Cybersecurity for Rural Telecom and Broadband Sites

Greetings and welcome back.  This week, we continue our series on Cyber and Physical Security for Remote Telecom sites with our blog: Cybersecurity for Rural Telecom and Broadband Sites.  In our last blog, we discussed the availability of open network ports that are used by cybercriminals as back doors to steal data and destroy your equipment.  This week, we look at the ability of hackers to penetrate the front door of your network to wreak havoc with your operations.

To begin with, it's important to realize that, whether you have a rural or urban telecom site, you're a key target of hackers and data thieves.  Hackers get paid for disrupting your operations, and data thieves get paid by stealing your customers' data and selling it on the black market.  All the data that passes between your customers and the Internet flows through your remote sites, and for this reason the bad guys place a high value on those sites.

How Hackers can Attack Rural Telecom Sites

To give you an example of how hackers can target your rural sites, please look at this article about a hacker who brought down hundreds of thousands of Deutsche Telekom customers.  In this case, a hacker was paid $10,000 by a Middle Eastern company to take down the DT customer network.  The hacker modified the Mirai botnet to attack port 7547, the port for the Simple Object Access Protocol (SOAP) interface used to remotely manage a number of routers.  By using this port to overload the routers and then the network, the hacker was able to bring down the DT network.  The key thing here is that there are always people willing to pay to harm companies or their customers, and you must consider that you are a potential attack candidate.

In making a scan of rural telecom sites via the Shodan Search Engine, I found a significant number of routers with open ports that could be used to bring down their networks.  For obvious reasons, those organizations will not be named here, but it is clear that rural telecom sites are vulnerable to similar and perhaps much more destructive attacks.

How Data Thieves can Steal Data at Rural Telecom Sites

Stealing data through a remote site is surprisingly easy.  To do so, one need only gain physical or virtual access to any remote telecom site.  From there, permissions can be created to allow selected packets of information to be duplicated and then sent to a cyber-thief's awaiting server.  For security reasons, the particulars of this hack will not be shared, but I can say that I was able to find innumerable rural telecom site network systems online using Shodan.  Thousands of sites presented the option to remotely configure a switch at these sites and, once done, a data thief would be in control of that network site. This leaves those sites wide open to data thieves and leaves the telecom service provider open to huge liability.

What Can be Done to Protect Rural Sites?

It's imperative that the open ports of these systems be secured.  In terms of remote management, simply placing a firewall on that port is of little value.  The reason for this is that the firewall must decide to let those whom it believes to be "good guys" have access to the units.  The problem with this is that it's all too easy to spoof a good guy and take over the site.

What needs to be done is to completely lock down all remote management ports and to send all data from those ports into a secure location, accessible only by privileged individuals.  This is exactly what our RackGuardian product does.  It creates a stealth shield around any device that it monitors while it sends all monitoring data with respect to that device to our secure cloud portal.  The result is that you can remotely monitor and manage your critical network equipment while keeping its presence hidden from all Internet traffic.

Please think about this and give us a call if you would like assistance at your remote sites.  We would be happy to have a confidential discussion with you about your security options.

Until Next Time,

Be Well!


Cyber and Physical Security for Rural Telecom Sites

Greetings and welcome back.  This week we begin a study of the Cyber and Physical Security for Rural Telecom Sites. If you are a provider of telecom and broadband services to rural areas, you know that cybersecurity and physical security are large and growing concerns.  The huge geographic areas that your network covers and the relatively few personnel available to cover them make for serious security challenges, and we will address the cyber and physical challenges of these sites during this blog series.

To begin with, there are roughly 1000 companies in the United States who are classified as rural telecom providers.  Having spent a good deal of my life in rural country, I have an appreciation for the companies who serve these large areas of our country and understand that the growing cyber threats and continuing threats to physical security are likely to increase over time.  In fact, several cyberattacks on rural municipalities and utilities show that rural operations are increasingly becoming cyber targets.  When you add to that the damage from physical attacks, such as this highly destructive cable cutting in rural Northern California, it's clear that bad guys are targeting rural utilities and that these are not isolated instances.

In this first part of the blog series, we're going to look at cybersecurity backdoors in your remote plant and equipment as well as in your head-end sites.  If we want to address this subject in a practical way, we must first ask: "What network ports within my sites could be used by a hacker as a back door?"

Security for Rural Telecom

We have done a thorough scan of rural telecom and broadband sites throughout the U.S. to find out the correct answer to this question.  While we will not release the total number of ports involved for security reasons, we can say that open ports with minimal security on rural utility networks total in the hundreds of thousands. The avenues most commonly used in attacks by the bad guys are remote management ports, which see little traffic but are most often left open for the convenience of the user.  The ports which we found to be open in large numbers in rural telecom sites are:

  • Port 21 – FTP – File Transfer Protocol: an unencrypted protocol used for downloading firmware and other updates
  • Port 22 – SSH – Secure Shell: a well-secured means for remote login and command-line system changes
  • Port 23 – Telnet – an unencrypted protocol used for remote login and command-line system changes
  • Port 69 – TFTP – Trivial File Transfer Protocol: an unencrypted and non-passworded protocol for updates
  • Port 80 – HTTP – Hypertext Transfer Protocol: an unencrypted protocol used for web-page access and system changes
  • Port 161 – SNMP – Simple Network Management Protocol: a modestly encrypted protocol used for remote management
  • Port 443 – HTTPS – the encrypted version of HTTP that allows for the encrypted transmission of web-page access
  • Port 502 – Modbus – an unencrypted protocol designed for remote management of power and cooling systems
  • Port 47808 – BACnet – a lightly encrypted protocol designed for mechanical and electrical systems

Looking at this list, the first thing that comes to mind is: That's a LOT of open ports and a LOT of options for hackers to target!  Granted, each device typically only has 2-4 ports open, but as the thief says: "I only need one…"
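As an added example (not part of the original post), the following Python audit applies the port list above to a scan result and ranks each open port by how much protection its protocol gives. The input format is a simplified nmap "grepable" style and the addresses, host names and risk tiers are this example's own constructed assumptions.

```python
# Added example: audit of open management ports on remote-site devices, keyed to the list above.
# Input is constructed scan output in a simplified nmap "grepable" style (assumption):
#   "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>//<service>///, ..."
import re

# The page's port list with the property it calls out. Tiers are this example's assumption:
# CRITICAL = no authentication at all, HIGH = cleartext credentials or unauthenticated control,
# MEDIUM = encrypted but still a management surface that belongs on a management network.
RISK_BY_PORT = {
    (69, "udp"): ("TFTP", "CRITICAL", "no login or password: disable"),
    (21, "tcp"): ("FTP", "HIGH", "cleartext credentials: disable or restrict"),
    (23, "tcp"): ("Telnet", "HIGH", "cleartext credentials: disable, use SSH"),
    (80, "tcp"): ("HTTP", "HIGH", "cleartext management UI: use HTTPS, restrict"),
    (161, "udp"): ("SNMP", "HIGH", "v1/v2c community strings in cleartext: require v3, restrict"),
    (502, "tcp"): ("Modbus", "HIGH", "unauthenticated control protocol: never Internet-facing"),
    (47808, "udp"): ("BACnet", "HIGH", "unauthenticated control protocol: never Internet-facing"),
    (22, "tcp"): ("SSH", "MEDIUM", "restrict to management network, key-based auth"),
    (443, "tcp"): ("HTTPS", "MEDIUM", "restrict to management network"),
}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)//([^/]*)")

def parse_grepable(text):
    """Yield (host, name, [(port, state, proto, service), ...]) for each host line."""
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue  # comments and blank lines
        host, name, ports_field = m.groups()
        ports = []
        for chunk in ports_field.split(","):
            pm = PORT_RE.match(chunk.strip())
            if pm:
                ports.append((int(pm.group(1)), pm.group(2), pm.group(3), pm.group(4)))
        yield host, name, ports

def audit(text):
    """Return one finding dict per open port, worst severity first; closed ports are ignored."""
    findings = []
    for host, name, ports in parse_grepable(text):
        for port, state, proto, service in ports:
            if state != "open":
                continue
            svc, sev, action = RISK_BY_PORT.get(
                (port, proto), (service or "unknown", "INFO", "identify the service and justify its exposure"))
            findings.append({"host": host, "name": name, "port": port, "proto": proto,
                             "service": svc, "severity": sev, "action": action})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"], f["port"]))
    return findings

SAMPLE_SCAN = """\
# Constructed sample scan output, not a real result
Host: 192.0.2.10 (site-a-pdu)\tPorts: 69/open/udp//tftp///, 161/open/udp//snmp///, 80/open/tcp//http///
Host: 192.0.2.20 (site-a-router)\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 443/open/tcp//https///
Host: 192.0.2.30 (site-b-ups)\tPorts: 502/open/tcp//mbap///, 8443/open/tcp//https-alt///
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"{f['severity']:8} {f['host']:12} {f['port']}/{f['proto']} {f['service']}: {f['action']}")
```

Ports the list does not cover (8443 in the sample) are reported as INFO rather than dropped, so an unexplained service still shows up in the review.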

In studying open ports that can be seen directly on the Internet through the Shodan Search Engine, the most numerous systems on your network are NOT computers but rather:

  • Routers
  • Network Switches
  • Power Distribution Units
  • Backup Power Systems
  • Telecom Systems

Because open ports on these systems have minimal security, gaining access to them is not a challenge even for a hacker of modest skill.  Once a cybercriminal accesses one of these ports, they can take control of that system and then begin to hop from one system to the next until a value-rich target system is penetrated.  When they arrive at their high-value target destination, they can then:

  • Harm, shutdown or destroy one or more of your systems directly
  • Place Malware into your systems that can constantly scan and steal interesting data over long periods of time
  • Place Ransomware on your system to force you to pay a ransom of their choosing and on their timing
  • Steal data immediately from a data source such as a server or desktop computer and then cover their steps

OK, that's a lot of information to absorb for now, so at this point it's time to summarize this first blog about rural telecom security.  The first point is that your remote and local sites have many types of systems, each of which likely has at least one open port with little or no security.  These systems are, therefore, easily penetrated by a cybercriminal and can be used to harm your systems and to steal data from your customers.

The question to be asked is: "What can be done to stop this?"  Our RackGuardian and CyberGuardian products are unique in this field because they block the cybercriminals from even being able to see your systems while, at the same time, allowing you to securely manage your systems from any location.  They create a stealth shield around your systems, making them invisible on a network, while providing you with a secure, encrypted channel of communications with those units.  All of this power is tied together with our secure cloud-based system, meaning that there is no limit to the number of devices that you can protect and manage.

Please think about these things and, if you would like to have a confidential discussion about your security needs, please feel free to give us a call.  We’re here to help and we understand the needs of rural utility providers.

Until Next Time,

Be Well!


New York Cybersecurity Law & Your Rack Systems

Greetings and welcome back!  This week we continue our series on the effect of the New York Cybersecurity Law for Financial Services Companies on the need to protect Information Technology (IT) systems as well as Industrial Internet of Things (IIoT) systems.  Specifically, we look at the New York Cybersecurity Law & Your Rack Systems.

New York State authorities took significant input from experts in IT security and IIoT security in formulating this Law.  As we discussed last week, the key thing to remember about this law is the following:

Under the New York Cybersecurity Law, “Information Systems” are defined to include all IT systems as well as all IIoT power, cooling and security systems that support them.

Many notable examples of cyberattacks have already taken place through IIoT power and environmental control systems including:

  • Ukrainian Power Plant Cyberattack – an Uninterruptible Power Supply (UPS) system used in combination with switchgear caused a massive blackout throughout much of Ukraine.
  • Staminus Cloud System Cyberattack – a rack-mounted Power Distribution Unit (PDU) used to enter the cloud-based servers in a rack, stealing millions of dollars-worth of data records.
  • SCADA/BMS Cyberattacks – case studies of 5 attacks on industrial systems and the results on the affected businesses

The ease with which UPS, PDU and Environmental Control Systems can be compromised is well documented by the related links. In addition, a thorough review of attack vectors against UPS, PDU and Air Conditioning Systems was documented a full 5 years ago in a White Paper written by Dr. Patrick Traynor of the Georgia Institute of Technology.  In this paper, the vulnerability of the SNMPv3 communication protocol is thoroughly discussed.  SNMPv3 is the latest version of SNMP and was largely believed by users to be secure.

Other possible attack sequences on various types of IIoT systems have also been proven feasible.  A number of government and university studies have documented vulnerabilities to such attack sequences, as shown below:

Because actual attacks are taking place and because new vulnerabilities are continually being discovered, the US Government has launched a branch of the Department of Homeland Security to provide information in this area.  This organization is known as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and it publishes alerts, advisories and regular reports on the latest products which have been found to have cyber or physical vulnerabilities.  The ICS-CERT website contains a searchable database of present and historical reports written on IIoT power, cooling and control systems.

So what does this mean for securing your rack systems?  The New York Cybersecurity Law says the following:

You must secure all IT and IIoT support systems against threats to each of the following:

  • Confidentiality – protecting the cyber and physical security of all data. This includes both data that is at rest and data that is in transit
  • Integrity – protecting the intended state of the data from being compromised by cyber or physical means or altered in any way
  • Availability – ensuring uninterrupted operation of all systems that support access to data at every hour and time in which it is needed

This means that you must secure all communications to and from each of the following rack IIoT systems:

  • Rack Power Distribution Units (PDUs)
  • Rack Uninterruptible Power Supplies (UPS)
  • Rack Cooling Systems

It is clear from the attacks that have already taken place through these types of systems that they must be protected with a firewall that is specifically suited to protect the confidentiality of their communications and the integrity of the systems themselves.  It is also clear that these power and cooling systems must be monitored to protect their availability to ensure the uptime of all IT systems.

RackGuardian stands alone in the market as the only product to include the ability to protect and monitor any type of rack IIoT system.  This ensures the security and availability of the IT systems that these IIoT systems support.  RackGuardian is simple to install and use and affordable for all budgets.  Please feel free to call one of our experts to see how RackGuardian can protect your rack systems, whether you have one rack or hundreds.

Until Next Week,

Be Well!


TFTP Vulnerabilities for Rack UPS and PDUs

Hello and welcome back! In this week’s blog, we look at a very critical security flaw that exists in many SNMP Cards.  Specifically, we address TFTP Vulnerabilities for Rack UPS and PDUs.


To begin with, let's talk about what FTP and its cousin TFTP are, and why TFTP poses a great security risk to any card with that protocol enabled. FTP stands for File Transfer Protocol; it is a standard means by which an SNMP communications card upgrades its firmware. FTP normally has a basic layer of security, a single password, which, while fairly easy to sniff and capture, offers at least some form of protection. Unlike FTP, TFTP – or Trivial File Transfer Protocol – has absolutely no login or password options and, hence, anyone with access to the TFTP port on a communications card can gain access to that unit. Here is an excellent overview of TFTP put together by the computer department at the University of Maryland.

This good article from the University of Maryland notes that the only form of security TFTP offers is a setup parameter to limit the origin or type of files that it accepts. Unfortunately, this is of very little help against a hacker of even medium skill level. What makes TFTP so dangerous is that it is normally used for the purpose of upgrading the firmware of a communications card. That means that a skilled hacker can load their own code onto your communications card, and that card can become a stealth backdoor for surveying and stealing information from your network.

To gauge how easily this could be done, we hired a college intern and gave him the task of creating his own version of firmware that would lock out the existing users from a brand-name Uninterruptible Power Supply and give him sole control of that unit. The SNMP card of this unit had TFTP fully functioning, and he used that as the key part of his strategy. Here is his quick summary of what he did.

I created a configuration file with new passwords known only to me, which gave me authority over all aspects of control of the UPS.

Once the configuration file was prepared, it was then added to the home directory of the assigned TFTP server.

The configuration file was then confirmed to have been successfully downloaded using the mfiletransferControlInitiateFileTransfer object.

The device then restarted with the new settings applied and at that point, only I was able to communicate and control the UPS. All other users were locked out.
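The sequence just described (an SNMP-initiated transfer, a TFTP fetch by the card, then a restart with new settings) leaves a trace that a defender can look for. The following Python detection logic, an added example and not part of the original post or the intern's work, runs three rules over constructed flow records and card log lines; the card, NMS and firmware-server addresses and the log formats are this example's own assumptions.

```python
# Added example: detecting the TFTP push sequence on UPS/PDU management cards.
# Assumptions: flow records are "ts,src,dst,proto,dport" (epoch seconds) and card log
# lines are "ts,card,event,source"; all addresses and log lines below are constructed.
from collections import defaultdict

CARDS = {"10.10.5.11": "ups-a", "10.10.5.12": "pdu-a"}   # management cards we watch (constructed)
APPROVED_NMS = {"10.10.1.5"}                            # the only host allowed to initiate transfers
APPROVED_TFTP = {"10.10.1.6"}                           # the only sanctioned firmware/config server
INITIATE = "snmp-set mfiletransferControlInitiateFileTransfer"  # object named on the page
WINDOW = 300  # seconds between the SNMP initiate, the TFTP fetch and the restart

FLOWS = """\
1700000000,10.10.1.5,10.10.5.11,udp,161
1700000010,10.10.5.11,10.10.1.6,udp,69
1700000400,192.0.2.77,10.10.5.12,udp,161
1700000405,10.10.5.12,192.0.2.77,udp,69
"""
CARD_LOG = """\
1700000000,10.10.5.11,snmp-set mfiletransferControlInitiateFileTransfer,10.10.1.5
1700000030,10.10.5.11,restart,-
1700000400,10.10.5.12,snmp-set mfiletransferControlInitiateFileTransfer,192.0.2.77
1700000420,10.10.5.12,restart,-
"""

def parse_csv(text, n):
    """Split each non-empty line into exactly n fields (the last field may contain commas)."""
    return [line.split(",", n - 1) for line in text.splitlines() if line and not line.startswith("#")]

def detect(flows_text, card_log_text):
    """Return (severity, card, message) alerts; a sanctioned update produces none."""
    alerts = []
    tftp = defaultdict(list)  # card -> [(ts, peer)] for every UDP/69 flow the card originated
    for ts, src, dst, proto, dport in parse_csv(flows_text, 5):
        if proto == "udp" and dport == "69" and src in CARDS:
            tftp[src].append((int(ts), dst))
            if dst not in APPROVED_TFTP:  # Rule 1: card fetching from an unsanctioned TFTP server
                alerts.append(("HIGH", CARDS[src], f"TFTP transfer with unapproved server {dst} at {ts}"))
    events = parse_csv(card_log_text, 4)
    restarts = {card: int(ts) for ts, card, event, _ in events if event == "restart"}
    for ts, card, event, source in events:
        if event != INITIATE:
            continue
        t0, name = int(ts), CARDS.get(card, card)
        if source not in APPROVED_NMS:  # Rule 2: transfer initiated by a host that is not the NMS
            alerts.append(("HIGH", name, f"file transfer initiated by non-NMS host {source} at {ts}"))
        fetched = [peer for t, peer in tftp.get(card, []) if 0 <= t - t0 <= WINDOW]
        restarted = card in restarts and 0 <= restarts[card] - t0 <= WINDOW
        sanctioned = source in APPROVED_NMS and fetched and all(p in APPROVED_TFTP for p in fetched)
        # Rule 3: the full chain (initiate -> TFTP fetch -> restart) from anything unsanctioned means
        # new settings are live on the card; treat its credentials and image as suspect.
        if fetched and restarted and not sanctioned:
            alerts.append(("CRITICAL", name, f"new config/firmware from {fetched[0]} applied after restart"))
    return alerts

if __name__ == "__main__":
    for severity, card, message in detect(FLOWS, CARD_LOG):
        print(f"{severity:8} {card:6} {message}")
```

In the sample, ups-a goes through the same three steps from the approved NMS and server and stays quiet, so the rules separate a legitimate update from the intern's takeover rather than alerting on every TFTP transfer.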

All-in-all, this college intern was able to complete this entire task in just a few hours, without having any knowledge of SNMP cards or similar systems. After studying this, we then saw that there are two very damaging things that a hacker can do to a UPS, a Power Distribution Unit (PDU) or a Computer Room Air Handler/Air Conditioner. These are as follows:

Place a backdoor to feed data to a hacker about all data center equipment, their operating conditions, maintenance, etc.

Place a backdoor to use in gathering and stealing data from servers on the same or adjacent network

I can say that we are aware of specific instances in which one of these two things has been done through a UPS SNMP card in a mission-critical data facility. Because of this, we have little doubt that this is a tool used by hackers – including nation states and rogue foreign companies – to gain valuable insights into the operations and secrets of various companies and organizations. Because of these facts, we urge the readers of this blog to check whether you have TFTP enabled on ANY of the communications cards in your data centers, server rooms, network closets or telecom rooms. Please remember that a hacker only needs to enter ONE unit to ultimately have the tools he needs to spy on and steal from your organization.

TFTP Vulnerabilities for Rack UPS and PDUs are a widespread problem. A quick survey of major UPS and PDU manufacturers shows that ALL of them use TFTP on at least some of their cards. If you have TFTP on any of your communications cards, we would recommend that you place a RackGuardian (for rack-based PDU, UPS and cooling systems) in front of these units to securely monitor them and to firewall the bad guys from ever gaining access. If one of your cards has already been compromised, CyberGuardian and RackGuardian are the only two units on the market that will not only keep the bad guys from getting into your systems but also keep any malware that has already been implanted from communicating outbound.

Please think about these things this week and, if you would like to have a confidential conversation about protecting your critical power and cooling systems, please feel free to give us a call.

Until Next Time,

Be Well!