Pagers Used in ICS Attacks

Monday, October 31, 2016 @ 05:10 PM gHale


Yes, people and companies still use pagers. What is interesting is that attackers can use these ancient devices to launch an attack against a chosen victim.

After analyzing the use of pagers in the healthcare industry, Trend Micro researchers are now looking at any kind of risk pagers pose to industrial environments, particularly critical infrastructure.

Industrial environments are becoming increasingly modern. ICSs and building automation systems (BAS) end up used by industrial sectors to automate various plant and peripheral operations. ICSs are built with more robust systems that can handle industrial processes that directly impact manufacture or operations. BAS, on the other hand, have simpler controls that manage some aspects of a facility such as heating or ventilation. However, both are capable of sending out notifications, which we will see in the case studies in the Passive Intelligence section, said Trend Micro researchers in a blog post.

An ICS consists of devices, systems, networks, and controls used to operate and/or automate industrial processes. These devices, which are specific to an industry, are found in almost every industry today – from the vehicle manufacturing and transportation segment to the energy and water treatment segment.

Industrial control systems (ICS) often rely on pagers to transmit information crucial for the operation of a facility. Pagers are used as backup communication systems and in places where cellular coverage is weak.

At issue is that messages sent to these devices are typically unencrypted, allowing anyone with the technical savvy and some inexpensive equipment to intercept the information.

Over a 4-month period, Trend Micro captured nearly 55 million messages sent to pagers in the United States and Canada, roughly one-third of which contained alphanumeric data. This is a high-quality source of passive intelligence since the data can include alarm or event notifications, diagnostics information, facility-related status updates, names, email addresses, phone numbers, project codes, and IP addresses.

This type of information can be highly useful for social engineering attacks, and even for lateral movement once the targeted network has been compromised.

Researchers analyzed messages sent by nuclear plants, power substations, chemical companies and defense contractors. Firms specializing in semiconductors, commercial printing and HVAC have also been found to leak potentially sensitive data via pagers.

Information from pages, which are often sent via email-to-pager or SMS-to-pager gateways, can be used for various purposes, as explained by Trend Micro in a whitepaper:

“Knowledge of issues within the plant, like minor mechanical failures, etc. can be creatively used by determined attackers to craft social engineering attacks that will appear highly believable because of prior reconnaissance. Depending on the attacker’s goal, one possible way for an attacker to get in is by scheduling a delivery that is timed with the scheduled arrival of a replacement part. Another way is to simply send an email containing a remote access Trojan to the maintenance department with relevant word tokens.

“Information about a company’s high-ranking employees, like names, email addresses and phone numbers, can be used to directly craft social engineering attacks.

“While some information types are the same across more than one sector, the possible applications of a planned attack may be different depending on the nature of the sector involved. Less likely but also plausible, would be for highly skilled attackers to make use of the specific issues inside, for instance, a nuclear plant, to trigger some form of sabotage, after they have gained physical access.”
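
The article notes that pages are often generated through email-to-pager or SMS-to-pager gateways and that captured traffic included email addresses, phone numbers and IP addresses. As an added example (not from the article or from Trend Micro's research), the filter below could sit in front of such a gateway and strip those three data types before a message is transmitted in the clear. The function name, replacement labels and sample message are assumptions, and names or project codes would need site-specific rules.

```python
import ipaddress
import re

# Patterns for three of the data types the article lists as leaking via pagers.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)


def _is_ipv4(candidate):
    """Reject dotted strings such as version numbers that are not valid IPv4."""
    try:
        ipaddress.IPv4Address(candidate)
        return True
    except ValueError:
        return False


def sanitize_page(text):
    """Return (redacted_text, findings) for a message bound for a pager gateway."""
    findings = {"email": [], "ipv4": [], "phone": []}

    def redact(kind, label, valid=lambda s: True):
        def repl(match):
            value = match.group(0)
            if not valid(value):
                return value  # leave look-alikes untouched
            findings[kind].append(value)  # keep for local audit logging
            return label
        return repl

    # Order matters: e-mail first, then IPs, then phones, so that the
    # looser phone pattern never sees digits belonging to an address.
    text = EMAIL_RE.sub(redact("email", "[EMAIL]"), text)
    text = IPV4_RE.sub(redact("ipv4", "[IP]", _is_ipv4), text)
    text = PHONE_RE.sub(redact("phone", "[PHONE]"), text)
    return text, findings


if __name__ == "__main__":
    # Constructed sample alarm message, not taken from any captured traffic.
    sample = "ALARM PUMP-3 HIGH TEMP 10.20.30.40 call 555-867-5309 or jdoe@plant.example"
    redacted, found = sanitize_page(sample)
    print(redacted)
    print(found)
```

The findings dictionary stays on the sending side, so operators can still look up the full alarm in the plant's own systems while the pager carries only the redacted text.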
