[BreachExchange] Why DDoS attacks are a major threat to industrial control systems

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jun 24 14:34:20 EDT 2021


https://www.controleng.com/articles/why-ddos-attacks-are-a-major-threat-to-industrial-control-systems/

A distributed denial of service (DDoS) attack is a malicious attempt to
sabotage a network by overwhelming its ability to process legitimate
traffic and requests. The effect is to deny the victim a service, causing
downtime and costly setbacks. A DDoS attack is a network-based attack: it
abuses internet services such as the domain name system (DNS) and the
network time protocol (NTP) as reflectors and amplifiers, and it is aimed
at the network devices that connect your organization to the internet.
Such devices include routers (traditional WAN routers as well as ISP edge
routers), load balancers and firewalls.

There is quite a bit of confusion among information technology (IT)
professionals about the difference between a DDoS attack and a standard
denial of service (DoS) attack. A DDoS attack differs from a standard DoS
attack in two specific ways.

   - A standard DoS attack directly attacks a particular resource, such as
   a web server, email server or industrial control system (ICS) device. A
   DDoS attack targets the devices that provide access and connectivity to the
   servers and services on a network.
   - The other difference lies in the first "D," which stands for
   distributed. A DoS attack comes from a single source, whereas a DDoS
   attack comes from a large network of compromised devices, a botnet.
   Reflection, source-address spoofing and sheer distribution make DDoS
   attacks very difficult to thwart: filtering by source address does not
   help when the sources are forged or number in the hundreds of thousands.

It is common for even experienced IT pros to assume that most DDoS attacks
rely on large amounts of traffic. This is not the case. More than 99% of
successful attacks use a very small number of malicious packets: a
protocol or application-layer attack that exhausts a connection table or a
slow request handler needs far fewer packets than it takes to saturate a
link. Large-volume (volumetric) attacks get the attention because it is
easy to explain how a massive amount of traffic overwhelmed network
resources.
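The two points above, the single-source versus distributed distinction and the fact that an effective attack need not be high-volume, are easiest to see on flow telemetry. The following is an added example, not code from the article: it classifies constructed one-second flow aggregates (the `key=value` line format and all addresses are my own, not a real NetFlow/IPFIX export) by packet rate, source diversity and SYN-only flow count, so that a low-volume half-open attack against a device with a small TCP backlog is still flagged.

```python
import re
from collections import defaultdict

# Added example, not code from the article. The flow lines are constructed
# (key=value fields of my own naming, not a real NetFlow/IPFIX export) and
# model one-second aggregates: t=window start, flags=S means SYN-only.


def make_sample_flows():
    """Constructed flow records for one second of traffic toward four hosts."""
    lines = []
    # 1) Distributed SYN flood: 200 (spoofable) sources, 10 SYNs each.
    for i in range(1, 201):
        lines.append(f"t=100 src=198.51.100.{i} dst=192.0.2.10 proto=tcp flags=S pkts=10")
    # 2) Single-source flood: one host sending 5000 packets.
    lines.append("t=100 src=10.0.0.99 dst=192.0.2.20 proto=udp flags=- pkts=5000")
    # 3) Benign established session.
    lines.append("t=100 src=10.0.0.5 dst=192.0.2.30 proto=tcp flags=SA pkts=40")
    # 4) Low-rate half-open attack on a PLC: 80 SYNs, one per source, 80 packets total.
    for i in range(1, 81):
        lines.append(f"t=100 src=203.0.113.{i} dst=192.0.2.40 proto=tcp flags=S pkts=1")
    return lines


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Turn 'k=v k=v ...' into a dict; raises if a required field is missing."""
    fields = dict(FIELD_RE.findall(line))
    for required in ("t", "src", "dst", "pkts"):
        if required not in fields:
            raise ValueError(f"missing {required}: {line!r}")
    return fields


def classify_flows(lines, window=1, pkt_threshold=1000, src_threshold=50, backlog=64):
    """Per destination and time window, decide whether traffic looks like a
    single-source DoS, a distributed DDoS, and/or a SYN flood.

    - 'dos'       : packets >= pkt_threshold from fewer than src_threshold sources
    - 'ddos'      : packets >= pkt_threshold from src_threshold or more sources
    - 'syn_flood' : at least `backlog` SYN-only flows regardless of volume
                    (a small TCP backlog on an embedded device needs few packets)
    """
    stats = defaultdict(lambda: {"pkts": 0, "srcs": set(), "syn_only": 0})
    for line in lines:
        f = parse_flow(line)
        key = (f["dst"], int(f["t"]) // window)
        s = stats[key]
        s["pkts"] += int(f["pkts"])
        s["srcs"].add(f["src"])
        if f.get("proto") == "tcp" and f.get("flags") == "S":
            s["syn_only"] += 1

    verdicts = defaultdict(set)
    for (dst, _win), s in stats.items():
        if s["pkts"] >= pkt_threshold:
            verdicts[dst].add("ddos" if len(s["srcs"]) >= src_threshold else "dos")
        if s["syn_only"] >= backlog:
            verdicts[dst].add("syn_flood")
    return dict(verdicts)


if __name__ == "__main__":
    for dst, labels in sorted(classify_flows(make_sample_flows()).items()):
        print(dst, sorted(labels))
```

The thresholds are illustrative; in practice they are tuned per asset, and the `backlog` figure should come from what the device actually accepts, since many PLCs and RTUs hold only a few dozen concurrent TCP connections.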

Attack motives

DDoS attack perpetrators have many motives. They can be politically or
financially motivated. Nation-states have been known to conduct DDoS
attacks as part of efforts to disrupt communications during military
campaigns or as part of efforts to cause chaos worldwide. Some actors have
no particular motivation at all. In any case, an attacker will deny the
victim access to their servers, disable physical network equipment or
simply wreak havoc.

While no one is completely safe from DDoS attacks, critical infrastructures
and centralized control systems are the most vulnerable. These industries
should be the ones paying the most attention to DDoS attacks and investing
the most in their cyber protection.

ICSs are vulnerable to DDoS attacks

ICSs are an integral part of our lives today. They allow for easier
management of our most critical infrastructures and processes.
Manufacturing, gas, water, power distribution and transportation all depend
on ICSs to keep their processes running on a daily basis.

What’s more, the emergence of the Industrial Internet of Things (IIoT) has
let operators automate tasks and control plant equipment remotely from a
single location. That has greatly improved workflow efficiency, speed and
accuracy, but the same remote reachability is what exposes those controls
to network-based attacks.

ICSs also have many cybersecurity issues. From default or weak passwords on
internet of things (IoT) devices and unpatched open-source components, to
commodity IP-based communication protocols that were never designed with
authentication in mind, ICSs have more than a few DDoS-relevant weaknesses.
With so much operational equipment and so many ICS layers to audit,
malicious traffic or malware can easily pass through unnoticed. That is
frightening, considering how much we depend on these systems and what is at
stake.

Anyone can execute a DDoS attack

In 2020, DDoS attacks were on the rise, partly due to the COVID-19
pandemic, which forced many sectors into digitalization. Unsurprisingly,
hackers took this as an opportunity to cause disruption and earn some money
on the side. State-sponsored actors saw 2020 as an opportunity to disrupt
business worldwide.

As devastating as they can be for the target, DDoS attacks can be
relatively easy to execute.

With the emergence of booters/stressers (DDoS-for-hire services that rent
out botnet capacity), even those without any programming knowledge can
carry out a successful DDoS attack. Many attackers also enlist
long-established botnets to help with DDoS attacks.

DDoS attacks are costly for the target

DDoS attacks are expensive for the victim, causing economic and
reputational losses. According to Kaspersky’s 2017 report, the average cost
of a DDoS attack for enterprises was around $2 million. However, years have
passed and attacks have evolved and are now even more devastating. It’s
fair to say this figure would be much higher today.

Cost isn’t the only loss. Some things simply can’t be measured, such as
brand reputation damage and loss of trust with clients and customers, among
many other intangible effects.

Aside from the resulting downtime and legal fees, a DDoS attack can be
costly in many other ways, especially for ICSs. The energy, manufacturing
and health care sectors, for example, are being increasingly targeted. An
attack can stop all production and deny vital services and resources to
millions of people. And shutting down crucial processes and equipment could
potentially cause major, even fatal, incidents.

DDoS attacks are becoming more sophisticated

Recent technological advances have brought about efficiency in every
possible way. Many people possess or benefit from multiple IoT devices,
from everyday personalized gadgets and appliances to complex machines and
robots that can build entire structures. However, as technology evolves, so
do DDoS attacks.

DDoS attacks are expected to become even more devastating as they deny
network connectivity to our smart devices, rendering them useless. DDoS
threat actors threaten to exploit various emerging — and emerged —
technologies.

First of all, 5G and Wi-Fi 6 have made connection and communication between
devices faster and smoother than ever. As more devices come online, the
pool of poorly secured endpoints that attackers can recruit into botnets
grows with it.

Automation has found its way into the attackers' arsenal as well. Botnet
malware can find, breach and hijack devices on its own, without a human in
the loop. That is how Mirai, history’s most notorious IoT botnet, compromised
hundreds of thousands of devices using nothing more than a list of default
credentials, and why its variants remain one of the biggest cyber threats to
this day.

DDoS attack tactics are also changing with time. Recently, attackers have
been modifying their use of longstanding DNS amplification techniques. In
short, the attacker sends small queries with the source address forged to
the victim's, and open resolvers return large responses that flood the
victim instead of the attacker.
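To make the amplification concrete, here is an added example (not code from the article) that builds a real wire-format DNS query carrying an EDNS0 OPT record, pairs it with a constructed oversized TXT answer, and computes the bytes-received-per-byte-sent ratio. The answer contents, the transaction ID and the allow-list in `should_serve_recursion` are assumptions for illustration; nothing is sent on the network.

```python
import ipaddress
import struct

# Added example, not code from the article. Builds a wire-format DNS
# query (with an EDNS0 OPT record so a server may answer with a large UDP
# payload), a constructed large TXT answer, and computes the amplification
# an attacker gains when the query's source address is forged to the victim.

DNS_TYPE_TXT = 16
DNS_TYPE_OPT = 41
DNS_TYPE_ANY = 255
DNS_CLASS_IN = 1


def encode_name(name):
    """Dotted hostname -> DNS label sequence terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, udp_size=4096):
    """Header (RD set, 1 question, 1 additional) + question + EDNS0 OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    # OPT pseudo-RR: root name, type 41, the CLASS field carries the UDP payload size.
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size, 0, 0)
    return header + question + opt


def build_txt_response(query, texts):
    """Constructed answer: echoes the question, then one TXT RR per string."""
    (txid,) = struct.unpack("!H", query[:2])
    qname_end = query.index(b"\x00", 12) + 1           # end of the question name
    question = query[12:qname_end + 4]                 # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(texts), 0, 0)  # QR, RD, RA
    rrs = b""
    for text in texts:
        data = text.encode("ascii")
        # TXT RDATA is a sequence of <len><chars> strings of at most 255 bytes.
        rdata = b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                         for i in range(0, len(data), 255))
        rrs += (b"\xc0\x0c"                            # compression pointer to offset 12
                + struct.pack("!HHIH", DNS_TYPE_TXT, DNS_CLASS_IN, 3600, len(rdata))
                + rdata)
    return header + question + rrs


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker sends."""
    return len(response) / len(query)


def should_serve_recursion(src_ip, allowed_nets):
    """Open-resolver check: recurse only for sources inside the operator's own
    networks (allowed_nets is an assumed policy, not an article recommendation)."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n) for n in allowed_nets)


if __name__ == "__main__":
    q = build_query("example.com", DNS_TYPE_ANY)
    r = build_txt_response(q, ["A" * 255] * 10)
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"amplification x{amplification_factor(q, r):.1f}")
    print("recurse for 203.0.113.5?", should_serve_recursion("203.0.113.5", ["10.0.0.0/8"]))
```

A 40-byte query that elicits a 2.7 KB answer gives the attacker roughly 68x leverage, which is why resolvers should refuse recursion for outside sources, why authoritative servers apply response rate limiting, and why many servers now answer QTYPE=ANY with a minimal response (RFC 8482).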

What users can do to prevent DDoS attacks

Examples like Stuxnet, the worm that sabotaged uranium-enrichment
centrifuges at Iran’s Natanz facility, and the Ukrainian power grid attacks
were not DDoS attacks, but they show what a determined attacker can do to an
ICS and highlight the importance of investing in cyber protection.

We must build better defenses — address the security concerns surrounding
IoT devices, implement multilayer security solutions and closely monitor
every single activity in the ICS. After all, not doing so could compromise
our critical infrastructures.

On the bright side, we already have what it takes to fight DDoS attacks
effectively, and the best way to fight one is to prevent it. For
internet-facing services that usually means scrubbing services, spare
bandwidth to absorb an attack and a content delivery network (CDN). For an
ICS the more important step is to keep control networks off the public
internet, behind a demilitarized zone, so that a flood against the
corporate edge cannot reach the controllers themselves.

It’s important to have a detailed response plan in order to quickly stop
attacks and mitigate the consequences as much as possible.