Smart City Sentinel

When A Ransomware Attack Took over Cameras, Where Was the Last Line of Defense?

By Special Guest
Matt Henson, General Manager, Ultra Electronics, 3eTI

Video surveillance cameras used every day to survey the streets of Washington DC and keep the people safe – hacked! We are familiar with data hacks, but this incident received noteworthy press coverage because it was one of the first high profile public examples of operational technology (OT) being impacted by ransomware.

The Romanian hackers took control of 123 of the Washington, DC police department's 187 outdoor surveillance cameras in January of 2017, rendering them unable to record from January 12 through January 15, just eight days before President Trump's inauguration.

Operational technology is comprised of the hardware and software used to control and monitor industrial processes (processing lines, utilities and the packaging equipment involved in producing products), and most of it was not designed with security in mind. As OT systems become increasingly controlled by hardware and software, they become more complex and more vulnerable.

To date, ransomware has been known mainly to affect enterprise IT networks. The fact that it is now attacking operational technology devices and facilities is a significant change that can have real cyber-physical impacts. With OT it is not just data that is being held for ransom; it could be a real threat to human life.

To resolve the problem, DC police took each of the compromised devices offline, removed all software, then reinstalled new video recording software and restarted each system individually. This process cost a great deal of time and money, not to mention the inability to monitor the streets of our capital city while the CCTV cameras were offline.

Because the intrusion affected a large number of the CCTV cameras that police use to watch over public areas, identifying the cause became a top priority, given the potential impact on the Secret Service's ability to secure the 2017 Presidential Inauguration.

The DC Police detected the attack on January 12th when they learned that several cameras were malfunctioning. They discovered two separate forms of ransomware in four of their video recording devices and commenced a citywide examination of the network to find the remaining infected sites; 70% of their video storage devices were found to be infected.

Ransomware infects computers and can be triggered by something as seemingly innocuous as opening an attachment or clicking a link in an email message. This type of cyberweapon encrypts files and locks out users until they pay the ransom. No ransom was paid to the hackers in this case.

The suspects, Eveline Cismaru and Mihai Alexandru Isvanca, were also accused of using the computers they gained control of to distribute ransomware through spam emails. Law enforcement officials believe that Cismaru and Isvanca were part of a large extortionist group and have charged both of the Romanian nationals in DC Federal Court with fraud and computer crimes.

According to an affidavit by Secret Service Special Agent James Graham, the hackers intended to lock victims' computers and then extort users for payments in order to release their data. In the affidavit, Cismaru and Isvanca are accused of "intent to extort from persons money and other things of value, to transmit in interstate and foreign commerce communications containing threats to cause damage to protected computers." It is not yet clear if they knew that they had hacked into a DC Police Dept. network.

The affidavit also states that the hackers were found through their registered email addresses and were arrested in Romania in January of 2017 along with three other suspects who will face prosecution in Europe.

Could This Attack Have Been Averted?
These CCTV cameras and the computers that operate them could have been spared this calamity altogether had a “last line of defense” solution been in place.

A last line of defense is a cybersecurity device placed in front of any operational technology endpoint to validate all incoming commands and communications. In the case of DC’s CCTV devices, the last line of defense would have recognized the shut-off command as fraudulent, blocked it, and immediately notified authorities of the attempted breach. This command could have been validated in real-time.

Empowered with these resources, an organization’s IT department can create a whitelist of allowed commands for any device, blocking any command that falls outside of what is allowed and/or alerting the appropriate authorities when one is attempted.

This solution should easily fit right into the control environment, to shield critical infrastructure against cyberattacks without interruption. It should augment the traditional firewall, perimeter and signature-based defense, extending protection to networked system endpoints using protocol-specific parsing and whitelisting to assure data integrity.
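To make the idea concrete, here is an added example (written for this article, not CyberFence's or 3eTI's code) of the protocol-specific parsing and command whitelisting described above. It models a constructed, hypothetical line-oriented CCTV control protocol, parses each inbound message strictly against that grammar, checks the command and its parameters against a per-device allowlist, and records an alert for anything outside it. The device name, commands, parameter ranges and sample traffic are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed protocol (hypothetical, for this example only):
# one command per line, "<DEVICE> <COMMAND> [KEY=VALUE ...]".
_MSG_RE = re.compile(
    r"^(?P<dev>CAM-\d{2}) (?P<cmd>[A-Z_]+)(?P<args>(?: [A-Z]+=-?\d+)*)$"
)

# Per-device allowlist: command -> parameter -> inclusive (min, max).
# Anything not listed (a shut-off, reboot or firmware command, say)
# is denied by default rather than matched against a signature.
Allowlist = Dict[str, Dict[str, Dict[str, Tuple[int, int]]]]

ALLOWLIST: Allowlist = {
    "CAM-07": {
        "PTZ": {"PAN": (-180, 180), "TILT": (-90, 90)},
        "ZOOM": {"LEVEL": (1, 10)},
        "SNAPSHOT": {},
    },
}


@dataclass
class Command:
    device: str
    name: str
    params: Dict[str, int]


@dataclass
class Alert:
    raw: str
    reason: str


@dataclass
class Verdict:
    allowed: bool
    reason: str
    command: Optional[Command] = None


def parse(line: str) -> Optional[Command]:
    """Strict, protocol-specific parse; anything off-grammar yields None."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    params = {}
    for kv in m.group("args").split():
        key, val = kv.split("=")
        params[key] = int(val)
    return Command(m.group("dev"), m.group("cmd"), params)


def validate(line: str, allowlist: Allowlist, alerts: List[Alert]) -> Verdict:
    """Decide whether one inbound message may reach the camera controller."""
    cmd = parse(line)
    if cmd is None:
        alerts.append(Alert(line, "malformed message"))
        return Verdict(False, "malformed message")
    device_rules = allowlist.get(cmd.device)
    if device_rules is None:
        reason = f"unknown device {cmd.device}"
        alerts.append(Alert(line, reason))
        return Verdict(False, reason)
    param_rules = device_rules.get(cmd.name)
    if param_rules is None:
        reason = f"command {cmd.name} not on allowlist for {cmd.device}"
        alerts.append(Alert(line, reason))
        return Verdict(False, reason)
    # The parameter set must match exactly: no extras, and no missing
    # values that the controller might silently fill with defaults.
    if set(cmd.params) != set(param_rules):
        reason = f"unexpected parameter set {sorted(cmd.params)} for {cmd.name}"
        alerts.append(Alert(line, reason))
        return Verdict(False, reason)
    for key, (lo, hi) in param_rules.items():
        val = cmd.params[key]
        if not lo <= val <= hi:
            reason = f"{key}={val} outside [{lo}, {hi}]"
            alerts.append(Alert(line, reason))
            return Verdict(False, reason)
    return Verdict(True, "allowed", cmd)


def filter_stream(lines, allowlist: Allowlist = ALLOWLIST):
    """Filter a batch of messages; return (forwarded commands, alerts)."""
    alerts: List[Alert] = []
    verdicts = [validate(line, allowlist, alerts) for line in lines]
    forwarded = [v.command for v in verdicts if v.allowed]
    return forwarded, alerts


# Constructed sample traffic: routine operator commands mixed with
# messages that should never reach the recorder.
SAMPLE_TRAFFIC = [
    "CAM-07 PTZ PAN=30 TILT=-10",
    "CAM-07 ZOOM LEVEL=4",
    "CAM-07 STOP_RECORD",          # not on the allowlist: blocked, alert raised
    "CAM-07 REBOOT",               # not on the allowlist: blocked, alert raised
    "CAM-07 ZOOM LEVEL=99",        # out of range: blocked, alert raised
    "CAM-99 SNAPSHOT",             # unknown device: blocked, alert raised
    "CAM-07 SNAPSHOT && REBOOT",   # off-grammar: rejected before interpretation
    "CAM-07 SNAPSHOT",
]

if __name__ == "__main__":
    fwd, alerts = filter_stream(SAMPLE_TRAFFIC)
    for c in fwd:
        print("FORWARD", c)
    for a in alerts:
        print("ALERT  ", a.reason, "<-", a.raw)
```

The design choice worth noting is default deny: the filter never tries to recognise a bad command, it only recognises good ones, so a message it has never seen before (including one it cannot even parse) is blocked and reported rather than passed through to the recorder.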

3eTI’s CyberFence CIP series acts as a last line of defense to protect industrial devices such as CCTV cameras and their equally vulnerable computer controllers. It sits in front of them and validates all of the commands going to the controller.

This type of last line of defense should be incorporated into an end-to-end, robust and layered cyber-physical defense. A complete end-to-end solution must be employed for all computers and devices, including CCTVs.

It is very important to realize that OT isn’t the same thing as enterprise IT. OT needs its own special last line of defense that goes beyond what is required to protect an enterprise’s front office systems such as accounting, ERP and CRM.

The hackers who were arrested for this incident learned first-hand that it doesn’t pay to hack into a police department. And with a layered security ecosystem, complete with a line of defense strategy, it won’t pay to hack into any organization. 

About the author: Matt Henson is General Manager for Ultra Electronics, 3eTI. Henson is a highly accomplished executive with more than 13 years of Department of Defense (DoD) experience, an active DoD SECRET clearance, and advanced expertise in all facets of project, program and portfolio management from pursuit to close out.

Edited by Ken Briodagh
