Most in this business know who Brian Krebs is. He is well known for looking in the dark corners of the Internet for all sorts of obnoxious evil and documenting it.
In the last day or two, he encountered what appear to be record levels of traffic aimed against his web site. His host, Akamai, had been defending against onslaughts in excess of 600 GBPS. They were getting concerned that even they couldn’t continue at this rate.
And where did a lot of that activity come from? IoT. Yes, the Internet of Thingies: cameras, thermostats, refrigerators, toasters, and the like. It also included unsecured DNS and NTP servers, and basically anything that plays UDP or TCP poorly.
Ladies and Gentlemen, this is a classic example of how the assets in a control system can be used against us by amplifying traffic using UDP (and poorly designed TCP) reflection attacks.
How can we defend against this sort of thing? We need to isolate networks; we need to control addresses, and even consider hard-wiring ARP caches at various firewalls.
We can do this because our networks are NOT public. We CAN lock them down to where these sorts of attacks are largely ineffective.
But we will need educated staff to pull this off. In most utilities, you’re lucky if anyone in the IT department understands this, let alone the OT engineers.