ICS Industrial networks in need of RAT control Remote Administration Tools in ICS environment are an additional risk factor, and not necessarily a justified one. Nikolay Pankov September 20, 2018 Remote Administration Tools (RATs) have always been controversial. Yes, they let people avoid direct access to hardware, but at the same time, they put computer systems at risk by opening remote access to equipment. In an industrial environment, remote access is especially dangerous, and so our colleagues from KL ICS CERT undertook a study on how widespread RATs are on industrial computers and what harm they can cause. According to statistics from Kaspersky Security Network, in the first half of 2018 legitimate RATs were installed on one in three industrial systems using Windows OS. By industrial systems we mean SCADA servers, historian servers, data gateways, engineers’ and operators’ workstations, and human–machine interface computers. Sometimes, local administrators and engineers use RATs in their daily work. Sometimes, outside parties such as system integrators or industrial control system developers need remote access for diagnostics, maintenance and troubleshooting. So actually, in some cases RATs are used not for operational needs but to lower service costs. And even if they are required for normal technological processes, it is worth assessing possible risks and maybe even restructuring processes to decrease attack surface. Another possibility cannot be excluded: To deceive protective solutions, malware actors sometimes use legitimate remote administration software as an attack tool. What is the problem? It appears that not all specialists understand the dangers of RATs in industrial networks. Here is what our colleagues found about the RATs in the systems they examined: They often used system privileges; They did not let administrators limit access to the system; They did not employ multifactor authentication; They did not log clients’ actions; They contained vulnerabilities — and not only yet-undiscovered ones (in other words, companies aren’t updating their RATs); They used relay servers that made the circumvention of NAT and local firewall restrictions possible; They typically used default passwords or had hardcoded credentials; In some cases, security teams did not even know that RATs were in use, so they didn’t know they had to consider this attack vector. But the main problem is that RAT attacks are very difficult to differentiate from normal activity. While investigating ICS incidents our CERT experts have seen many cases when malefactors used remote access tools for attacks. How to minimize risks To lower the risk of cyberincidents, Kaspersky Lab ICS CERT recommends taking the following steps: Conduct a thorough audit of remote administration tools used in your technological network, with an emphasis on VNC, RDP, TeamViewer, RMS/Remote Utilities; Get rid of all RATs that cannot be justified by operational needs; Analyze and disable any nonessential remote administration software integrated with automated control system software; In cases when RATs are needed for operations, disable unconditional access. Unconditional access should be enabled only upon a documented request — and only for a limited time; Establish thorough control and event logging for each remote administration session. You can find the complete report on this study on the Securelist blog. More ICS-related researches, alerts and advisories can be found on Kaspersky Lab ICS CERT website.
Read next What’s a guest Wi-Fi network, and why do you need one? We explain what a guest Wi-Fi network is, how to set one up, and what video game consoles and other IoT devices have to do with it.
Tips How to set up security and privacy in Strava Want to keep your runs, rides, and hikes private on Strava? This guide will walk you through the essential privacy settings in this popular fitness app.
Tips Run for your data: Privacy settings in jogging apps Running apps know a lot about their users, so it’s worth setting them up to ensure your data doesn’t fall into the wrong hands. Here’s how.
Tips When you get a login code for an account you don’t have What to do if you receive a text with a two-factor authentication code from a service you’ve never registered for.
Tips School and cyberthreats Why cybersecurity in education is critical, and how to protect schools from attacks.