The threat to Australia’s critical infrastructure was brought to light in June when Prime Minister Scott Morrison revealed that local governments and industry were facing a sustained digital assault. Attacks on the industrial sector are not unique to Australia. In fact, both the Federal Bureau of Investigation and National Security Agency issued warnings that foreign actors are persistently attacking Operational Technology (OT) networks in the United States and beyond.
Australian firms using OT are especially vulnerable because of the faith put in one particular “security” measure – air gapping. This is where OT systems are isolated from the outside world to reduce exposure and prevent attacks. When the current Covid-19 situation eventually subsides in Australia and employees return to their offices, many of them will reconnect devices such as laptops, headphones, radios, smart tags amongst others that use Bluetooth, FM frequency signals, and Near Field Communication (NFC). Radio signals emitted by Bluetooth can invisibly penetrate perimeter defences and render air gaps useless, even when organisations believe they are protected.
Dispelling the air gap myth
In recent years, many organisations across multiple industries have opted to make their OT systems smarter and more efficient by linking them with IT networks. This is not without risk as melding IT and OT systems can make the latter vulnerable to attack because malicious actors can use the IT network as a conduit to the OT network and vice versa.
Typical OT environments are made up of a mix of devices – at least 20% of which are standard IT hardware and software. When companies introduce or accelerate IT and OT convergence by implementing an Industry 4.0 initiative, the percentage of IT equipment resident within the OT world can increase to as much as 40%.
While some organisations embrace this convergence, others have remained sceptical for strategic, technical or business reasons, choosing to keep OT systems isolated through air-gapping.
Air-gapping is perceived to be bullet-proof as OT systems are physically isolated from IT networks. Unfortunately, the reality is that there’s still a number of attack vectors for air-gapped networks. Something as seemingly harmless as a malware-bearing thumb drive or compromised laptop can permanently destroy even the most stringently enforced air-gap – in what’s known as “accidental convergence.”
Can wireless connectivity bring you down?
The last several years, and certainly the last several months, have seen an increase in the number of employees using personal devices in the workplace, from mobile phones to keyboards and mice. While these can seem harmless, there’s a single technology on many of these devices that can pose a significant threat – Bluetooth.
Earlier this year, a new Bluetooth vulnerability was disclosed, codenamed BIAS (Bluetooth Impersonation Attacks). In 2019 the same researchers discovered the KNOB (Key Negotiation of Bluetooth) vulnerability. BIAS allows one device to impersonate another, while KNOB causes Bluetooth peers to establish ‘weak keys.’ These vulnerabilities can be exploited to penetrate air-gaps by using employee-owned devices. The ubiquity of Bluetooth also means that hundreds of millions of devices suffer from these weaknesses, the vast majority of which go unpatched.
There are several possible attack scenarios when it comes to Bluetooth bypassing the air gap. One is that Bluetooth could be used to connect to an intelligent device, perhaps a keyboard connected to a PC or laptop. Most modern computers support Bluetooth-out-of-the-box which make them vulnerable to KNOB/BIAS attacks. Another attack scenario is Bluetooth being used as a pathway to the internal network. For example, a PC can be compromised if an employee connects a compromised mobile phone via a USB cable. Connections of this nature create a direct path between the outside world, the PC, and possibly the entire internal “air-gapped” network.
It’s key for organisations to mitigate these risks as best they can. Within industrial environments, risk can be mitigated by performing an audit for Bluetooth-enabled devices and disabling these devices – which removes the possibility of an attack. Organisations should also implement policies that prohibit employees from connecting personal devices to the OT network in any way, including via USB, which reduces the risk of a compromised device being leveraged as a vehicle to attack the network.
Protecting Australia’s industrial sector from the inside and out
The early days of the pandemic have shown the critical role the procurement and supply industry plays. Ensuring supply chain resilience wherever possible make essential goods and services available to Australians.
While external forces are outside of organisations’ control, it’s important that they do not ignore the internal risks facing their business. The risks that employee-owned devices can pose cannot be underestimated and organisations need to implement the right policies and procedures to minimise their exposure and risk of attack through these devices.