On October 23, 2018, ICS-CERT announced a vulnerability in Telecrane's F25 Series remote controls, which are used to operate cranes. The advisory rated the flaw as exploitable by an attacker with a low skill level: anyone able to receive the remote's transmissions could "view commands, replay commands, control the device, or stop the device from running."
In essence, an attacker could record the transmissions that control the crane, play them back, and drive the crane themselves, because the receiver had no way to tell a replayed transmission from a fresh one.
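What a fixed-code receiver does with a captured frame, placed beside a receiver that binds every frame to a counter and an authentication tag, as an added example that is not part of the original article or of Telecrane's firmware. The frame layout, command codes, pairing ID and key are constructed for illustration and are not the F25's real protocol:

```python
import hashlib
import hmac
import struct

# Constructed, illustrative command codes; not the F25's real frame format.
COMMANDS = {"HOIST_UP": 0x01, "HOIST_DOWN": 0x02, "STOP": 0x0F}


def _command_name(code):
    return next((name for name, c in COMMANDS.items() if c == code), None)


class FixedCodeTransmitter:
    """Remote whose frames are just a constant pairing ID plus a command byte."""

    def __init__(self, pairing_id):
        self.pairing_id = pairing_id

    def send(self, command):
        return struct.pack(">IB", self.pairing_id, COMMANDS[command])


class FixedCodeReceiver:
    """Crane side: anything carrying the right pairing ID is obeyed, so a frame
    recorded once works forever. This is the replay weakness the advisory describes."""

    def __init__(self, pairing_id):
        self.pairing_id = pairing_id

    def handle(self, frame):
        if len(frame) != 5:
            return None
        pairing_id, code = struct.unpack(">IB", frame)
        if pairing_id != self.pairing_id:
            return None
        return _command_name(code)


class RollingCodeTransmitter:
    """Remote that binds every frame to a monotonic counter with an HMAC tag."""

    def __init__(self, pairing_id, key):
        self.pairing_id = pairing_id
        self.key = key
        self.counter = 0

    def send(self, command):
        self.counter += 1
        body = struct.pack(">IIB", self.pairing_id, self.counter, COMMANDS[command])
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag


class RollingCodeReceiver:
    """Crane side: verifies the tag first, then accepts only counters it has not
    seen. The window tolerates a few lost frames but never lets the counter go back."""

    def __init__(self, pairing_id, key, window=16):
        self.pairing_id = pairing_id
        self.key = key
        self.window = window
        self.last_counter = 0

    def handle(self, frame):
        if len(frame) != 17:
            return None
        body, tag = frame[:9], frame[9:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None                       # forged or tampered frame
        pairing_id, counter, code = struct.unpack(">IIB", body)
        if pairing_id != self.pairing_id:
            return None
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return None                       # replayed (old) or implausibly far ahead
        self.last_counter = counter
        return _command_name(code)


def replay_demo():
    """Capture one HOIST_UP frame from each kind of remote, let the operator use it,
    then replay the capture as an attacker would. Returns what each crane did on replay."""
    key = bytes(range(32))  # constructed pairing key; real devices would set one at pairing
    fixed_tx, fixed_rx = FixedCodeTransmitter(0xC0FFEE), FixedCodeReceiver(0xC0FFEE)
    captured = fixed_tx.send("HOIST_UP")
    fixed_rx.handle(captured)                 # legitimate operator action
    fixed_replay = fixed_rx.handle(captured)  # attacker's replay of the same bytes

    rolling_tx = RollingCodeTransmitter(0xC0FFEE, key)
    rolling_rx = RollingCodeReceiver(0xC0FFEE, key)
    captured = rolling_tx.send("HOIST_UP")
    rolling_rx.handle(captured)               # legitimate operator action
    rolling_replay = rolling_rx.handle(captured)
    return {"fixed": fixed_replay, "rolling": rolling_replay}


if __name__ == "__main__":
    print(replay_demo())  # {'fixed': 'HOIST_UP', 'rolling': None}
```

The tag gives the crane authenticity and replay resistance, but the command byte is still readable over the air, which is the advisory's "view commands" finding; if confidentiality matters too, an AEAD such as AES-GCM with the counter as nonce gives both in one pass. The receiver must also persist `last_counter` across power cycles, otherwise every reboot reopens the replay window.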
The F25 Series has a wide range of applications, from the assembly floor to vehicle-mounted cranes and more. That versatility also means the exposure is wide: an attacker has a target-rich environment.
There are plenty of nightmare scenarios in which this weakness could be used to wreak havoc on a factory floor or in the streets, whether to disrupt a city or to carry out corporate sabotage.
Fortunately, no exploitation has been reported so far, and Telecrane has already released a firmware update that addresses the weakness.
The NCCIC has formally issued a list of recommendations to minimize the risk for those using this type of remote control:
- Minimize network exposure for all control system devices by ensuring they are not accessible from the Internet
- Place control system networks and remote devices behind firewalls
- Isolate them from the business network
- Where remote access is required, use a Virtual Private Network (VPN), keeping in mind that a VPN is only as secure as the devices connected to it
- Perform a proper impact analysis and risk assessment before deploying defensive measures
From Cranes to Your Organization
While most of us are not operating multi-ton equipment, the advisory is a stark reminder that when a basic safeguard is overlooked (here, authenticated, replay-resistant signalling instead of fixed codes sent in the clear; encryption alone would not have been enough, since an encrypted frame can be replayed as easily as a cleartext one), dangerous weak points appear and may be exploited.
But, honestly, that is where the similarities may end for most businesses. Some of the advice the NCCIC gives falls short for most organizations. Here is what I mean:
- The NCCIC recommends keeping devices off the Internet entirely. But a network with no Internet connectivity is simply not feasible for most organizations. Businesses need a more nuanced approach.
- They also recommend a VPN for remote access. But, as they themselves point out, a VPN by itself will not give you the security you need; it only extends the network to whatever device connects to it.
That being said, one thing the NCCIC said that definitely applies to everyone is that organizations should conduct a risk assessment before changing their defensive posture. Tim Roncevich, Partner at CyberGuard Compliance, agrees: "Undergoing an audit or compliance initiative can be a daunting task and a significant investment in time and money. You need assurance the audit outcome will have a high likelihood of success. I highly recommend you undergo a readiness assessment before embarking on any new compliance initiative. It helps answer many of the questions around the audit scope, documentation requirements, and internal resources needed to complete the audit."
You need a clear-eyed view of where you stand. If you don’t have a comprehensive understanding of your cybersecurity posture, you are only guessing as to where you should bolster your efforts.
From World War II to Today
The CIA has declassified a World War II era document that was circulated by the OSS (the precursor of the CIA). Titled the Simple Sabotage Field Manual, it lists 16 things ordinary citizens could do to slow the economy of an occupying force. Surprisingly, much of its practical advice could serve as inspiration for cyber-criminals wishing to slow a company's (or an entire country's) economic progress. Here are three examples (paraphrased):
- Managers and Supervisors: To lower morale, be pleasant to inefficient workers; give them undeserved promotions.
- Telephone: At the office, delay putting calls through, give out wrong numbers, cut people off “accidentally,” or forget to disconnect them so that the line cannot be used again.
- Transportation: Make train travel as inconvenient as possible. Issue two tickets for the same seat on a train in order to set up an “interesting” argument.
These are manual actions, but a cyber-criminal can achieve the same effect through cyber-sabotage. Instead of praising unproductive employees, an attacker can manipulate employee records. Instead of giving out wrong numbers, they could take down a company's email servers with a DDoS attack. And a deal could be put in jeopardy by tampering with an executive's travel plans.
To counter these threats, organizations should stay vigilant by keeping up with these best practices:
- Robust password management
- Multi-Factor Authentication
- Log Management
- Network monitoring
- Encryption
- Centralized Encryption Key Management
While most businesses do not use equipment that accepts fixed codes that can be captured by sniffing a communication link and simply replayed, they still have virtual infrastructure that needs defending against sabotage. The only ready defense is vigilance and cybersecurity best practices.