What is the Darknet?
We all use the Internet every day, at home and at work, relying on search engines to find whatever we want within seconds. We plug in USB drives and jump on public Wi-Fi networks all over the world without a second thought. We enter credit card numbers and personal information on forms from websites that we trust to keep our data secure. And, most of the time, it is secure. But when it comes to the Internet, there is more to it than meets the eye – literally.
Most consumer transactions and data searches take place on the surface net, which is open and visible to everyone. Major search engines crawl and index website information, which enables the web to deliver those fast results we depend on. But beneath this public layer, there is another network that is largely underground – the “dark web” or Darknet.
To understand the layers of the Internet, let’s start with the “deep net” (or deep web). Deep net servers are accessible using standard Internet browsers, but they are not indexed by search engines. The “dark web” is a portion of the deep net that is not accessible using standard Internet browsers. Its content is further obscured by the overlay of another network (e.g., TOR or I2P), which cannot be penetrated without special access rights.
The “Darknet” is a portion of the dark web that uses a certain overlay network, such as TOR, to restrict user access. Darknet sites are a collection of discussion communities, hacker forums and file sharing services only accessible by invitation or special access. Many of these sites exist on the dark web, but the TOR network is generally considered to be the most successful. Incidentally, if you are using a virtual private network (VPN), you are using a kind of Darknet technology, because VPN masks the sites you visit and hides the content you view from snoopers.
The Business of Buying and Selling – Including Control Systems Access
The Darknet isn’t necessarily evil and does have some legitimate and good uses. However, it has become a home for “hackers for hire” and is a hotbed of activity for those looking to monetize stolen information and privileged system access. Hackers work for the highest bidder, and they accept payment in Bitcoins, Euros and other untraceable cryptocurrencies.
In this “hidden market” where illegal activity is difficult to trace, it’s possible to buy everything from drugs to weapons, to fake IDs, ransomware, hacker services, spam, money laundering services and worse. The common denominator is the monetization of whatever data can be stolen or accessed. If you’ve ever received a notification from a vendor that their systems had been hacked and your credit card information might have been compromised, that information was likely offered for sale on the Darknet.
There are now Darknet forums where cybercriminals sell access to supervisory control and data acquisition (SCADA) and industrial control systems (ICSs). Imagine if cybercriminals gained access to the control systems for nuclear power plants, chemical plants, oil and gas facilities, hospitals, electrical and power generation stations, water/wastewater plants, food and beverage or pharmaceutical facilities. The results could be disastrous.
The expertise necessary to gain access to an ICS differs from the knowledge needed to create an effect within the control layers of the enterprise. Hackers who gain access to your business and to your ICS may lack the background or training to use it effectively, so they offer system credentials for sale anonymously on the Darknet. Your enterprise might now fall victim to intruders who don’t need to be sophisticated enough to hack it themselves. Their motives could be anything from terrorism to revenge to malicious mischief to profit.
Wonder why this underground market for stolen information is tolerated? The fact is, selling elevated or privileged access to a control system or a business is not a crime. Buyers can purchase everything they need to know about accessing or hurting your system but until they do, they have not broken the law. This makes the selling of privileged information difficult to criminalize, especially when transactions are anonymous.
ICS Vulnerability: The Truth about the Consequences
Perhaps the most famous industrial cyber breach was the Stuxnet attack on Iranian nuclear plants, ostensibly introduced using a USB flash drive. This cyber worm destroyed around 1,000 fuel enrichment centrifuges by programming them to spin at varying speeds. Today, there are many more of these tools aimed at accessing or controlling SCADA systems.
A motivated individual, state or organization could buy access to the control systems that run our infrastructure and cause disruptions even worse than Stuxnet. They could shut down an entire system, hold an operating database for ransom, change or steal valuable mixtures or formulae, obtain confidential CAD/CAM drawings of patented parts or designs important to national security, open or close valves or relays, or even cause explosions. With worker safety always the highest priority, it is prudent to secure not only their physical work areas from intruders but the cyber landscape as well.
Consider a completely different scenario, one in which a bad actor gains access to a power grid or an influential business concern and causes a major disruption affecting stock prices. Stock could then be sold short and the criminal could simply take the money and run. This may already have happened and is difficult to prove, but it’s a very real possibility.
Is Your Control System Vulnerable?
If your ICS network is connected to the surface Internet (even inadvertently), it’s much easier for hackers to find an access point to your control network. It’s often the case that an ICS, especially a legacy control system, is not configured with the best authentication mechanisms, making it easier for hackers to get in and do some damage.
The easiest and most common way for a hacker to gain access is through so-called spear-phishing. People with privileged access to the control system – including those higher up in the organization – still tend to get spoofed by emails that look legitimate or a flash drive that comes from a “trusted” source. Once they engage with the bad actor, they open the door to the control system and to confidential intellectual property (IP), such as CAD/CAM drawings, formulae, recipes, proprietary control algorithms and other sensitive information.
Ransomware? Yes, You Should Worry.
Ransomware – for sale 24 / 7 on the Darknet – is easy to introduce to a system through a USB drive, an email or Internet link, or by spoofing a legitimate access credential.
We tend to think of ransomware as an annoyance that locks up our home laptop or attacks the business side of an enterprise. But ransomware searches a network indiscriminately for database files and encrypts them. It doesn’t know or care whether these are transaction files, credit card files, or an ICS database. These files all look the same to a ransomware program and once it is introduced to your system, it will encrypt any database it finds.
Control systems typically do not have the proper defenses against this type of invasion. ICS operators may be working from a single database so if it is corrupted or locked, it is difficult to diagnose the problem. The “ransom” message may not even pop up on the control monitor because it is hidden behind the operator workstation graphics. Operators may see a system message that the database is corrupted and may opt to replace it with backup files, but the ransomware program will simply re-encrypt the new files. The ransom, usually paid in Bitcoin, completes the monetization of the hacker’s access to your system.
Blockchain – The Future of ICS Cybersecurity
Blockchain is the underlying technology that allows cryptocurrencies like Bitcoin to exist. Dollar bills are an illustration of block chain theory because they are hard to counterfeit, can’t be double-spent and can be used anonymously. Bitcoin is the electronic equivalent, allowing public digital transactions without needing a third party (such as a bank or credit card company) to verify the transactions.
If you’re in a conversation with others using blockchain-based communication and someone tries to join or interject something, they would be unsuccessful because they are outside the blockchain. This allows for secure but public communication because intruders are easily spotted, and public transactions cannot be spoofed. In the future, there may be no need for secret passwords or logins. Users would be authenticated through their block chain.
Blockchain is a multi-point public electronic ledger with the potential to provide ICS security, but it has not yet been applied to industrial control systems. In the future, blockchain could be used to validate transactions between controllers and/or devices. In that case, an intruder who gains system access could see everything going on in the controls system but would be unable to access or change it.
Get “Cyber Ready” Now
Control systems that are “cybersecurity ready” can help you in your vigilance against cyber-crime. You may not be ready or able to implement all cybersecurity standards, policies and protection layers today with legacy equipment still in place. However, when upgrading and modernizing your ICS, employ a cybersecurity-ready design so that when you do deploy standards policies and updated cybersecurity measures, the hardware is cyber-ready. This includes backups, backup testing stations, hardening of workstations (USB locks, etc.) and more. Whenever possible, it is a best practice to engage with an unbiased automation services provider that has expertise on your current and planned control platforms to help you prepare your system to meet current and future cyber threats.
Fight Darknet Criminals: Shine a Light on Cybersecurity
The fight against those who would steal the keys to your ICS and sell them on the Darknet starts with cybersecurity awareness. Keeping cybersecurity top of mind entails educating your workforce and closely managing consultants and vendors. Ensure that everyone who touches the enterprise and control systems is aware of the risks and in compliance with company cybersecurity policies and measures. Even a small lapse in vigilance could compromise the entire system – whether the lapse occurs on the business side of the enterprise or on the controls network. Think outside the controller!
Cybersecurity teams, headed by the Chief Information Security Officer (CISO), typically drive cyber policies and procedures. The team should consist of IT representatives from both the business and controls networks and often includes an outside consultant with cybersecurity and controls systems platform knowledge.
This group will deploy and manage overall cybersecurity policy and employ tactics such as:
- Strong password management
- Robust user authentication mechanisms
- Properly tested backup systems
- Restricted system access, especially elevated or privileged access
- Cybersecurity training, keeping users updated on the latest phishing attempts and what steps to take when they encounter a security breach
- Compliance audits and patches
- Cybersecurity standards implementation (e.g., ISA-99, IEC 62443)
- Cyber readiness – modernize and upgrade to implement future cybersecurity measures easily
Stay in Control
Making cybersecurity a priority and understanding the Darknet’s role in allowing others to access your control system will help keep your facility up and running without intruders running it for you.
Understanding some of the most common cyber vulnerabilities can help you Keep Your Systems Secure – One Patch At A Time.