Hyland 160x1200

Hyland 160x1200

Hyland 705x108

Monday, 29 November 2021 10:37

Industrial safety, reliability—one CVE at a time

By Claroty

GUEST RESEARCH: White-hat researchers, including Claroty’s Team82, have made relatively quick work of finding vulnerabilities in the software, firmware, and communication protocols governing devices that keep shop floors running, the lights on, the water clean, and fuel pumped from refineries to homes around the world.

With a wide swathe of old, legacy technology still running reliably on OT networks, finding bugs in easily accessible automation products and network protocols has been a necessary—and elementary—first step in elevating the cybersecurity of industrial enterprises worldwide.

Along with that research—which to date has resulted in a milestone 250 CVEs disclosed for Team82—comes a responsibility to educate asset owners about their risk exposure, and explain how newly-connected ICS devices and OT networks are exposed to hackers like never before.

That has been Team82’s mission since its inception and today as we take this opportunity to recognise our achievement, it’s also important to recognise that OT cybersecurity research has miles to go before organisations can settle on a risk management strategy that adequately addresses today’s threats and exposures.

This report will reflect on Team82’s leadership in OT vulnerability research, and the initial inroads we’ve made helping vendors normalise vulnerability disclosures and coordination.

Transformation, convergence—and hackers
Team82’s focus on vulnerability discovery in ICS products filled a noticeable research gap within the domain. While it was widely understood that industrial networks were running largely on legacy equipment, some decades old, there were relatively few CVEs reported for software and firmware vulnerabilities.

It became clear that asset owners didn't have full visibility into the cybersecurity risks they were trying to manage. Coupled with the growing number of converged IT/OT environments and the prioritisation of digital transformation, Team82 had an opportunity not only to find and help fix a substantial number of unknown vulnerabilities, but also to educate a growing vendor and user market about the importance of secure development processes, and coordinated vulnerability disclosure and response.

Many of our engagements with automation partners such as Rockwell Automation and Siemens AG, and software vendors, including Codesys, Auvesy, and others, have resulted in improvements to security response, enhancements to vulnerability triage, and coordination as to how vulnerabilities are addressed. This level of cooperation also extends into how details are shared with customers and the community in a safe, responsible manner that lowers risk for all involved.

One dynamic that has emerged in full force is the existence of coordinated disclosure processes within OT. Once solely the purview of IT realms, disclosure processes are now also central to the core of ICS and OT security. As businesses embrace digital transformation and bring OT security management under IT teams, vulnerability and patch management of industrial equipment has been prioritised like never before. And with good reason.

Many process control systems today have links to the internet making them a ripe and rich target for threat actors. As we saw with Colonial Pipeline and JBS Foods attacks, cyber criminals interested in profit are leveraging ransomware and other extortion-based attacks to infiltrate large companies willing to pay out hefty ransom demands.

Team82 has also discovered new attack concepts that have been addressed before they’ve been abused by threat actors. We can point to our report, Top-Down, Bottom-Up: Exploiting Vulnerabilities in the OT Cloud Era, as one example. The relevance has never been more apparent as businesses use cloud-based management systems to manage and configure industrial control systems.

In our report, we explained how an attacker can not only attack field devices by taking over a cloud-based management console, but also how attacks targeting PLC platforms can also be used to climb the ladder, so to speak, and take over the console.

From Team82’s dataset of 250 CVEs, we can see how dangerous the top five vulnerability classes can be to field devices. Not only do the most prevalent vulnerabilities Team82 uncovered lead to code execution or denial of service attacks, but application data may be modified or read in many cases. Below is a look at the top 10 vulnerabilities by impact:

The current environment puts the onus on defenders of industrial networks to be vigilant about exploitable vulnerabilities and also to find a way to cooperatively work alongside researchers who are digging into these critical and sensitive systems. The work that Claroty’s Team82 are doing takes on exponential importance not only because of the impact of cyberattacks on heavy industry, manufacturing, and critical infrastructure, but also because many of these are legacy systems that are difficult or impossible to patch, and run in environments where downtime is unacceptable.

ICS and OT cybersecurity is very much in a similar time continuum as IT was in the early 2000s when Windows emerged as king of the desktop, yet had little in the way of discernable and coordinated cybersecurity processes built in to address vulnerabilities.

Attackers had a field day unleashing worms via connected Windows desktops and servers that caused severe interruptions to businesses worldwide. Eventually, introverted hackers found a way to emerge as profit-motivated criminals and exploit the landscape until Microsoft deployed Trustworthy Computing and extended the olive branch to white-hat researchers.

This should sound familiar to those intimately familiar with ICS and OT networks. Digital transformation and convergence have dragged industrial control systems into the world commodity attacks, and more than ever, researchers are a paramount piece of the cybersecurity puzzle. Large manufacturing organisations, food and beverage companies, and heavy industries cannot afford to have a contentious relationship with vulnerability researchers. The two sides are fighting the same fight and working toward similar goals, such as developing extensive vulnerability management programs that have at the forefront, standardised coordinated disclosure processes.

