An IoT DDOS attack against DYN.com in October used factory automation equipment to take down Netflix, Twitter, Amazon, and other high profile sites in large sections of the USA for several hours. DYN.com is a CDN (content distribution network) responsible for caching and replicating content around the world. Hackers used the default user ID and password built into IP cameras to create a botnet. This open IoT component was a large security hole that not many people had thought about before. Cyber defences are traditionally focused on hardening the IT systems in the plant, and not the factory automation devices themselves. Here we look at that exploit, and more generally at the nature of IoT in the factory.
There are two sides to IoT in the factory: Factory automation and the sensor-driven IP operating across wired and wireless networks. The second is what we usually think of when we write about IoT.
But if you talk to engineers who programme PLC devices, they will tell you that they have been doing IoT for decades. The only thing new is the name assigned to it. True. Yet the difference is that today there is the cloud, big data databases, and analytics. But programming a serial or ethernet PLC device to control a lathe, welding machine, or painting machine is still an old-fashioned ordeal of programming ladder logic using desktop PC software like RSLogix for the Allen Bradley serial PLC devices.
This kind of tedious programming has nothing to do with writing web services or otherwise using a full-featured programming language. Instead, the PLC programmer writes memory address information using the designation ‘file’, which is a file location and offset. The offset is the length of the data element. In the DF1 industrial protocol, the offset is the length of a single field, where the offset from the file’s initial location is the size of the element and element number. That size is given in hexadecimal, decimal, or octet notation. The values are written as a string of single values. These are simple commands like start, stop, change baud rate, rotate, etc. that together describe a complete industrial process.
Industrial network routers convert this serial (or ethernet) data to send to other serial or ethernet devices, and the management cloud. So it is difficult to imagine a hacker hacking this, since they are focused on PC hardware and network devices. Yet, attacking PLC devices is exactly what the American spy agencies allegedly did in 2010. They are said to have attacked Siemens PLC controllers that ran the centrifuges in Iranian nuclear fuel enrichment facilities. The Stuxnet worm was introduced by a phishing attack on Windows PCs. That attack caused the centrifuges to spin out of control and break. That wildly effective, daring operation dealt a huge blow to Iran’s nuclear programme.
The other side of IoT is sensors deployed for preventive maintenance, predictive models, measuring uptime, and gathering data to make changes to the line. That is done by adding assembly and sub-assembly stations, adding shift operators, improving training, and shifting material flow.
Acoustic sensors ping devices and measure resonance to test the quality of materials and the completed product. They use transducers to convert mechanical to electrical energy to check vibration. Increased vibration indicates when a machine needs new filters, maintenance, or calibration. Plants count items with cameras to measure operator and station productivity. They check emissions, temperature, humidity, ambient light, etc. All of this data is used to operate the plant in real time and fine tune the factory floor through offline, after the factor analysis, and make changes to the assembly line, using planning software designed for that.
IP Camera Exploit
The October attack was caused by an IoT device that its Chinese manufacturer has since replaced. Hackers planted the Mirai DDOS malware in IP cameras and DVR recorders made by XiongMai Technologies, and unleashed up to 1.4 TBPS DNS traffic on the DYN.com cloud. That caused more traffic than the servers could respond too, thus taking them offline.
IP (internet protocol) cameras are obviously connected to the internet, so there is no need to attack them at any wireless industrial or wired non-Ethernet protocol, as would be the case with an industrial controller. And the camera’s IP network is what enabled hackers to discover their location in the first place. The hackers planted the malware easily because the devices had the default user-id and password. The password was hard-coded into the firmware. The hackers could log in with telnet and ssh.
In the write-up analyzing the attack, DYN.com made clear what the problem is when they wrote: “During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic.” Despite their efforts to surge bandwidth and shape traffic, two successive waves of attacks overwhelmed their systems for several hours.
The source code for Mirai is freely available on the internet. So the hackers did not write anything new. One part of the attack came from the Mirai command and control centre, showing perhaps an increased level of sophistication that warrants further analysis. This botnet was also released on the security blog Krebs and the French ISP and hosting company OVH earlier last year. Different parties have claimed responsibility, although no group has of yet been confirmed as the actual culprit. The consensus is this was not state-sponsored.