them private, we reverse engineered them, we

found over 90 vulnerabilities in seven of the 14 stacks. And then, so we are researchers, security researchers, vulnerability researchers, we are sitting on top of 98 vulnerabilities; what do we do? We contact CISA, and it's like, oh, we have 98 to release, what do we do? And they're like, who is impacted? It's like, we don't know, we have no idea who is impacted; nobody's telling you, an IP camera is not telling you if it's running a certain TCP/IP stack, the same for infusion pumps, they don't. So it took us more than 18 months to do the whole

project from start to end; most of it was actually over the responsible disclosure, because we were trying to identify the impacted vendors. For some of them we found documentation, so we found the PDF of an IP camera and, for whatever reason, a certain TCP stack was named there, so it's like, oh, we believe you might be running this TCP stack that by the way is vulnerable to a lot of vulnerabilities. And so that's the supply chain problem: when you have a vulnerability in a component, and with the TCP stack it was very interesting because that component is then used in a motherboard or network cards, which then are used in a

final device. So the same motherboard can be used by an IP camera and a VoIP phone, but really tracking that is very complicated. And more and more researchers and also attackers are actually focusing on those kinds of vulnerabilities; you can see similar things in, you know, the SolarWinds case and other cases. And then there is the insecurity by design that is specifically for IoT, where IoT is developed still, unfortunately, by not having security in mind, and that's a mindset that needs to be defeated. Other trends are the fact that actually IoT is increasing in number, so if you see here, this graph is also coming from the sensors that we

have OT iot and IMT together they form almost more than 40 percent of the devices that we see in average in organizations that's a lot so it's something like the iot should be on the agenda of of the the security team the popular iot devices are especially surveillance so and IP camera communication Network physical security and the plethora of all the other devices I showed in the other slide and what's happening from an attack perspective is that people are starting the threat actors are starting looking at iot so iot is being actively used either as an entry point in several cases or as uh elements for the bottleneck in the Mirai case so Mirai was actually able to to

get more than two million devices in one of the largest botnets ever observed. Or there was a case in a casino in the U.S.: the fish tank sensor for the temperature was used as an entry level to actually do the attack to the IT system and doing data exfiltration. Even there was a big case in Tesco where something similar happened and they were able to enter from the POS, which is the payment system. So IoT can actually be also an entry point for more serious attacks.

And another trend, and you will see why I'm putting this here, is that actually attackers want money. It might be simple, but for many years the reason why cyber security for IoT was dismissed is because, oh, this is nation state, right? If you saw the five initial threat sets I discussed, the threat actor was actually nation state, so it's like, you know, only a few organizations are going to be targeted, only highly targeted, this is not a problem for the mainstream. But we are seeing that ransomware, which is the most mainstream attack that we're seeing nowadays, is actually very present, and the reason why is because actually threat actors are trying to understand the best way to make the most amount of money in the fastest way. So that's actually why ransomware is so popular. Ransomware has been named the threat of the year for 2020, 2021 and I'm sure it's going to be also for 2022. There are plenty of gangs that are deploying ransomware and a lot of money that is involved, and I want to discuss a bit with you how ransomware and IoT can actually meet.

And to do so let's start with some understanding of how ransomware has evolved. So there is a misconception that actually ransomware is about encryption, so it's like, if you stop the encryption you will stop the ransomware, but actually ransomware is about ransom: they want money, so they want as much leverage as possible on your organization to push you to pay the money that they're asking for. So that's how we see an evolution of ransomware: before it was only encrypting the data, now we are speaking and seeing two-stage, three-stage ransomware where they are first leaking the data, and that's another leverage, it's like, you know, all these sensitive data of your organization, and you're a healthcare organization, are available online and they were not well protected, so you will have to deal with the GDPR laws, reputation damage and all the costs associated to that. And also they are doing something that we predict is going to happen: they can actually use IoT, OT and whatever is meaningful from a process perspective, from a physical perspective, for an organization to actually block that. If the attack actually spills to the OT and to the IoT and you don't have access to the building anymore, or you do not have air conditioning, your production is down; those are big pushers for you as an organization to actually pay for the ransomware that you've been asked.

So at this point, so we were doing this analysis last year and then we started, it's like, okay, but do you really think that, what role the IoT can play in this kind of landscape? So what we did at Vedere Labs, we did a hypothesis, it's like, okay, let's see how feasible it is, how realistic. So again we monitor

3000 sites with all kinds of networks, understanding also how these networks are created. It's like, would it really be possible, if I am an attacker, would it be possible for me to target the OT part of it, or to enter via an IoT device? Then what we did was, okay, let's assume that this hypothesis is true, so we want to enter via an IoT, we want to move laterally and try to encrypt IT, but then we also want to do the, you know, double extortion and also stop the OT system, so that, you know, we push more an organization to pay. So this was all an exercise about theory, and that's actually what we did.

We have the lab, right, you saw the lab; we configured the lab after some configurations that we have seen in real networks. So in real networks, by the way, segmentation is not really there, so like your IP cameras most of the times are on the same network where the servers are, or on the same network where laptops are, or HVAC is. So segmentation is not really a thing, it's a recommendation, something that everybody's recommending, but it's not really happening. So after the initial access via the IoT we wanted to do some lateral movement with some techniques that are very common, and then having an impact on the operational technology. So this was the plan.

This is a schema of the lab, and that's actually how networks typically work: you have an IoT network, some people tell you this is an air-gapped network, it's isolated, evidence shows that it's not always the case, and where you have your IoT devices, in this case we only put the camera in the net. Then you have your corporate network with all your IT systems, servers and laptops, and then you have your operational network which has, like, you know, the industrial part of it where you have production, or if you are a hospital it's where you have access control, badges, lighting, the robots for the surgery.

So how the attacker works is basically using some exploitation, and also what we wanted to do is like, the security tools that are out there, are they actually helping with any of that, can they detect those activities, can they actually stop the attack? So we used some exploitation of an IP camera, one of the most commonly used ones, and from there, once the attacker was on the IP camera, it was scanning for other devices, it would find some Windows device and then it would use something like RDP brute force or other attack techniques, and by the way I think in this case we used RDP credentials, which is the top technique used, you will be surprised, it's like, oh really? Like that is one of the most used techniques. Once they were on the Windows machine they can actually do a tunneling back to the attacker so that the attacker had the control over the network and it could actually connect to the command and control server. In the malware we actually also dropped a crypto miner, so to do the three-stage stuff, so like they were also used with crypto mining for a while, and then after that actually dropping the ransomware, executing the ransomware. And from there, once you are in the lateral movement, you could actually also scan for OT devices, and if there are OT devices, because of the way they are configured you can actually put them down easily, sometimes with only one packet. And that was like one of the results that we had from Project Memoria on the TCP/IP stacks: if you are running one of the vulnerable TCP/IP stacks, I send one TCP packet with the wrong flag, the device is dead, and that's what we did here. So I invite you to actually read the full report and watch the video, you can actually see all the impact, we implemented everything in our lab, and that is a quite interesting video that you can look at. And then we presented it and some

of the feedback we got is like, yeah, but this is not real, that's not what's happening. Then the Conti leak happened, and yeah, the Conti leak has happened, and what happened here, this is quite an interesting story. So around, I think it was February or March, around the start of the war in Ukraine, the Conti gang, which is a ransomware gang, had both Russians and Ukrainians, and when the war started there was a split; of course, there was no agreement on who to support, what to support, etc., and then eventually the Ukrainian side leaked all the Telegram chats from this gang. It was like days and days' worth of reading; Telegram chats are quite interesting all the time, but in this case very especially interesting. And we were lucky enough because, yeah, one of our guys is Ukrainian, speaks Ukrainian, he sat down in his room for a week and then pulled out this report in which we understood all the stuff they were speaking about. It's quite interesting because they were speaking about PTO, not like, it's a big gang, right, two or three hundred people, they have actually an organizational chart, they have the head of HR, they make the payments, they actually have some training. And amongst these conversations what they were saying is, oh guys, but we should look at IoT, I mean, have you seen how many IoT devices are in this hospital or in this school? Like, this would be super easy to just enter from there, we need to ramp up our knowledge base and try to understand how to do that. So it's like things are moving in that direction, and why? Because it's easy, because a lot of devices are there, are connected. I hope I provided you enough information on why that should be something we should be concerned about.

Now, is this doomsday? Not really, I mean, there is some good news. One of the best news, I think, is the fact that these attacks are slow; sometimes attackers are in your network for days before they actually unleash all their power, so there is the time to actually identify and attack them, if you have a good strategy. So in this case, for instance, that it was one of our examples, it took at least five days for the ransomware to be dropped. Also there is this new trend of ransomware as a service, right, everything has to be easy, so what the gangs want, they want as many script kiddies able to actually run the ransomware and target different organizations, because that's the model, right, they get the 70, they give the 30 to the script kiddies, because they actually give the infrastructure to them; without the infrastructure they cannot work, so it's also called the ransomware infrastructure as a service, it is a new thing that is happening. But there are actually two good news out of that. The first one is that, to be able to do that, so if the gangs, if the threat actors want to scale up, they need to make the bad software, the malware, easy, easy to understand, which means easy to develop, which also means it's easy to detect. If it's scaling, it means that the same bad piece of software is going to be used and used, so if we do share intelligence, if we do share the fingerprints, if we actually have, you know, collective threat intelligence platforms, which are emerging, we can actually do something against that.

And then if you have an organization and now you believe, you know, okay, IoT security should be on my agenda, what should I do about that? Well, there are three main things that, you know, the cyber security community is recommending, and this is visibility, compliance and segmentation. So the visibility is necessary to know what IoT systems do you have, how many, where are they, how are they connected, are they connected with your crown jewels, are they isolated, do you really believe they are on the air-gapped network? So understand what's on the network, profile them; there are tools that do that, there are companies like ours that do that. Do compliance: put the rules in place, if you do not comply, you know, with my zero trust initiative or with my rules of the company, just do not allow the devices to be on the network. Then you can do segmentation: make sure that, you know, devices that should not communicate with the Internet or with a lot of other DMZs, they are not; enforce the segmentation, do not do segmentation via VLANs. And of course there is the whole continuous monitoring, threat detection and response.

But basically the main takeaways are: the IoT is bringing great power and with great power comes great responsibility, so you need to take care of that; and cyber crime is changing and we need to track that and be prepared for those changes. Some of those changes might be scary, but for some of them we can actually get prepared, and in order to, you know, create a cyber security strategy you need to be aware about these problems and map them to your organization and create, you know, the best cyber security strategy that you could. If you are in a cyber security team, if you are in a cyber security research team, you should know about these things, maybe they are also interesting for your day-to-day job. So I hope this was interesting for you guys. [Applause] Thank you so much. Thank you so much, Elisa. Anyone wants to ask something to Elisa?

[Music] Hey, can you hear me? Yeah, brilliant. With the rise of home working, how much do you think businesses should be worried about consumer-level IoT devices being within the network that their laptop might be connected to, or so on and so forth? Sorry, yeah, I want to make sure I got it, how...

You obviously have been talking about IoT devices connected to business networks, industrial; with home working you now have consumer IoT devices connected to the same network as the work laptop, for example. Yeah, is that a concern? Oh yeah, yeah, that's the bring your own device sort of thing. Yeah, I mean, with the pandemic, that's part of the problem with the pandemic, for instance: it was actually the reverse, right, it was not bringing your own device home, it's like your home becomes like the organizational network and then there are all those issues related to that, and the decay of the system, and you cannot push compliance because you are not in the network system, so all those IT, you know, IT agents cannot really work, or work as good as before. So yeah, I think it's an extension of that problem. Sometimes, I'm gonna like, an anecdote: in the substations, the substations for energy are very remote, sometimes they are unmanned and sometimes they are manned, so when we monitor those stuff we see PlayStations, Raspberry Pis just going there. I mean, like, if you're working there for a shift which is a night shift, you just need to be there but not much, you get bored, and although the policy is like we do not attach anything to the network, guess what, it happens. So yes, it's definitely something to be concerned

about the feet over there

Hello, hi. Given how hard it is to patch IoT devices, how should we handle disclosing vulnerabilities? It's a very interesting question. So I am a firm believer that we should keep doing vulnerability disclosure, so like I don't agree when saying that, like, keeping it closed will solve the problem, because it will not. What we should do is working on initiatives, for instance like SBOM, which is the software bill of materials; in this initiative you actually have a list of components that are affected, so that you're easing the problem of the supply chain. We need to make sure that the vendors of IoT and OT feel as reliable, as accountable for bugs as they are in the IT system. You know, like 20 years ago vulnerability research for Windows was also treated, you know, like it was also like skeptical from the vendors; it changed the behavior until the moment where the vendors themselves actually have a vulnerability research program within their own companies. I think we should get there also for IoT and OT.

I got a question as well. As it's difficult to patch, especially OT systems, but do you see an interest from the vendors in doing those patches, and the interest from the side of, let's say, end users to patch those devices? Or one of them is willing to do something and the other side doesn't? I think there are different forces on this topic, right. You can accept, as an asset owner I can even accept that the device is vulnerable and it will not be patched, but I need to know. Not doing the vulnerability disclosure will basically mean that I trust that device, but it's vulnerable, and then patching maybe is not the way, because, you know, the vendor is out of business or whatever happened, but then I can do a risk assessment, I can see that device is untouchable, has a vulnerability, for sure needs my attention, so let me put it in a way, let me secure it around it, let me put it like behind the firewall, let me do the segmentation. Maybe patching is not always the solution; sometimes we cannot stop that. On the other hand, though, you know, like you need to, an asset owner has the capabilities to actually push and put some pressure on the vendor of the device to deliver devices that are more secure. So I think we need both ways: while we are educating the community and we are slowly changing our mindset, there are other things that we can do in between. I mean, patching is not the only solution, not always.

Anyone else? Hi, so do you see in the future regulation, the necessity to have regulation, playing a role, in the sense that the vendors keep pushing for more and more devices to be connected to the internet that can have a physical impact in the world, like a toaster, a lamp or whatever? There's this competition between vendors to have everything connected; some of the stuff that are being sold as consumer devices have a potential disastrous impact in our lives. Do you think that regulation will have to play and step in at some point? There is plenty of regulation, like especially in healthcare, for instance, like the FDA has put off the market an infusion pump because it was insecure. So both the FDA and CISA in the U.S. especially, they are coming with a lot of regulations: if you are an asset owner in a clinic, if you are running a critical infrastructure, and critical infrastructure is a lot, like transportation, energy, even manufacturing in some countries, then you need to have a risk assessment and I think a vulnerability assessment every week. So like there are coming those kinds of regulations; they are not touching too much the IoT consumer, but like for sure the enterprise and the organization IoT is being touched by those. They're coming and they are going to be quite strict, and some of them are already.

Any more questions? No? Thank you. All right, thank you. [Applause] [Music]
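The talk describes a lab chain (an IP camera on a flat network scanning for Windows hosts, then RDP brute force and tunneling) and closes with three defender recommendations: visibility, compliance and segmentation. The following is an added example written for this page, not code from the talk, from Forescout or from Vedere Labs: a small Python detector that applies those recommendations to constructed flow records and Windows logon events. The subnet layout, the asset inventory, the hostnames, the sample records and the alert thresholds are all assumptions; the only real identifiers are Windows event IDs 4624/4625 and logon type 10 (RemoteInteractive, i.e. RDP).

```python
"""
Added example (not the talk's or Vedere Labs' code): detect the IoT -> IT
lateral-movement pattern described in the talk from a defender's side.

Inputs are constructed flow records and Windows logon events; the subnets,
inventory and thresholds below are assumptions chosen for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed segment layout mirroring the talk's three networks (IoT, corporate, OT).
SEGMENTS = {
    "iot": ip_network("10.10.0.0/24"),
    "corporate": ip_network("10.20.0.0/24"),
    "ot": ip_network("10.30.0.0/24"),
}

# Constructed asset inventory: the "visibility" step (know what IoT you have and where).
INVENTORY = {
    "10.10.0.5": "ip-camera",
    "10.20.0.10": "windows-server",
    "10.30.0.7": "plc",
}

# Constructed flow records (src, dst, dst_port): the camera sweeps the corporate
# subnet on SMB, then hits one Windows host on RDP; one benign corporate flow.
FLOWS = [("10.10.0.5", f"10.20.0.{i}", 445) for i in range(1, 41)]
FLOWS += [("10.10.0.5", "10.20.0.10", 3389)] * 5
FLOWS += [("10.20.0.10", "10.20.0.11", 443)]

# Constructed Windows logon events (src, dst, event_id, logon_type).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
AUTH_EVENTS = [("10.10.0.5", "10.20.0.10", 4625, 10)] * 25
AUTH_EVENTS += [("10.10.0.5", "10.20.0.10", 4624, 10)]

SCAN_THRESHOLD = 20   # distinct destinations contacted by one source (assumed)
BRUTE_THRESHOLD = 10  # failed RDP logons from one source to one host (assumed)


def segment_of(ip):
    """Map an address to its assumed network segment."""
    for name, net in SEGMENTS.items():
        if ip_address(ip) in net:
            return name
    return "unknown"


def segmentation_violations(flows):
    """Flows from the IoT segment into corporate or OT: what the talk says
    segmentation (not just VLANs) should prevent."""
    bad = set()
    for src, dst, port in flows:
        if segment_of(src) == "iot" and segment_of(dst) in ("corporate", "ot"):
            bad.add((src, dst, port))
    return sorted(bad)


def scanners(flows, threshold=SCAN_THRESHOLD):
    """Sources that contacted at least `threshold` distinct destinations."""
    dests = defaultdict(set)
    for src, dst, _ in flows:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def rdp_bruteforce(events, threshold=BRUTE_THRESHOLD):
    """(src, dst) pairs with many failed RDP logons; flags a success that
    arrived only after the failure count had already crossed the threshold."""
    fails = defaultdict(int)
    success_after = set()
    for src, dst, event_id, logon_type in events:
        if logon_type != 10:
            continue
        if event_id == 4625:
            fails[(src, dst)] += 1
        elif event_id == 4624 and fails[(src, dst)] >= threshold:
            success_after.add((src, dst))
    return {
        pair: {"failures": n, "success_after_failures": pair in success_after}
        for pair, n in fails.items() if n >= threshold
    }


def iot_lateral_movement_alerts(flows, events):
    """Correlate inventory, scanning and RDP brute force: an inventoried IoT
    device that swept the network and then hammered a Windows host on RDP."""
    alerts = []
    scan = scanners(flows)
    for (src, dst), info in rdp_bruteforce(events).items():
        if INVENTORY.get(src, "") == "ip-camera" and src in scan:
            alerts.append({"source": src, "device": INVENTORY[src],
                           "target": dst, "scanned_hosts": scan[src], **info})
    return alerts


if __name__ == "__main__":
    print("segmentation violations:", len(segmentation_violations(FLOWS)))
    for alert in iot_lateral_movement_alerts(FLOWS, AUTH_EVENTS):
        print("ALERT", alert)
```

The correlation matters more than any single rule: a camera scanning on its own, or a burst of failed RDP logons on its own, each produces noise, but an inventoried IoT device that does both against a host in a segment it should never reach is exactly the slow, multi-day chain the talk says defenders have time to catch.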