Calibration Lab Vectors of Vulnerability

by Marcus Vickers

No, I am not talking about RF & Microwave calibration! In this context I am talking about the Vectors of Vulnerability through the calibration lab as they relate to Information Technology (IT) and cyber security. We all know that metrology touches everything. But what most of us don’t know is that Target® didn’t get hacked; one of their service providers got hacked—specifically their HVAC vendor. And though the hack was of an outside entity, the attackers were able to gain access to many of Target’s systems, including your credit card information.

Keep in mind, I spent much of my early career as a calibration technician, and now I work as an operations manager for a cyber security and vulnerability assessment company. It is my team’s job to discover new ways to infiltrate and exploit systems, then engineer countermeasures to prevent it from happening in the first place.

Most cyber attacks follow a seven-step “kill chain.” But for the calibration lab, the first three steps are of particular interest because they fit the model of how Target was infiltrated. A threat actor would follow the same pattern of attack to exploit calibration equipment:

  1. Reconnaissance
  2. Weaponize
  3. Deliver
  4. Exploit
  5. Install
  6. Command & Control
  7. Attack

For the most part, the systems and data inside the calibration lab are of little value to the average hacker beyond a few bitcoins from a ransomware attack. Hack a calibration lab and you can download a ton of calibration certificates or maybe learn the accuracy of a Fluke 5730A—not something that has any monetary value or anything that the hacker community would see as a real achievement.

But calibration labs make very tempting pivot targets. Pivoting is a method in which hackers use a compromised system to attack other systems on the same network, avoiding restrictions such as firewall configurations that may prohibit direct access to all machines. A pivot attack through a calibration lab could allow the hackers to bridge air-gapped networks, conduct reconnaissance, deliver malware, or collect proprietary or confidential data from the calibration lab’s customer sites.

Typically, IT combats hackers with updates, patches, and security assessments. Many of these updates are for security reasons. New computers and operating systems are key tools in the never-ending fight to keep hackers out of our systems.

Turning our attention to the calibration lab, we find many systems that have not been updated in years. We have oscilloscopes running Windows 95 and calibration systems written in DOS and Windows 3.1. All of these operating systems fell out of support years ago. In addition, even if a patch existed, the process of patching an embedded OS is generally more complicated than what the corporate IT staff is used to supporting.

Many labs are running legacy software packages that are likely riddled with security issues. These vulnerabilities mixed with a little knowledge could be a recipe for disaster.

Often the threat actors with the capability to execute this type of attack will not be interested in advertising their findings. They will be more interested in keeping their discovered zero-day vulnerabilities to themselves in order to support a broader Advanced Persistent Threat (APT). An APT is an attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry (http://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT).

At this point in time there is only circumstantial evidence that support/test equipment has been used or could be used as an attack vector. But all the warning signs are there, so metrology is going to have to add IT security to the growing list of job skills.