The problem of security in industrial control systems will undoubtedly receive even more attention as a study finding 56 vulnerabilities in OT devices from 10 vendors begins to circulate.
The study from Forescout’s Vedere Labs follows up on similar research conducted 10 years ago, which coined the term “insecure by design” for device models whose built-in features open doors for attackers to take over industrial control systems. Exploitable features are the favored means of penetrating OT devices, and the current research finds that they remain an issue in models created since the previous research was published.
OT devices continue to include features that aid hackers
Attackers often craft malware to exploit features that make OT devices vulnerable. Some examples include Industroyer, which was unleashed on the power grid of Ukraine in 2016, the follow-up Industroyer 2 that was discovered sitting dormant on Ukrainian systems during the current war, and the INCONTROLLER malware found to target a variety of Schneider and OMRON industrial control systems earlier this year.
Vedere Labs worked with the Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning based on this research, advising all operators of industrial control systems to take remediation and mitigation measures with this equipment. While in many cases these particular feature-abuse issues cannot be patched out, there are practices that address the weaknesses, such as network segmentation and targeted monitoring of network traffic. The research was given the name of a waystation for Mount Everest climbers, “Icefall,” in acknowledgment of the mountainous task of addressing vulnerabilities of this sort in industrial control systems.
“Insecure by design” vulnerabilities in OT devices can be broken into four general categories: insecure engineering protocols, weak cryptography and authentication schemes, insecure firmware updates, and native functionality creating the possibility for remote code execution.
About 35% of the documented vulnerabilities allow for firmware manipulation or remote code execution, and 38% allow attackers to compromise credentials. In one case, a protocol was transmitting credentials in plaintext. Even without complete control of the device, attackers can abuse feature weaknesses to cause denial of service or the stoppage or misuse of certain functions of OT devices.
The list of impacted products is made up of equipment that is very frequently used in critical infrastructure operations and is often sold to companies with a “secure by design” designation or some sort of security certification (74% of the listed products carry some guarantee of this nature). Impacted OT devices include condition monitors from Bently Nevada, a variety of products from Emerson, Honeywell and Motorola, programmable logic controllers from JTEKT, Omron and Yokogawa, logic runtime components from Phoenix Contact, and supervisory control and data acquisition (SCADA) equipment from Siemens.
James McQuiggan, Security Awareness Advocate for KnowBe4, notes that vulnerable OT devices are also not difficult for remote attackers to locate: “Conducting a Shodan search (the Google of internet-connected devices), it’s been discovered that almost 6,000 vulnerable devices related to the Icefall report are exposed to the internet with little to no protection. Organizations want to isolate devices they cannot patch or update and consider moving them behind additional firewalls. Consider using jump systems for remote access or having any machine data sent to somewhere else internally in their organization for data collection.”
Durable nature of industrial control systems a double-edged sword when internet-connected
OT devices are specifically made to last for decades and to have simple, purpose-oriented computing hardware. While advantageous for daily operations, these factors also open doors for hackers, as the same devices remain in service without security patches for long periods.
Another issue is a general lack of CVE reporting for industrial control systems; feature abuse issues are generally not assigned CVEs even after they have been made public in some way. Vulnerabilities in supply chain components also do not have a great track record of being reported by affected manufacturers.
The report points out some common issues in the security certifications that accompany most OT devices and industrial control systems. These certifications often only provide guarantees for a limited period, such as up to the first change in hardware or software version. They then require a recertification audit, which often creates substantial added cost. Also, the testing requirements are sometimes limited to functional verification of features rather than stress testing of defensive capability; as long as the feature is present, it is assumed that it is secure.
Product certifications also sometimes overstate the sophistication of the attackers they are designed to repel, with some billed as able to stop the most advanced state-backed threat groups while really only meeting the requirements to prevent “unintentional misuse.” As Ron Fabela (CTO & co-founder at SynSaber) notes, the vulnerabilities listed in this report focus on the easiest-to-access security holes in the world of industrial control systems: “Hardcoded passwords and lack of authentication may be known knowns within OT security circles but the OT ICEFALL report lists them out in black and white for all to see. Like Project Basecamp, OT ICEFALL focuses on the low hanging exploitation fruit of ICS, where exploitation isn’t really necessary at all in most cases. Simply sending the correct command, knowing how to run strings against firmware, or oftentimes just reading the manual will yield the necessary information for attacking these systems.”
The report concludes that developers of industrial control systems and OT devices need to step up security design and controls, given that a “small but skilled team” can be reasonably expected to penetrate their equipment “at surprisingly reasonable cost.” In addition to keeping up with any available manufacturer patches, mitigation recommendations include enforcing segmentation controls, using monitoring solutions with DPI capabilities, and making use of native hardening capabilities such as switches that require physical on-site interaction.
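The segmentation and traffic-monitoring recommendations above are easier to reason about with a concrete check. The following Python script is an added example, not code from the report, from Forescout, or from the article: it audits constructed flow records against a zone allowlist and flags any session that reaches the OT cell from a zone or over a port that the site has not authorized. The zone names, address ranges, port numbers and the flow-record format are all assumptions chosen for illustration; a real deployment would take these from the site's own network design and from its DPI or flow-collection tooling.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical zone layout (constructed for this example).
ZONES = {
    "eng_ws": ipaddress.ip_network("10.10.5.0/24"),      # engineering workstations
    "ot_cell": ipaddress.ip_network("192.168.100.0/24"), # PLCs, RTUs, condition monitors
    "corp": ipaddress.ip_network("10.0.0.0/16"),         # general corporate network
}

# Allowlist of (source zone, destination port) pairs permitted into the OT cell.
# The ports are placeholders for whichever engineering/management protocols the
# site actually runs; they are assumptions, not values taken from the report.
ALLOWED = {
    ("eng_ws", 502),    # assumed engineering protocol, engineering workstations only
    ("eng_ws", 44818),  # assumed engineering protocol, engineering workstations only
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name; anything outside the known ranges is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'src=A dst=B dport=N proto=P'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def audit(lines):
    """Return (src, src_zone, dst, dport) for every flow into the OT cell
    that is not covered by the allowlist."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if zone_of(f.dst) != "ot_cell":
            continue  # only traffic entering the OT cell is in scope
        src_zone = zone_of(f.src)
        if (src_zone, f.dport) not in ALLOWED:
            findings.append((f.src, src_zone, f.dst, f.dport))
    return findings


# Constructed sample flows: one permitted engineering session, one from the
# corporate network, one from the internet, one from an engineering workstation
# over an unapproved port, and one that never touches the OT cell.
SAMPLE_FLOWS = [
    "src=10.10.5.20 dst=192.168.100.10 dport=502 proto=tcp",
    "src=10.0.3.7 dst=192.168.100.10 dport=502 proto=tcp",
    "src=203.0.113.9 dst=192.168.100.11 dport=44818 proto=tcp",
    "src=10.10.5.20 dst=192.168.100.12 dport=23 proto=tcp",
    "src=10.10.5.21 dst=10.0.1.5 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for src, zone, dst, port in audit(SAMPLE_FLOWS):
        print(f"policy violation: {src} ({zone}) -> {dst}:{port}")
```

The point of the check is that it encodes the segmentation policy as data: because the devices themselves cannot enforce authentication, the allowlist (which zones may speak which engineering protocol to the OT cell) is what has to be verified continuously, and every flow outside it is worth an alert regardless of whether a known exploit exists for the target device.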