World’s Most Common Industrial Control Protocol Dates From 1979

Network-Level Study Reveals Outdated ICS and SCADA Security

Remembering the days before mobile phones, the modern internet or even desktop PCs requires making a hazy, fuzzy leap into the past. But some technology sticks around for a long time, and for security reasons that’s not necessarily a good thing.

Take industrial controls systems, which are the computers and logic controllers that run power plants, manufacturing operations, pharmaceutical factories and oil and gas systems.

The most common serial communications protocol used for these systems remains Modbus, which dates from 1979, when the most advanced technology in a home probably would have been an 8-bit Atari 400.

That finding comes from a new study from CyberX, a Framingham, Massachusetts-based company that specializes in developing defenses for industrial control systems and supervisory control and data acquisition systems, aka ICS and SCADA.

CyberX’s study looked at 375 organizations that use its software to find vulnerabilities or weak points in their systems. The research is compelling because it involved passive analysis of actual network traffic, revealing real-world insight into the state of industrial systems’ security.

CyberX says “although questionnaire-based surveys have been conducted in the past, this type of real-world network analysis has never been conducted before.”

Securing the ICS and SCADA systems that run critical infrastructure is a top priority for governments. Cyberattacks in Ukraine in 2015 and 2016 caused widespread blackouts after attackers infiltrated power stations. Experts have warned that such attacks could be replicated elsewhere to devastating effect (see Ukraine Blackout Redux: Hacking Confirmed).

Riding the Modbus

For the study, CyberX mirrored the network traffic inside an organization, connecting to the SPAN port of a network switch. From there, it gathered information on network topology and figured out which devices are attached to the network.

It then used deep packet inspection and network traffic analysis algorithms to decode packets. That’s how it determined that 58 percent of organizations use Modbus.

Modbus’s “simplicity and efficiency caused it to become the most widely used network protocol in the industrial manufacturing environment,” writes Liron Benbenishti, an ICS/SCADA cybersecurity quality assurance engineer with the security vendor Cyberbit, in a blog post from April.

But numerous security weaknesses and vulnerabilities have been found in Modbus TCP – the version of Modbus that runs over TCP/IP – which should be no surprise given its age. Benbenishti writes that Modbus doesn’t have any security or encryption features, and he outlines several scenarios in which attackers could exploit those weaknesses to inject rogue commands.

CyberX also notes that it remains difficult for organizations to detect any such strange activity, as “monitoring tools designed for corporate IT networks are ‘blind’ to OT [operational technology]-specific protocols like Modbus TCP.”
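The passive approach described above (decode mirrored traffic, identify which devices speak Modbus TCP, and watch for activity that corporate IT monitoring would miss) comes down to parsing a very small frame format. The following is an added example, not code from the original article or from CyberX: a minimal Modbus/TCP decoder run over constructed packet bytes, which counts reads and writes per talker pair and raises an alert when a host that is not expected to change controller state issues a write function code. The host addresses, the "allowed writers" list and the sample payloads are all constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MODBUS_TCP_PORT = 502

# Public function codes from the Modbus application protocol specification.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTIONS


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Decode one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1),
    where length counts the unit id plus the PDU. Bytes that do not fit the
    format are reported as None so the caller can treat them as non-Modbus.
    """
    if len(payload) < 8:  # header plus at least a function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length < 2 or len(payload) != 6 + length:
        return None
    return ModbusFrame(tid, unit, payload[7], payload[8:])


Flow = Tuple[str, str, int, bytes]  # (src ip, dst ip, dst port, tcp payload)


def audit_flows(flows: List[Flow], allowed_writers: Set[str]):
    """Count Modbus reads/writes per (src, dst) pair and flag writes from
    hosts that are not on the list of expected writers (e.g. the HMI)."""
    stats: Dict[Tuple[str, str], Dict[str, int]] = {}
    alerts: List[str] = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_TCP_PORT:
            continue
        frame = parse_modbus_tcp(payload)
        if frame is None:
            continue  # not Modbus, even though it used port 502
        entry = stats.setdefault((src, dst), {"reads": 0, "writes": 0, "other": 0})
        if frame.function_code in READ_FUNCTIONS:
            entry["reads"] += 1
        elif frame.is_write:
            entry["writes"] += 1
            if src not in allowed_writers:
                alerts.append(f"{src} -> {dst} unit {frame.unit_id}: "
                              f"{WRITE_FUNCTIONS[frame.function_code]} "
                              f"(function code {frame.function_code})")
        else:
            entry["other"] += 1
    return stats, alerts


# Constructed sample payloads (hex), not real captures.
READ_HOLDING = bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0a")
WRITE_SINGLE = bytes.fromhex("00 02 00 00 00 06 01 06 00 10 00 01")
WRITE_MULTI = bytes.fromhex("00 03 00 00 00 0b 01 10 00 00 00 02 04 00 01 00 02")
NOT_MODBUS = b"GET / HTTP/1.1\r\n"  # something else talking to port 502

# Hypothetical hosts: an HMI that is allowed to write, a PLC, and a laptop.
HMI, PLC, LAPTOP = "10.10.1.5", "10.10.2.20", "10.10.1.9"
ALLOWED_WRITERS = {HMI}
SAMPLE_FLOWS: List[Flow] = [
    (HMI, PLC, 502, READ_HOLDING),
    (HMI, PLC, 502, WRITE_SINGLE),
    (LAPTOP, PLC, 502, WRITE_MULTI),
    (LAPTOP, PLC, 502, NOT_MODBUS),
    (HMI, PLC, 8080, WRITE_SINGLE),  # not on the Modbus port, ignored
]


def run_audit():
    return audit_flows(SAMPLE_FLOWS, ALLOWED_WRITERS)


if __name__ == "__main__":
    stats, alerts = run_audit()
    for pair, counts in stats.items():
        print(pair, counts)
    for alert in alerts:
        print("ALERT:", alert)
```

The strict length and protocol-id checks matter in practice: on a SPAN feed, port 502 also carries scanner noise and misconfigured clients, and a decoder that accepts anything on that port will inflate the device inventory. The per-pair read/write counts are the baseline a monitoring tool needs before it can say which writes are unusual.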

Problem Area: Old Windows

Unsurprisingly, CyberX found that 76 percent of the industrial sites it studied are running outdated versions of Windows, including XP and 2000.

Microsoft no longer issues free security patches for those systems, and its advice is clear: Upgrade as quickly as possible to a supported OS. But the simple advice belies a much more complicated picture, where tight IT budgets and application compatibility issues often derail upgrade plans (see London Police Busted For Windows XP Possession).

Although Microsoft has been firm about not issuing updates for older operating systems to customers who don’t pay for pricey extended-support contracts, it did make an exception this year after the WannaCry ransomware outbreak. The malware spread using an exploit called EternalBlue that took advantage of a vulnerability in the Server Message Block version 1 protocol.

The NSA is suspected of developing EternalBlue. Somehow, a group calling itself The Shadow Brokers obtained the exploit along with other spy tools. Due to the rapid spread of WannaCry, Microsoft took the unprecedented step of issuing free patches for Windows XP, Windows 8 and Windows Server 2003 to fix the SMBv1 flaw.

CyberX warns that the use of old Windows versions, however, remains a potential train wreck for ICS environments.

“There are still hundreds or thousands of known vulnerabilities for older versions of Windows that will never be patched, making these Windows boxes ideal candidates for attackers to compromise,” it writes.

Air Gaps and Anti-Virus

CyberX’s report reveals a bevy of other alarming findings, none of which are good: