Nominally IT-focused threats such as the recent series of wormable, disruptive malware variants from WannaCry through OlympicDestroyer will increasingly impact Internet-of-Things environments. The combination of rapid, automated propagation with multiple capabilities for accessing vulnerable systems – whether through exploit or credential capture – provides adversaries with multiple routes to spread through a target network and reach IoT devices that are typically not exposed to direct attacks. This significant increase in attack surface will make previously isolated IoT systems – especially critical IoT devices such as Industrial Control Systems (ICS) and medical devices – more readily accessible to infection events. By adopting a whole-network, defense-in-depth approach, asset owners and defenders can reduce their threat surface from such attacks. Examples include greater segmentation of networks to limit automated malware propagation, and identifying the critical nodes required to access IoT deployments as candidates for extra security hardening. Through this approach, the problem of increasingly virulent, self-propagating malware impacting IoT devices will not go away, but defenders can shape the environment appropriately to reduce risk.
The public conception of Internet-of-Things (IoT) related malware typically starts and ends at low-level worms such as Mirai and BrickerBot. While these are certainly a cause for concern and a source of some disruption, defenders and asset owners assume that more sensitive systems in the IoT space – industrial control system (ICS) equipment, medical devices, and other operational technology – are immune to such attacks for various reasons: the systems are simply more robust, and they are assumed to be ‘unreachable’ from typical infection vectors. Unfortunately, current events prove these assumptions to be not only false but dangerously misleading. More specifically, recent malicious worm variants possess the capability to bridge alleged ‘airgaps’ to reach sensitive IoT systems, and further retain the functionality to cause significant damage and disruption.
This paper will review the current threat landscape with respect to self-propagating malware with the potential to impact critical IoT systems. Special attention will be paid to the underlying methodologies that make these threats uniquely worrisome for high-value IoT networks, such as ICS environments, and to the root vulnerabilities that enable such activity. After providing an overview of the threat environment, the discussion will conclude with examples and advice on how to secure these environments and mitigate the risk posed by wormable malware in the IoT environment.