Network-Level Study Reveals Outdated ICS and SCADA Security
Remembering the days before mobile phones, the modern internet or even desktop PCs requires making a hazy, fuzzy leap into the past. But some technology sticks around for a long time, and for security reasons that’s not necessarily a good thing.
Take industrial control systems, which are the computers and logic controllers that run power plants, manufacturing operations, pharmaceutical factories and oil and gas systems.
The most common serial communications protocol used for these systems remains Modbus, which dates from 1979, when the most advanced technology in a home probably would have been an 8-bit Atari 400.
That finding comes from a new study from CyberX, a Framingham, Massachusetts-based company that specializes in developing defenses for industrial control systems and supervisory control and data acquisition systems, aka ICS and SCADA.
CyberX’s study looked at 375 organizations that use its software to find vulnerabilities or weak points in their systems. The research is compelling because it involved passive analysis of actual network traffic, giving a real-world picture of the state of industrial systems’ security.
CyberX says “although questionnaire-based surveys have been conducted in the past, this type of real-world network analysis has never been conducted before.”
Securing the ICS and SCADA systems that run critical infrastructure is a top priority for governments. Cyberattacks in 2015 and 2016 in Ukraine caused widespread blackouts after attackers infiltrated power stations. Experts have warned such attacks could be replicated elsewhere to devastating effect (see Ukraine Blackout Redux: Hacking Confirmed).
Riding the Modbus
For the study, CyberX mirrored the network traffic inside an organization, connecting to the SPAN port of a network switch. From there, it gathered information on network topology and figured out which devices are attached to the network.
It then used deep packet inspection and network traffic analysis algorithms to decode packets. That’s how it determined that 58 percent of organizations use Modbus.
Modbus’s “simplicity and efficiency caused it to become the most widely used network protocol in the industrial manufacturing environment,” writes Liron Benbenishti, an ICS/SCADA cybersecurity quality assurance engineer with the security vendor Cyberbit, in a blog post from April.
But numerous security weaknesses and vulnerabilities have been found in Modbus TCP – the version of Modbus that runs over TCP/IP – which should be no surprise given its age. Benbenishti writes that Modbus doesn’t have any security or encryption features, and he outlines several scenarios in which attackers could exploit those weaknesses to inject rogue commands.
CyberX also notes that it remains difficult for organizations to detect any such strange activity, as “monitoring tools designed for corporate IT networks are ‘blind’ to OT [operational technology]-specific protocols like Modbus TCP.”
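To show what "decoding" Modbus TCP means for a passive monitor of the kind described above, here is an added example (not CyberX's or Cyberbit's code) that parses the MBAP header and PDU of Modbus/TCP frames and flags write requests, which an IT-only monitoring tool would not recognise. The frame bytes are constructed samples, not captured traffic; the function-code names come from the public Modbus Application Protocol specification.

```python
import struct
from dataclasses import dataclass

# Function codes from the public Modbus Application Protocol specification.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int   # exception bit (0x80) stripped
    data: bytes
    is_exception: bool

def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # MBAP length covers unit id + PDU; a mismatch means truncation or non-Modbus data.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} != {len(payload) - 6} bytes present")
    fc = payload[7]
    return ModbusFrame(tid, unit, fc & 0x7F, payload[8:], bool(fc & 0x80))

def classify(frame: ModbusFrame) -> str:
    """Return 'read', 'write', 'exception' or 'other' for alerting decisions."""
    if frame.is_exception:
        return "exception"
    if frame.function_code in WRITE_FUNCTIONS:
        return "write"
    return "read" if frame.function_code in READ_FUNCTIONS else "other"

# Constructed sample frames, as a SPAN-port monitor would see them on TCP port 502.
SAMPLE_FRAMES = [
    bytes.fromhex("0001000000060103006b0003"),  # tid 1: read 3 holding registers from 0x6b
    bytes.fromhex("00020000000601060001ff00"),  # tid 2: write single register 1 := 0xff00
    bytes.fromhex("000300000003018302"),        # tid 3: exception response to function 3
]

def write_alerts(frames) -> list:
    """Return (transaction id, unit id, function name) for every write request seen."""
    alerts = []
    for raw in frames:
        frame = parse_modbus_tcp(raw)
        if classify(frame) == "write":
            alerts.append((frame.transaction_id, frame.unit_id, WRITE_FUNCTIONS[frame.function_code]))
    return alerts
```

In a real deployment the alert would be compared against a baseline of which HMI or engineering workstation is expected to write to which unit, since writes from an unexpected source are the "rogue commands" Benbenishti describes.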
Problem Area: Old Windows
Unsurprisingly, CyberX found that 76 percent of the industrial sites it studied are running outdated versions of Windows, including XP and 2000.
Microsoft no longer issues free security patches for those systems, and its advice is clear: Upgrade as quickly as possible to a supported OS. But the simple advice belies a much more complicated picture, where tight IT budgets and application compatibility issues often derail upgrade plans (see London Police Busted For Windows XP Possession).
Although Microsoft has been firm about not issuing free updates for older operating systems – without paying for pricey extended-support contracts – it did make an exception this year after the WannaCry ransomware outbreak. The malware spread using an exploit called EternalBlue that took advantage of a vulnerability in the Server Message Block version 1 protocol.
The NSA is suspected of developing EternalBlue. Somehow, a group calling itself The Shadow Brokers obtained the exploit along with other spy tools. Due to the rapid spread of WannaCry, Microsoft took the unprecedented step of issuing free patches for Windows XP, Windows 8 and Windows Server 2003 to fix the SMB v1 flaw.
CyberX warns that the use of old Windows versions, however, remains a potential train wreck for ICS environments.
“There are still hundreds or thousands of known vulnerabilities for older versions of Windows that will never be patched, making these Windows boxes ideal candidates for attackers to compromise,” it writes.
Air Gaps and Anti-Virus
CyberX’s report reveals a bevy of other alarming findings:
- Authentication: Nearly 60 percent of industrial sites have unencrypted, clear-text login credentials traveling across their networks. “These passwords can be easily sniffed by attackers performing reconnaissance,” CyberX says.
- Anti-virus: Close to half of organizations don’t use it on Windows endpoints. The reason? CyberX says it has heard that vendors of ICS systems will void warranties if anti-virus is installed, and organizations worry that anti-virus will affect human-machine interface performance. As a result, CyberX says it found 10 percent of organizations were unaware that they were suffering active malware infections, including outbreaks of WannaCry, NotPetya and the Conficker worm, which has been around for nearly a decade and would be immediately spotted and blocked by all modern anti-virus tools.
- Remote access: More than 80 percent of organizations run remote access protocols such as RDP, VNC and SSH, CyberX says. If exploited, they would allow an attacker to gain access to an organization’s network and then pivot to other systems. “As a result, remote access usage should be carefully monitored to ensure rapid detection of unauthorized or suspicious access,” it says.
- Air gaps: Although a good idea in theory, CyberX says air gaps don’t work well in practice. One-third of the industrial sites it studied still had internet-facing systems. The air gap barrier remains “permeable,” too: Attackers have stolen credentials from power station engineers, allowing them to move from IT networks to operational ones.