Security

Research

What to do about inherent security flaws in critical infrastructure?

Industrial systems' security got 99 problems and CVEs are one. Or more


The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure. 

But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.

"Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."

In research published last week, Forescout's Vedere Labs detailed 56 bugs in devices built by ten vendors and collectively named the security flaws OT:ICEFALL. 

As the report authors acknowledged, many of these holes are a result of OT products' being built with no basic security controls. Indeed, Forescout's analysis comes ten years after Digital Bond's Project Basecamp that also looked at OT devices and protocols and deemed them "insecure by design."

A few hours after Forescout published its research, CISA issued its own security warnings related to the OT:ICEFALL vulnerabilities.

CVEs: The problem? Or the fix?

"Up until this point, CVEs haven't been generated for these insecure-by-design-things, and there's a reason for that," Fabela said. "It's bad for the industry."

Once a CVE is generated, it sets into motion a series of actions by industrial systems' operators, especially in heavily regulated industries like electric utilities and oil and gas pipelines. 

First, they have to determine if the environment contains any affected products. But unlike enterprise IT, which usually has centralized visibility and control over IT assets, in OT environments, "everything is distributed," Fabela noted.

If industrial and manufacturing environments do have any products impacted by the vulnerability, that triggers an internal review and regulatory process that involves responding to CISA and developing a plan to improve security.

One SynSaber customer sarcastically described OT:ICEFALL as "the gift that keeps on giving," Fabela said. "He said, 'Now I have this on top of all my other like, the real vulnerabilities'," which present a slew of other problems when it comes to patching — such as having to wait until a planned maintenance outage that may be months out — if the manufacturer has a patch at all.

OT protocols don't use authentication

For example: The current Modbus protocol, which is very commonly used in industrial environments, does not have authentication. 

Forescout's analysis details nine vulnerabilities related to unauthenticated protocols and disputes the argument that against assigning a CVE ID to a product with an insecurity OT protocol.

"On the contrary, we believe a CVE is a community recognized marker that aids in vulnerability visibility and actionability by helping push vendors to fix issues and asset owners to assess risks and apply patches," the authors wrote.

While this makes sense from an IT security perspective, Fabela said it's unrealistic from an OT perspective, and ultimately doesn't make critical infrastructure any more secure.

Modbus, as a protocol that does not use authentication, could generate "thousands" of CVEs that "affect every product line in the world," he Fabela. "You're tying up the product security teams with the OEMs and you're tying up the customers, the asset owners with CVE that they can't do anything about." 

Basecamp researcher weighs in

Reid Wightman is a senior vulnerability researcher with OT security shop Dragos' threat intel team. He's also one of the original Project Basecamp researchers, and, more recently has done work on the ProConOs and MultiProg software vulnerabilities.

Forescout cited some of his research, and dedicated a section of the ICEFALL analysis to security flaws with the ProConOS runtime in PLCs.

In an email to The Register, Wightman noted that a lot of industrial controllers have the same set of problems that isn't going away: "they allow unauthenticated code to run on the PLC." 

"This means that one malicious logic transfer to the PLC may permanently compromise the PLC," he added, noting that, because the control logic is causing the change, it can happen outside of a normal firmware update. "It's kind of a thing I've harped on since the Basecamp days, but may be worth repeating. Over and over again. Until the sun burns out, probably."

Lately, one of Wightman's "big, personal concerns" is that some vendors say they can use TLS and client certificates to secure controllers, presumably to avoid. In reality, this would just make the traffic more difficult to inspect, Wightman said.

"If an attacker gets onto the engineering system, they may load a malicious payload using CVE-2022-31800/CVE-2022-31801 (or any of the similar problems that exist in almost every logic runtime) into the controller," he added. "Only, now we have no way of telling whether they did it because the traffic is encrypted."

So how do we fix the problem? 

"I guess my answer would be: if your engineering system is compromised, throw away all of the controllers that it was allowed to talk to," Wightman said. "And I doubt most end users would go to that level of paranoia."

Which, again, points to the insecure-by-design nature of how these systems are engineered.

"Thankfully, we see no signs of any widespread abuse of these protocols or 'features' in spite of some of the bugs being well-known for years," Wightman added. "I really do hope it stays that way." ®

Send us news
46 Comments

Nvidia's newborn ChatRTX bot patched for security bugs

Flaws enable privilege escalation and remote code execution

March Patch Tuesday sees Hyper-V join the guest-host escape club

Critical bugs galore among 61 Microsoft fixes, 56 from Adobe, a dozen from SAP, and a fistful from Fortinet

Font security 'still a Helvetica of a problem' says Australian graphics outfit Canva

Who knew that unzipping a font archive could unleash a malicious file

Row breaks out over true severity of two DNSSEC flaws

Some of us would be happy being rated 7.5 out of 10, just sayin'

JetBrains keeps mum on 26 'security problems' fixed after Rapid7 spat

Vendor takes hardline approach to patch disclosure to new levels

Microsoft Copilot for Security prepares for April liftoff

Automated AI helper intended to make security more manageable

In the rush to build AI apps, please, please don't leave security behind

Supply-chain attacks are definitely possible and could lead to data theft, system hijacking, and more

More than 133,000 Fortinet appliances still vulnerable to month-old critical bug

A huge attack surface for a vulnerability with various PoCs available

US critical infrastructure cyberattack reporting rules inch closer to reality

After all, it's only about keeping the essentials on – no rush

Miscreants are exploiting enterprise tech zero days more and more, Google warns

Crooks know where the big bucks are

Uncle Sam's had it up to here with 'unforgivable' SQL injection flaws

Software slackers urged to up their game

Microsoft confirms memory leak in March Windows Server security update

ALSO: Viasat hack wiper malware is back, users are the number one cause of data loss, and critical vulns