On March 5th, 2019, a Denial of Service (DoS) cyberattack impacted a US power company. Although the event did not have any dramatic outcomes on the company, it highlighted a critical purpose of DoS attacks that is not often discussed.
A Denial-of-Service (DoS) is a type of attack which floods its target with a massive number of requests or data. By overloading the network or computing resources, it attempts to crash the target or prevent legitimate users from accessing company assets and systems.
An attacker may utilize multiple sources (numerous attacking hosts) in order to enhance the effectiveness of the attack. This adds a “distributed” factor to the attack, which is referred to as “DDoS”.
In certain cases, the goal of a DoS attack is not only to affect system availability but to act as a smoke screen or as an additional measure to infiltrate a company. The DoS is used to knock out the company's defenses and systems, thus exposing it to dangers such as the injection of malicious traffic and other activities that accompany the DoS attack.
During the aforementioned event, the company's perimeter network devices (i.e. firewalls) were rebooted by exploiting a vulnerability in the devices. These unplanned reboots resulted in brief losses of communication between field devices and the company's control center.
Potentially, there could be more to this incident than a DoS attack. To identify possible attack vectors that may accompany a DoS attack, security teams need to analyze it at a broader level.
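One way to analyze such an event at the broader level described above is to correlate every unplanned perimeter-firewall reboot with the field devices that went silent right after it, so that each blind window can be reviewed for other activity. The following is an added illustration, not code from the original article or from the affected company; the log lines, device names, and heartbeat streams are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (illustrative; not logs from the real incident).
FIREWALL_EVENTS = [
    "2019-03-05T09:12:01 fw-edge-1 unexpected reboot, uptime reset",
    "2019-03-05T11:40:33 fw-edge-1 scheduled reboot (maintenance window)",
    "2019-03-05T13:05:10 fw-edge-1 unexpected reboot, uptime reset",
]
T0 = datetime(2019, 3, 5, 9, 10)

def constructed_heartbeats(missing_minutes):
    """One heartbeat per minute for 5 hours from T0, minus the listed minutes."""
    return [T0 + timedelta(minutes=i) for i in range(300) if i not in missing_minutes]

HEARTBEATS = {  # field device -> heartbeat timestamps (constructed)
    "rtu-substation-a": constructed_heartbeats({3, 4, 5}),        # silent 09:13-09:15
    "rtu-substation-b": constructed_heartbeats({3, 4, 236, 237}), # silent twice
    "rtu-substation-c": constructed_heartbeats({120}),            # single drop at 11:10
}

def find_gaps(beats, max_gap=timedelta(minutes=2)):
    """Return (last_seen, next_seen) pairs where the silence exceeded max_gap."""
    return [(a, b) for a, b in zip(beats, beats[1:]) if b - a > max_gap]

def unplanned_reboots(lines):
    """Parse firewall log lines; keep reboots that are not marked as scheduled."""
    out = []
    for line in lines:
        ts, _host, msg = line.split(" ", 2)
        if "reboot" in msg and "scheduled" not in msg:
            out.append(datetime.fromisoformat(ts))
    return out

def correlate(fw_lines, heartbeats, window=timedelta(minutes=10)):
    """Map each unplanned reboot to the field devices that went silent within
    `window` after it. Those windows are when the perimeter was blind and
    deserve a wider review of what else happened on the network."""
    result = {}
    for reboot in unplanned_reboots(fw_lines):
        hit = [dev for dev, beats in heartbeats.items()
               if any(reboot - timedelta(minutes=1) <= a <= reboot + window
                      for a, _ in find_gaps(beats))]
        result[reboot.isoformat()] = sorted(hit)
    return result

if __name__ == "__main__":
    for when, devices in correlate(FIREWALL_EVENTS, HEARTBEATS).items():
        print(f"{when}: unplanned perimeter reboot; silent devices: {devices or 'none'}")
```

The scheduled reboot is deliberately excluded so that maintenance windows do not drown out the unplanned ones worth investigating.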
These sorts of events can lead to major availability and safety issues for operations and production in industrial companies. Much of the impact can be minimized or prevented by following several important guidelines.
The guiding principle for protecting an industrial organization from a DoS attack is to minimize exposure to the Internet and to publicly accessible sources. The following checklist highlights the main topics that industrial companies should address in order to defend themselves against IT-OT DDoS attacks and the malicious activities that accompany them:
Define which controls are managed by the organization and which by external parties. To be sure, contact the Internet Service Provider (ISP) and ask which DDoS mitigation controls it offers and which are already in place.
Understanding the baseline will make detecting attacks and anomalies easier.
Playbooks make it clearer and easier for all teams involved in the process to respond, including OT teams, IT teams, cybersecurity teams, the ISP, law enforcement (if relevant), etc.
Verify that Business Continuity and Disaster Recovery plans are in place.
Verify that active accounts employ multi-factor authentication and complex passwords. Change passwords when needed.
This includes countries that may be hostile or involved in an upcoming attack, proxies that can be used for malicious purposes, etc.
Include the relevant corporate systems (external and internal), customers, critical partners, third parties, etc.
As DDoS attacks may affect other company assets besides system availability, strategic penetration testing sessions are also recommended.
This will help to compensate for the potential loss of revenue due to downtime, disclosure of data, extortion, legal fees, and PR fees.