The individual attacks showcased in R4IoT are not new, but the attack framework is novel in combining IoT, IT, and OT attacks under one umbrella. The framework simply carries an existing trend to its logical conclusion: ransomware groups, especially politically motivated ones, keep escalating their extortion, and holding a company's building automation infrastructure and other OT systems hostage is the next step. Companies can expect attacks to become more damaging as these groups grow more aggressive in pursuit of their ransoms.
As IoT devices become more commonplace, vendors are making them easier to use out of the box, and therefore more easily accessible to both authorized and unauthorized users. Companies should consider a separate network segment for IoT devices with strict access control, allowing only the bare minimum of required connections. To determine that minimum, companies can log all connections to and from a sample device, create firewall rules that allow those connections and deny all others, and then deny the allowed connections one by one to see which ones break the device's functionality. These recommendations also apply to OT devices, especially ones exposed to the internet.
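The allowlisting procedure above, as an added example (not code from the original article or from Vedere Labs): it parses constructed connection records for one sample device, aggregates the distinct flows, and emits nftables rules that permit only those flows and drop everything else. The device address, the log format, and the `exclude` parameter (which removes one flow for the deny-one-at-a-time test) are assumptions made for this example.

```python
import re
from collections import Counter

DEVICE_IP = "10.20.30.40"  # assumption: the sample IoT device being profiled

# Constructed flow records (not from the page) in a simplified "src dst proto dport" format.
SAMPLE_LOG = """\
2024-01-01T00:00:01 src=10.20.30.40 dst=192.0.2.10 proto=tcp dport=443
2024-01-01T00:00:02 src=10.20.30.40 dst=10.20.30.1 proto=udp dport=53
2024-01-01T00:00:03 src=10.20.30.40 dst=192.0.2.10 proto=tcp dport=443
2024-01-01T00:00:04 src=10.20.30.40 dst=10.20.30.1 proto=udp dport=123
2024-01-01T00:00:05 src=10.20.30.77 dst=10.20.30.40 proto=tcp dport=554
2024-01-01T00:00:06 src=10.20.30.40 dst=203.0.113.5 proto=tcp dport=80
2024-01-01T00:00:07 src=10.20.30.77 dst=10.20.30.40 proto=tcp dport=554
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")

def observed_flows(log_text, device_ip=DEVICE_IP):
    """Count distinct (direction, peer, proto, dport) flows involving the device."""
    flows = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.groups()
        if src == device_ip:
            flows[("out", dst, proto, int(dport))] += 1
        elif dst == device_ip:
            flows[("in", src, proto, int(dport))] += 1
    return flows

def nft_rules(flows, device_ip=DEVICE_IP, exclude=None):
    """Emit nftables forward-chain rules: accept each observed flow, drop the rest.
    Pass one flow tuple as `exclude` to re-test the device without that connection."""
    rules = ["add rule inet filter forward ct state established,related accept"]
    for flow in sorted(flows):
        if flow == exclude:
            continue
        direction, peer, proto, dport = flow
        if direction == "out":
            rules.append(f"add rule inet filter forward ip saddr {device_ip} ip daddr {peer} {proto} dport {dport} accept")
        else:
            rules.append(f"add rule inet filter forward ip saddr {peer} ip daddr {device_ip} {proto} dport {dport} accept")
    rules.append(f"add rule inet filter forward ip saddr {device_ip} drop")  # default-deny outbound
    rules.append(f"add rule inet filter forward ip daddr {device_ip} drop")  # default-deny inbound
    return rules
```

Iterating `nft_rules(flows, exclude=flow)` over each observed flow, applying the ruleset, and checking the device reproduces the one-by-one denial step; any flow whose removal does not break functionality can be dropped from the final allowlist.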
For devices that must be reachable from outside company networks, companies should require VPN access, ideally with multi-factor authentication, so that IoT and OT devices are never public-facing.
Companies should also run proofs of concept for new IoT and OT devices before widespread deployment, where possible, to assess their attack surface. Choosing the right device can make securing it significantly easier.
The report from Vedere Labs has a full NIST Cybersecurity Framework matrix for the entire attack, which can be leveraged to develop remediations for every step in the process. The matrix is generalized to the type of attack rather than specific to R4IoT, extending its value.