At the Industrial Security Conference, 13-15 November, Jos Wetzels, Co-founding Partner and Security Researcher at Midnight Blue, will together with his partners Carlo Meijer and Wouter Bokslag explore the new findings from their research on the TETRA radio standard, used globally by police and military forces.
Before the conference in November you can read an interview with Jos here.
What is your background? And how do you work with industrial security on a daily basis?
I am currently a Partner at Midnight Blue, a specialist security consultancy firm based in the Netherlands focusing on critical infrastructure and embedded systems in particular. In the past I’ve worked as a research assistant at the University of Twente in the Netherlands developing exploit mitigation solutions for resource-constrained Industrial Control System devices. On a day-to-day basis Midnight Blue performs various industrial security services, such as pentests, red teaming, in-depth vulnerability assessments, architecture reviews, and incident response support, for customers including several major European electric and water utilities, high-tech manufacturers, and government agencies.
What do you see as the biggest opportunities and challenges in connection with cyber- and industrial security?
Two major challenges have stood out since the advent of industrial cyber-security and continue to stand out:
1) The continuing pervasiveness of insecure-by-design systems, compounded by the long lifecycles of legacy equipment and the slow pace of OT product security improvement even in newer equipment
2) The sheer scale and opacity of industrial environments. Many asset owners have little clue as to what kind of devices and systems they are running and how exactly they are connected to which other systems – let alone have a granular and automatically updated view of component part numbers, firmware versions, and network links. In many cases their asset inventories exist in a handful of Excel sheets – scattered across different sites – updated once in a while through manual walkdowns, with network and system diagrams sometimes only available in not fully up-to-date hardcopy. All of this is compounded by the fact that new subsystems and connectivity get added on top of this over time.
One of the biggest opportunities in industrial security comes with automation: there’s an increasing number of OT-focused security tools (for asset inventory building, vulnerability management, network monitoring and intrusion detection, etc.) that are able to tackle the massive security backlogs and gruntwork that simply isn’t doable otherwise and eats entire budgets. This has the potential to get the security posture of these organizations finally up to the point where they can start focusing on less automatable and more labor-intensive security efforts required to keep pace with more advanced and modern adversaries.
When looking forward just 5-10 years, what do you think will be different within security?
It’s always hard to forecast – especially in a field as dynamic and as dependent upon various other developments as security – but when talking about industrial security specifically, I think one thing we will see is that with the increasing adoption of cloud services in OT/IIoT, there will be an increasing number of level 1 devices or data gateways communicating directly with cloud providers, with all that implies. We’ve seen with SolarWinds and Kaseya how compromising a single vendor can be leveraged to rapidly compromise many of their customers. Given how a handful of OT product vendors dominate certain sectors, and how they often have privileged remote maintenance connectivity to customer systems and will have cloud connectivity in the future, I think we’re also due for some big supply chain attacks specifically targeting the bigger OT vendors.
Also, look at the recent MOVEit-related breaches or the perpetual compromises facilitated by Fortinet or Barracuda perimeter devices. There are tons of OT-specific public-facing software packages and supposedly secure perimeter devices with an equally terrible security posture that almost nobody has looked at. Once ransomware gangs see other targets dry up, we may see a lot more focus on previously underexamined attack surfaces like these at industrial and infrastructural organizations.
From your point of view, how do you think we get more diversity in the industry?
One of the things that’s very important in industrial security – even more so than in cyber-security in general – is having sufficient interdisciplinarity. Understanding complex systems-of-systems across different sectors, assessing potential threats and impacts, etc. requires an interplay between various skillsets ranging from cyber-security skills and domain-specific technical knowledge (devices, protocols, busses, etc.) to electrical and chemical engineering and complex systems analysis. Getting the right people around the right table – and getting them to talk each other’s language and understand each other’s priorities – is hard but crucial.
What are your own expectations for the conference? And which keynotes are you looking forward to hearing?
I’m pretty excited to talk to other industrial security professionals, especially from different industrial sectors around Europe, and hear what problems they’re struggling with and how they are planning to tackle them.
What will your keynote be about, and which learnings are you hoping the participants take with them?
Our talk will be about several serious vulnerabilities which we’ve uncovered in the TETRA radio standard – which is used globally by police and military forces but also for SCADA Wide Area Networking. This standard uses proprietary cryptography which has been kept secret for over 20 years and has now been made available by us for public inspection for the first time. We found several flaws in the standard itself and many more in the radio equipment used, including a backdoor in the TEA1 cipher used by critical infrastructure which allows attackers to break it on consumer hardware in under a minute and subsequently intercept, but also inject, traffic. Since these networks are typically used to directly carry telecontrol traffic to RTUs, this can have a very serious impact. We’ll discuss technical details as well as relevant mitigations for participants so they can harden their networks relying on this technology – and make informed future procurement decisions.
Do you want to hear more about the flaws found in TETRA radios used globally?
At the Industrial Security Conference, 13-15 November, Jos Wetzels will together with his partners Carlo Meijer and Wouter Bokslag explore the new findings from their research on the TETRA radio standard, used globally by police and military forces. Read more about the conference and sign up today.