Finding and fixing bugs is one thing, a safer market is quite another
What began with a simple disclosure in a Schneider Electric engineering workstation software tool has evolved to the ICS security industry’s most prolific team. Team82 has disclosed 250 vulnerabilities to the leading providers in the ICS domain, including Rockwell Automation, Siemens, ABB, GE, and dozens of other companies, working closely with these leaders to patch vulnerabilities or provide mitigations whenever possible.

Research teams such as Claroty’s face an uphill battle given the sheer volume of legacy systems still in operation, and the lack of standardisation between vendors and products that must communicate on shop floors. Combining that with the intolerance of downtime, and remediating software and firmware vulnerabilities is a demanding challenge.

Patching software is much more straightforward with shorter updates and distribution cycles. Firmware updates are much more difficult because of the complexity involved in developing and implementing updates. Often, because firmware update cycles are so much longer than software, vendors are forced to provide temporary mitigation solutions until a fix is available. This extends the window of opportunity available to attackers to target and exploit these flaws.

In Team82’s Biannual ICS Risk & Vulnerability Report for the 1H 2021, 26% of vulnerabilities across the ICS domain were not patched, or only partial remediation such as mitigation advice was made available. Of the vulnerabilities with no fix or partial remediation, 62% were firmware vulnerabilities. More than half of those flaws enabled either remote code execution or denial of service conditions, both of which are likely to shut down or affect the integrity of industrial processes.

Nonetheless, Team82 has observed a steady transformation among its automation partners. Large organisations such as Rockwell and Siemens, for example, have mature vulnerability disclosure processes that not only include bug triage and remediation, but also close coordination with research teams such as Team82.

While industry standards—developed largely for IT vulnerability management—dictate that vendors have 90 days to respond with a patch or mitigation advice, that approach may not always be enforceable within OT. Business software has much quicker turnover cycles, while control systems and field devices were designed to last for decades. As a result, vendors scramble to address vulnerabilities in legacy systems and are often forced to recommend mitigations and defence-in-depth strategies, such as network segmentation and secure remote access solutions, to make vulnerabilities more difficult to exploit.

This year, Team82 has enjoyed a number of successfully coordinated disclosure efforts with affected vendors, including Rockwell, Siemens, and smaller partners such as Auvesy.

In each case, researchers not only securely shared vulnerability details with the vendor, but provided proof-of-concept code triggering the flaws, collaborated on fixes, and confirmed they were effective. In some cases, both sides worked on coordinated disclosures to industry groups such as Ics-Cert, customer advisories, and public notifications depending on the severity and impact of the flaw, and scope of affected customers.

This is maturity in a discipline that’s relatively new to industrial enterprises. To those that are lagging behind, the US government may soon stir them to action. Prompted by the Colonial Pipeline and JBS Foods attacks, numerous bills have been introduced to Congress that essentially mandate reporting incidents—largely within a 72-hour timeframe—to Cybersecurity and Infrastructure Security Agency (CISA).

CISA is likely to be established as the vulnerability clearinghouse for attacks and incidents affecting privately owned and publicly maintained critical infrastructure. Some bills also mandate that ransom payments be reported to the government in an effort to understand and curb the threat posed by extortion attacks to critical industries.

Team82 vulnerability data
The impact of ICS and OT vulnerability research is being felt across industries, primarily as it makes this a safer and more reliable domain for plants and critical infrastructure. We took a look at Team82’s vulnerability dataset, and wanted to illustrate some numbers and trends that decision makers can use in conversations with the board or champions within their four walls.

Since 2019, Team82 has disclosed 250 vulnerabilities, a milestone number, affecting 40 vendors.

Of those 250, close to 71% have a network attack vector, indicating they can be attacked remotely.

Decision makers require context as to the severity of exploitable vulnerabilities. Of the 250 vulnerabilities disclosed by Team82, eight of 10 are either rated critical or high severity.

Team82 has focused on some of the leading automation vendors, working closely with them to improve the safety and reliability of their products. The chart below illustrates the number of vulnerabilities in Team82’s dataset ranked by vendor; note that this should not indicate a lack of secure software or firmware development among these vendors. Instead, these numbers indicate a willingness to work with researchers, address vulnerabilities before they’re exploited, and improve all-around security response efforts.

Where do we go from here?
Team82 will continue to lead the way in innovative ICS and OT cybersecurity research, and more importantly, contribute to the overall safety, resilience, and reliability of the market by ensuring that vulnerabilities are discovered, patched, or mitigated.

Our work also extends out to vendor partners, and asset owners. Vulnerability research and disclosures help vendors grow and mature product security and internal response procedures. Asset owners, meanwhile, get an accurate picture of their inventory from partners such as Claroty, and may prioritise how to best lock down patch and vulnerability management processes.

Two hundred and fifty disclosures are our first milestone. While it’s a number to be proud of, it’s just the beginning, and we grow our team and influence, and establish ourselves as a most trusted partner to the community.


Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here
BACK TO LATEST NEWS here

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinatrs and campaigns and assassistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments