Skip to content ↓ | Skip to navigation ↓

In today’s interconnected world, malicious actors take no issue in targeting industrial control systems (ICS). Just look at what’s happened in the past two years alone.

Actors have sent spear-phishing emails to a number of industrial organizations in the Middle East; gained unauthorized access to a dam in upstate New York; leveraged BlackEnergy malware to cause a power outage and attack an airport in Ukraine; inflicted ‘massive’ damage at a German steel mill by manipulating some of its control systems; and caused ‘some disruption’ at an unnamed nuclear power plant. And let’s not forget what Stuxnet did back in 2010.

All industrial organizations now confront the threat of a digital attack. To help defend against bad actors, many enterprises have set up notification systems through which end-users receive alerts and important information. Some organizations rely on mobile phone technology for their systems, but given others’ remote location, a cellular alert isn’t always the most reliable and straightforward means of communication.

In those situations, enterprises oftentimes turn to pagers – technology which allows for the exchange of SMS messages and short emails.

But there’s a problem. Pager messages are typically unencrypted, which allows attackers to eavesdrop on pages exchanged between employees. Depending on the content of those pages, actors could use passive intelligence to learn about an industrial organization and plan an attack.

Is that even possible? Just what types of information do pages exchanged in an industrial environment typically contain?

To find out, researchers at Trend Micro purchased a dongle for $20 and leveraged their knowledge of software-defined radio (SDR) to collect pages from industrial organizations. They then analyzed their data to determine the types of information that beepers used in ICS environments might be leaking to the outside world.

Harvesting the Pages

Between January 25, 2016, and April 25, 2016, the researchers picked up 54,976,553 records of pages. Approximately one-third of those (18,368,210) were alphanumeric.

screen-shot-2016-11-02-at-12-19-32-pm
Source: Trend Micro

Trend Micro explains what types of information those pages contained:

“During four months of observation, we saw messages containing information on contact persons, locations inside manufacturers and electricity plants, thresholds set in industrial control systems, field engineers who were flooded by too many messages, possible unreported restricted events, intranet IP address, intranet hostnames, Structured Query Language (SQL) table names and queries.”

For instance, in one nuclear power plant, Trend Micro observed that most unencrypted messages were written by humans and used to relate information about important incidents, such as reduced pump rate, fire accident, and nuclear contamination without personal damage.

Meanwhile, the researchers found that attackers could learn about a power company’s infrastructure by eavesdropping on pages exchanged at a substation.

screen-shot-2016-11-02-at-1-14-37-pm
Source: Trend Micro

Possible Attack Scenarios

Once attackers gain access to that data, they could do a variety of things with it.

First, if the pages contained personal information, such as email addresses, project codes and employee names, bad actors could go online and conduct social engineering attacks with the purpose of directly connecting to the organization’s network. If they succeeded, they could conduct industrial espionage or potentially sabotage some of the enterprise’s critical systems.

Second, the attackers could use the leaked information to simply break into an industrial organization at an opportune moment. Trend Micro confirms that point:

“Potential abuse of this information leaking out would involve malicious actors who want to break into a facility. To get in, they could monitor the building’s temperature settings, lighting settings, and other sensors and then alter those settings when no one is inside the building.”

Third, malicious actors could inject their own pages into an organization if they understand what type of page format it uses. As part of their analysis, Trend Micro’s researchers successfully proved that they could send a message to any pager as long as they have the right information and adequate radio/antenna power.

Attackers can exploit capability as the foundation for a number of secondary attacks, including data theft, social engineering, and creating false alarm emergency scenarios that could affect the operations of the enterprise.

Protecting the Pages

To prevent attackers from abusing unencrypted pages, Trend Micro recommends that industrial organizations do a variety of things:

  1. Encrypt the pager communication, even if it’s just with a simple pre-shared key.
  2. Authenticate the source of the page’s sender to prevent attackers from spoofing communication.
  3. Audit possible leakage when using an email-to-pager gateway.

Those measures will help to ensure the pages as a reliable form of communication in industrial environments.

For more findings from Trend Micro’s study, please click here.