The CrowdStrike Incident: Proof Critical Infrastructure is not Prepared for Real Cyber Threats
Introduction
After my third trip to LAX in a single day to drop off a friend battling endless flight delays and cancellations due to the global CrowdStrike outage, my mind began to wander. First, will my repeated treks through LAX’s notorious traffic to save my friend cab fare earn me some angelic wings in the afterlife? And second, how would the world respond to a genuine coordinated attack on our critical infrastructure? The latter question weighs heavily, especially after navigating the chaos sparked by a mere software outage.
What the heck happened?
On Friday, July 19, 2024, CrowdStrike pushed a faulty update to its Falcon Endpoint Detection and Response (EDR) product, causing an estimated 8.5 million devices to crash:
“July 20 (Reuters) – A global tech outage that was related to a software update by cybersecurity firm CrowdStrike (CRWD.O) affected nearly 8.5 million Microsoft (MSFT.O).” (https://www.reuters.com/technology/microsoft-says-about-85-million-its-devices-affected-by-crowdstrike-related-2024-07-20/) Microsoft further amplified this in a blog post on the same day, stating that affected Windows devices [equated to] less than one percent of all Windows machines. “A software update by global cybersecurity firm CrowdStrike, one of the largest operators in the industry, triggered systems problems that grounded flights, forced broadcasters off air and left customers without access to services such as healthcare or banking.”
Due to the massive scale of the outage, many of the affected industries are still not running at full capacity, causing a major strain on the global population’s day-to-day affairs. One of the major concerns raised by Redbot Security’s clients, and witnessed first-hand by our senior testing consultants who were onsite for penetration testing of critical services with Industrial Control Systems and SCADA environments, was that the media only mentioned the main industries, such as travel, shipping, and finance, but failed to mention or highlight any impact on power, water, electricity, waste treatment facilities, etc., which could have had incredibly alarming effects on the global population.
As of writing this blog post, the CEO of CrowdStrike has released a statement addressing the incident and providing guidance on how to mitigate the corrupted update: https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/. However, given the scope of the damage, the need for manual intervention to correct these devices may be another reason the world will be feeling the sting from this event for days to come. Yes, you read that correctly: AI and automation did not save IT and security teams from a loss of sleep and exhaustion as they manually went machine-to-machine to issue repairs. These are our unsung heroes and heroines, and we salute you.
Interestingly enough, sighs of relief were expressed on the news and across the tech blogosphere because the outage wasn’t the result of malicious actors. I think this cautionary tale should elicit great concern about what our ever-growing technological future looks like when facing real and potentially damaging cyber threats.
How critical is the state of our infrastructure?
Here at Redbot Security, we specialize in performing penetration tests against Operational Technology (OT) networks, targeting SCADA and Industrial Control System (ICS) environments. Our team has had remarkable success compromising these networks due to outdated software in use, lack of proper network segmentation between the IT network and the OT network, default admin credentials on SCADA devices, and lack of endpoint security solutions to detect and prevent malicious threats. Consider that these were assessments for organizations that have the time and resources to include third-party penetration tests in their security program. Globally, many ICS and SCADA environments do not have the budget or personnel to ensure a robust security posture against Advanced Persistent Threats (APTs), especially those funded by nation-state threat actors.
In March 2024, the U.S. Department of the Treasury sanctioned the Chinese company Wuhan Xiaoruizhi Science and Technology, and the individuals Zhao Guangzong and Ni Gaobin, for cyberattacks targeting U.S. critical infrastructure. These actors were linked to the Chinese state-sponsored APT31 hacking group.
https://home.treasury.gov/news/press-releases/jy2205
Even abroad we see similar attacks taking place. An article from UC Santa Cruz details malware attacks on Ukraine’s power grid, specifically Industroyer One and Two, which caused significant blackouts in 2016 and 2022. These attacks, attributed to Russian military intelligence, highlight the evolving threat of cyberattacks on physical infrastructure.
https://news.ucsc.edu/2024/05/ukraine-cybersecurity.html
It does not come as a surprise that most successful attacks against Industrial Control Systems originate from social engineering tactics, where attackers manipulate individuals to gain initial access. This could involve phishing emails, pretexting, or baiting to trick employees into revealing sensitive information or granting access to the network. Once the initial foothold is established, attackers can move laterally within the network, exploiting vulnerabilities and escalating privileges to reach and compromise critical systems. The human element remains a significant vulnerability, emphasizing the need for comprehensive security awareness training and robust phishing defenses in ICS environments.
As global conflicts intensify, the frequency and sophistication of cyberattacks against Industrial Control Systems are poised to rise. Critical infrastructure, such as power grids and water supplies, is increasingly at risk, exacerbated by the shortage of cybersecurity professionals and the limited resources dedicated to defense. This alarming trend underscores the urgent need for robust cybersecurity measures and international cooperation to safeguard essential services from disruptive and potentially devastating cyber incidents. Proactive investment in cybersecurity talent and technology is crucial to counter these growing threats.
But there is still hope!
Protecting Industrial Control Systems (ICS) and SCADA systems from cyberattacks is critical for maintaining the integrity of essential services. Organizations can take the following steps to safeguard their critical assets, tailored to their budget and personnel capabilities:
For Organizations with Sufficient Budget and Personnel:
- Comprehensive Security Assessments: Regularly conduct security assessments and vulnerability scans to identify and mitigate potential threats.
- Network Segmentation: Implement robust network segmentation to isolate critical systems and limit the spread of malware.
- Advanced Threat Detection: Utilize advanced intrusion detection and prevention systems (IDS/IPS) tailored for ICS environments.
- Continuous Monitoring: Establish 24/7 monitoring of networks and systems to detect and respond to anomalies in real-time.
- Employee Training: Invest in ongoing cybersecurity training programs for employees to recognize and respond to potential threats.
- Incident Response Plan: Develop and regularly update an incident response plan, including simulations and drills to ensure preparedness.
For Organizations with Limited Budget and Personnel:
- Basic Security Hygiene: Ensure all systems are patched and up-to-date to prevent exploitation of known vulnerabilities.
- Firewall and Access Control: Implement basic firewall protections and strict access controls to limit unauthorized access to critical systems.
- Regular Backups: Maintain regular backups of critical data and systems to enable quick recovery in case of an attack.
- Use of Open-Source Tools: Leverage open-source security tools for monitoring and protecting ICS environments.
- Third-Party Security Services: Consider partnering with third-party security service providers for managed security services, which can be more cost-effective.
- Employee Awareness: Conduct basic cybersecurity awareness training for all employees to reduce the risk of phishing and other social engineering attacks.
By adopting these tailored strategies, organizations can enhance their cybersecurity posture, regardless of their budget constraints, ensuring the protection of their critical ICS and SCADA assets from evolving cyber threats.
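The network segmentation and firewall/access control items above are the ones most often found lacking between IT and OT networks. As an added illustration (example code written for this page, not Redbot Security's own tooling), the following Python script audits a firewall ruleset for allow rules that let the IT zone reach the OT zone. The zone address ranges, the jump-host address, the rule names and the sample ruleset are all constructed assumptions for the example; the ICS port numbers are the standard TCP ports of those protocols.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone layout for this example (not a real site): a corporate IT
# range and an OT/SCADA range that should only be reachable through a jump host.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("192.168.100.0/24")
APPROVED_IT_SOURCES = [ipaddress.ip_network("10.10.5.10/32")]  # hypothetical jump host

# Standard TCP ports of common ICS protocols; none should be exposed to the IT zone.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7/ISO-TSAP"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means every port
    action: str          # "allow" or "deny"


def _to_net(cidr: str):
    """Translate the firewall's "any" keyword into the all-addresses network."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def _is_approved_source(src) -> bool:
    return any(src.subnet_of(approved) for approved in APPROVED_IT_SOURCES)


def audit_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for allow rules that weaken IT->OT segmentation."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src, dst = _to_net(rule.src), _to_net(rule.dst)
        # Only rules that can carry traffic from the IT zone into the OT zone matter here.
        if not (src.overlaps(IT_ZONE) and dst.overlaps(OT_ZONE)):
            continue
        if src.prefixlen == 0 or dst.prefixlen == 0:
            findings.append((rule.name, "wildcard address spans the IT/OT boundary"))
        if rule.port is None:
            findings.append((rule.name, "allows every port from IT into OT"))
        elif rule.port in ICS_PORTS:
            findings.append((rule.name, f"exposes {ICS_PORTS[rule.port]} to the IT zone"))
        if not _is_approved_source(src):
            findings.append((rule.name, "source is not the approved jump host"))
    return findings


# Constructed sample ruleset, the shape of a typical perimeter firewall export.
SAMPLE_RULES = [
    Rule("corp-to-ot-any", "10.10.0.0/16", "192.168.100.0/24", "any", None, "allow"),
    Rule("jump-to-hmi-rdp", "10.10.5.10/32", "192.168.100.20/32", "tcp", 3389, "allow"),
    Rule("corp-modbus", "10.10.0.0/16", "192.168.100.0/24", "tcp", 502, "allow"),
    Rule("any-to-ot", "any", "192.168.100.0/24", "any", None, "allow"),
    Rule("ot-to-it-deny", "192.168.100.0/24", "10.10.0.0/16", "any", None, "deny"),
    Rule("it-internal", "10.10.1.0/24", "10.10.2.0/24", "tcp", 445, "allow"),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Only the rule that pins a single approved jump host to a single HMI on a single non-ICS port passes clean; the wildcard and broad-subnet rules are each flagged for every way they erode the boundary, which is the kind of list a segmentation review should produce before an attacker with a phished IT workstation produces it for you.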
Defending your network from cyber threats is more crucial than ever, and having the right team to navigate through the myriads of roadblocks is the perfect start. At Redbot Security, we specialize in providing expert consultation and guidance on the best practices to secure your infrastructure. Our team of seasoned professionals can help identify vulnerabilities, fortify defenses, and ensure your systems are resilient against attacks. Do not wait for a breach to happen—contact us today for a comprehensive security consultation and request a quote for a penetration test to uncover and address potential weaknesses before they can be exploited. Your security is our priority.
Are you still listening?
Reflecting on the CrowdStrike blackout, we can see it as a mild preview of potential cyber disasters. Flight delays and cancellations are inconvenient, but they pale in comparison to the havoc a cyberattack on critical infrastructure would wreak. People lose their collective minds every time popular social media platforms go down for an hour. Imagine a national blackout or a crippled water plant: transportation, healthcare, and communication systems would collapse, leading to chaos and life-threatening situations. The risk to public health and safety is immense. This underscores the urgent need for robust cybersecurity measures. Hopefully, my frustration from wasted trips to the airport is just fuel for awareness, because we still have time to act!