A new report from FireEye examines the attack surfaces shared by a number of industrial enterprise operations, including electric utilities, petroleum companies, and manufacturing organizations.
The report's author, Sean McBride, points to a number of problems with the processes and technologies used in the industrial space, which some organizations might overlook when considering risk. The six weaknesses outlined by the report center on protocols, hardware, authentication, third-party software relationships, file integrity, and operating systems.
The harsh reality, though, given the state of many industrial environments, is that most of the problems highlighted by the report aren't easily fixed.
The report doesn't say so, but FireEye has done plenty of engagements in the industrial space, and it's possible that many of the points made are drawn from problems that have cropped up during those engagements over the years.
FireEye starts by talking about the protocols used to communicate between sensors/actuators and the I/O of the PLC (e.g. Modbus, HART, CAN, Foundation Fieldbus, PROFIBUS), as well as the protocols used to communicate between PLCs and the management computers (e.g. DNP3, Modbus/TCP, BACnet, EtherNet/IP, etc.).
"When an ICS protocol lacks authentication, any computer on the network can send commands that alter the physical process, such as changing the set point or sending an inaccurate measurement value to the Human Machine Interface (HMI). This may lead to incorrect process operation, which damages goods, destroys plant equipment, harms personnel, or degrades the environment," the report explains.
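To make the quote concrete, here is an added example (not code from the FireEye report) that builds a Modbus/TCP Write Single Register request, parses it back, and applies the kind of allowlist rule a network monitor would use. The IP addresses, register number and setpoint value are constructed for illustration; the point is that the 12-byte frame has no field for a credential, so the only place to distinguish the HMI from a rogue host is outside the protocol.

```python
import struct

# Modbus function codes that change process state (a subset).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def build_write_register(transaction_id, unit_id, register, value):
    """Build a Modbus/TCP ADU for function 0x06 (Write Single Register).

    MBAP header: transaction id, protocol id (always 0), remaining length,
    unit id. The PDU is function code, register address, value. There is
    no field anywhere in the frame for a credential or a signature.
    """
    pdu = struct.pack(">BHH", 6, register, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_tcp(frame):
    """Parse the MBAP header and function code; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return {"transaction_id": tid, "unit_id": unit,
            "function": frame[7], "data": frame[8:]}


def check_write(frame, src_ip, allowed_writers):
    """Monitor rule: a write request from any host other than the known HMI
    or engineering workstations is an alert, because the PLC itself will
    accept it. Returns None when the frame needs no action."""
    msg = parse_modbus_tcp(frame)
    fn = msg["function"]
    if fn not in WRITE_FUNCTIONS or src_ip in allowed_writers:
        return None
    detail = ""
    if fn == 6 and len(msg["data"]) >= 4:
        reg, val = struct.unpack(">HH", msg["data"][:4])
        detail = f" register={reg} value={val}"
    return (f"ALERT: {WRITE_FUNCTIONS[fn]} from unauthorized host {src_ip} "
            f"to unit {msg['unit_id']}{detail}")


if __name__ == "__main__":
    # Constructed traffic: the HMI at 10.0.0.10 and a rogue host at 10.0.0.99
    # send the same setpoint write; nothing in the frame tells them apart.
    frame = build_write_register(1, 1, 100, 500)
    print(frame.hex())
    print(check_write(frame, "10.0.0.10", {"10.0.0.10"}))
    print(check_write(frame, "10.0.0.99", {"10.0.0.10"}))
```

The allowlist is the compensating control: because the device cannot verify who sent the write, the network between the sender and the PLC has to, either by blocking it (segmentation, firewall rules) or at least by alerting on it.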
Industrial hardware can be expensive, and the idea is that it will last decades, if not longer. However, many industrial enterprises are using hardware that wasn't designed with today's security, or even today's technical requirements, in mind.
"This hardware, such as PLCs, RTUs, VFDs, protective relays, flow computers, and gateway communicators, may operate too simplistically or lack the processing power and memory to handle the threat environment presented by modern network technology," the report says.
Older hardware can cause a number of problems, the report explains, including the 2006 incident at Browns Ferry Nuclear Generating Station, where controllers malfunctioned under excessive network traffic, and PLCs crashing when subjected to network scans.
The authentication problem in the industrial sector is bad, but it's slowly getting better due to the focus it has received over the years. Legacy systems, however, remain the serious risk.
Default passwords and hard-coded passwords are common, and lists containing both are easily obtained on the internet. Another risk is passwords that are easily cracked, or stored in formats that can be recovered with little effort.
The recommendation made by McBride is that organizations should match internal device inventory against lists of default and/or hard-coded ICS passwords and monitor device logs for exploit attempts.
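The two halves of that recommendation, as an added example rather than anything from the report: match an asset inventory against a credential list, separating defaults that can be changed from hard-coded accounts that cannot, and then watch device logs for logins to those accounts and for brute-force patterns. The vendor names, model names, credentials, hosts and log lines are all constructed placeholders, and the log format is an assumed syslog-like layout rather than any real product's.

```python
import re
from collections import Counter

# Constructed credential list: model -> [(account, password, hard-coded?)].
# Vendor and model names and the passwords are placeholders, not real defaults.
DEFAULT_CREDS = {
    "ExampleVendor PLC-100": [("admin", "admin", False), ("service", "svc123", True)],
    "ExampleVendor RTU-2": [("operator", "operator", False)],
}

# Constructed asset inventory.
INVENTORY = [
    {"host": "10.10.1.5", "model": "ExampleVendor PLC-100"},
    {"host": "10.10.1.6", "model": "ExampleVendor PLC-100"},
    {"host": "10.10.2.9", "model": "ExampleVendor RTU-2"},
    {"host": "10.10.2.10", "model": "OtherVendor Relay-7"},
]


def match_inventory(inventory, defaults):
    """For each device, list default accounts that must be changed and
    hard-coded ones that cannot be, which need a compensating control."""
    findings = []
    for dev in inventory:
        for account, _pw, hardcoded in defaults.get(dev["model"], []):
            findings.append({
                "host": dev["host"],
                "account": account,
                "action": "isolate and monitor" if hardcoded else "change password",
            })
    return findings


# Assumed log layout: "<timestamp> <device> login ok|failed user=<u> src=<ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines.
SAMPLE_LOGS = """\
2016-09-01T08:00:01 10.10.1.5 login failed user=admin src=10.10.9.40
2016-09-01T08:00:02 10.10.1.5 login failed user=admin src=10.10.9.40
2016-09-01T08:00:03 10.10.1.5 login failed user=admin src=10.10.9.40
2016-09-01T08:00:04 10.10.1.5 login ok user=service src=10.10.9.40
2016-09-01T08:05:00 10.10.2.9 login ok user=operator src=10.10.3.2
"""


def scan_logs(lines, inventory, defaults, fail_threshold=3):
    """Alert on successful logins to default/hard-coded accounts and on
    repeated failures from one source against one device."""
    model_by_host = {d["host"]: d["model"] for d in inventory}
    failures = Counter()
    alerts = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real monitor would count these too
        host, user, src, result = m["host"], m["user"], m["src"], m["result"]
        accounts = {a for a, _p, _h in defaults.get(model_by_host.get(host, ""), [])}
        if result == "failed":
            failures[(host, src)] += 1
            if failures[(host, src)] == fail_threshold:
                alerts.append(f"{host}: {fail_threshold} failed logins from {src}")
        elif user in accounts:
            alerts.append(f"{host}: successful login to default/hard-coded "
                          f"account '{user}' from {src}")
    return alerts


if __name__ == "__main__":
    for f in match_inventory(INVENTORY, DEFAULT_CREDS):
        print(f)
    for a in scan_logs(SAMPLE_LOGS, INVENTORY, DEFAULT_CREDS):
        print(a)
```

The hard-coded case is the one that matters most for legacy gear: the inventory match cannot produce a "change it" action, so the output has to feed a network restriction and a log rule instead.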
File Integrity Checks
McBride goes into detail on integrity checks, including certificates, firmware, and control logic.
For control logic and certificates, the most widely known example of an attack exploiting these weaknesses is Stuxnet. In 2009, Stuxnet modified the logic sent to the targeted Siemens PLCs and replaced a legitimate driver DLL with a malicious copy, taking advantage of the lack of integrity checking on both.
The report cites six examples of firmware problems, including one from 2015 where weak firmware integrity checks enabled the Sandworm Team to prolong a power outage in Ukraine.
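What "weak firmware integrity checks" means in practice, as an added example that is not from the report and does not model any specific vendor's update format: a checksum trailer catches accidental corruption but not deliberate tampering, because whoever can rewrite the image can recompute the checksum. A keyed check (here HMAC-SHA256; a production design would use an asymmetric signature so the device holds no secret) fails as soon as the code bytes change. The firmware image and key are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed stand-in for a firmware image; not a real device image.
FIRMWARE = b"\x7fELF" + b"\x00" * 60 + b"PLC firmware v1.2 main loop" + b"\x90" * 32
# Constructed key the device would hold and an attacker on the network would not.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def package_weak(image):
    """Weak: append a CRC32 trailer. Anyone can recompute it after tampering."""
    return image + struct.pack(">I", zlib.crc32(image) & 0xFFFFFFFF)


def verify_weak(blob):
    image, trailer = blob[:-4], blob[-4:]
    return struct.unpack(">I", trailer)[0] == (zlib.crc32(image) & 0xFFFFFFFF)


def package_strong(image, key):
    """Stronger: append an HMAC-SHA256 tag keyed with a secret the attacker lacks."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def verify_strong(blob, key):
    image, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def tamper(blob, trailer_len, patch):
    """Attacker swaps code bytes in the image portion of a packaged blob."""
    return blob[:-trailer_len].replace(b"main loop", patch)


def demo():
    weak = package_weak(FIRMWARE)
    naive = tamper(weak, 4, b"backdoor!") + weak[-4:]      # old CRC left in place
    recomputed = package_weak(tamper(weak, 4, b"backdoor!"))  # attacker fixes the CRC

    strong = package_strong(FIRMWARE, SIGNING_KEY)
    forged = tamper(strong, 32, b"backdoor!") + strong[-32:]  # old tag reused

    return {
        "weak_detects_naive_tamper": verify_weak(naive),
        "weak_passes_recomputed_tamper": verify_weak(recomputed),
        "strong_passes_genuine": verify_strong(strong, SIGNING_KEY),
        "strong_passes_tampered": verify_strong(forged, SIGNING_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first two results are the whole argument: the CRC does reject a clumsy edit, which is why it looks like an integrity check, but it accepts the edit the moment the attacker recomputes the trailer, which any attacker who can push firmware can do.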
"Engineering workstations and HMIs often run outdated and unpatched Microsoft Windows operating systems, leaving them exposed to known vulnerabilities. In some cases, this means that adversaries may access industrial systems without needing control systems specific knowledge," McBride wrote.
Windows is sometimes the punching bag of InfoSec, and while it has plenty of problems, it isn't anywhere near as bad as it used to be. But the point made by FireEye and other ICS experts is that most industrial organizations are still running outdated versions of Microsoft's flagship operating system.
If it can't be updated or patched, FireEye stresses that organizations need to deploy some sort of compensating control. Otherwise, the system will continue to be a sitting duck.
"In our experience, ICS asset owners seldom document and track third-party dependencies in ICS software they operate. Many ICS vendors may not immediately know the third-party components they use, making it difficult for them to inform their customers of the vulnerabilities. Adversaries who understand these dependencies can target software the industrial firm may not even know it has," McBride explained.
The report says organizations need to request (or require) that ICS vendors provide a list of the third-party software and versions used in their products, including open source software. They should also require that vendors provide timely notification of vulnerabilities that affect their products.
When it came to Heartbleed and POODLE, a number of ICS products were affected, but many vendors didn't release advisories until months after the vulnerabilities were made public.
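What an asset owner can do with such a component list once they have it, as an added example that is not from the report: match each product's third-party components against an advisory's affected version range. The one rule used here is a real one, Heartbleed (CVE-2014-0160), which affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g. The product names and component versions in the sample list are constructed, and the list layout is an assumed simplified format rather than any standard SBOM schema.

```python
import re

# Real advisory used as the matching rule: Heartbleed affected OpenSSL
# 1.0.1 through 1.0.1f; 1.0.1g was the fixed release.
ADVISORIES = [
    {"id": "CVE-2014-0160", "component": "openssl", "min": "1.0.1", "fixed": "1.0.1g"},
]

# Constructed component list in the shape a vendor might supply for its products.
SBOM = [
    {"product": "ExampleHMI 4.2", "component": "openssl", "version": "1.0.1e"},
    {"product": "ExampleHMI 4.2", "component": "zlib", "version": "1.2.8"},
    {"product": "ExampleGateway 2.0", "component": "openssl", "version": "1.0.1g"},
    {"product": "ExampleRTU-fw 3.1", "component": "openssl", "version": "0.9.8y"},
    {"product": "ExampleRTU-fw 3.1", "component": "OpenSSL", "version": "1.0.2"},
]

# OpenSSL-style versions: dotted numbers with an optional letter suffix (1.0.1f).
_VER = re.compile(r"^(\d+(?:\.\d+)*)([a-z]*)$")


def parse_version(v):
    """Return a comparable (numeric tuple, letter suffix) pair."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def is_affected(version, adv):
    """True when min <= version < fixed, using the parsed ordering."""
    v = parse_version(version)
    return parse_version(adv["min"]) <= v < parse_version(adv["fixed"])


def match_sbom(sbom, advisories):
    """Return (product, component, version, advisory id) for every hit."""
    hits = []
    for entry in sbom:
        for adv in advisories:
            same = entry["component"].lower() == adv["component"].lower()
            if same and is_affected(entry["version"], adv):
                hits.append((entry["product"], entry["component"],
                             entry["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for hit in match_sbom(SBOM, ADVISORIES):
        print("affected:", hit)
```

With the list in hand the owner can answer "are we exposed?" on the day the advisory is published, instead of waiting for the vendor's own bulletin; the version parser is the piece that usually goes wrong, since a plain string comparison would rank 1.0.1g below 1.0.1e and 0.9.8y above both.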
The topic of industrial security is an important one, mostly because the equipment found in these environments isn't easily upgraded or replaced. This makes securing such environments a challenge, as there are no easy solutions.
The full report from FireEye will be available on their website later this morning.