PoS attack means manufacturers should remain vigilant

Recent data breaches and hacks in the retail industry should be seem as warning signs to manufacturers. Security professionals in the industry should remain vigilant and know an attack is just a click away.

By Gregory Hale, ISSSource October 23, 2014

It wasn’t too long ago when industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems were in the scope of the bad guys. These systems, sometimes close to 30 years old and considered easy pickings, were suffering hacks, or threatened hacks, on a fairly regular basis.

The thing is, they still are.

When you looked at the headlines a year or two ago, they talked about Stuxnet, Night Dragon, Shamoon, Saudi Aramco, RasGas, ExxonMobil, Shell, just to name a few. Now the news still talks about hack attacks, but they are of a different kind. This time the retail sector is in the crosshairs. Just look at Target, Neiman Marcus, and most recently Home Depot.

Home Depot is the latest retailer to suffer a major credit card data breach that may have started in late April or early May. The Atlanta-based home improvement retailer is now working with banks and law enforcement to investigate "unusual activity" that would point to a hack.

It is easy to say this is just the retail sector and it doesn’t affect manufacturing, but that is not true. Just how should the manufacturing industry react to the point of sale (PoS) attacks going on in the retail sector?

The main thing is, security professionals in the industry should remain vigilant and keep their mind in the game and know an attack is just a click away. "I have been watching the PoS issues, including several notifications from the National Cybersecurity and Communications Integration Center (NCCIC), said Joel Langill, ICS cyber security consultant and founder of SCADAhacker.com. "I believe that this is ‘the retail industry’s Stuxnet.’ The recent Target and Neiman Marcus breach put these systems on the front page of the mainstream media, so all of those researchers shifted focus and are now having fun finding problems throughout these systems," Langill said.

Researchers, however are finding similarities between retail systems and ICS/SCADA systems.

"I think there is a lot of comparisons between the attacks hitting the PoS terminals and the manufacturing world," said Graham Speake, vice president and chief product architect at NexDefense, Inc. "While the attackers are obviously after credit card information in these attacks, it does show the sophistication of the attackers. Like an industrial control system, the PoS network is normally a separate network with links to the main business network. The lack of attention to the PoS network in terms of what communications are occurring and egress monitoring, a fairly static network with real time devices on it and devices that are not updated/upgraded frequently are also characteristics of industrial control networks."

In the dynamic and evolving security environment, bad guys continue to find new ways to get into systems, but these attackers are not moving from industry to industry like a bunch of 7-year-olds chasing a ball while playing a soccer game. In most cases, these are professional attackers on a very specific mission going after their target.

"I don’t believe that it is the same set of threat actors, so manufacturing should not lower their guard thinking that the bad guys have shifted targets — it is a new set of bad guys with the same ones still targeting manufacturing," Langill said. "Havex (Dragonfly, Energetic Bear, Crouching Yeti) should have shown this, and should have opened everyone’s eyes to the new tactics of exploiting ‘trusted relationships.’"

"Owners of PoS networks had put in defenses to protect that data, even regulated with PCI standards, but the lack of visibility allowed multiple breaches (even after the Target warnings)," Speake said. "Attackers could turn their attention to ICS networks and, using similar attack tools and methods, gain access to these networks, not for credit card scraping but for extortion or disruption."

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on the ISSSource website. Edited by Joy Chang, Digital Project Manager, CFE Media, jchang@cfemedia.com