Combatting Critical Infrastructure’s Security Flaws


The latest security threat research into operational technology and industrial systems has identified around 56 issues that cyber criminals could use to instigate cyberattacks against critical infrastructure.

Unfixable

The problem is not just the number, but also the fact that many of the issues are classed as unfixable. This is due more to insecure protocols and architectural designs. It highlights a much larger security problem with the devices controlling electric grids and water supply.

Industrial control systems have these inherent vulnerabilities because of the way they have been designed, and there are no patches for them in the traditional sense. Forescout’s Vedere Labs unveiled 56 bugs in devices built by ten different vendors and gave the security flaws the collective name of OT:ICEFALL.

Many of the uncovered flaws are a direct result of OT products being built without even the most basic security controls. This comes only 10 years after Digital Bond’s Project Basecamp looked into OT devices and protocols that were labelled insecure by design. A few hours after Forescout revealed its research findings, CISA issued its OT:ICEFALL vulnerability security warnings.

CVEs

CVEs were not generated for insecure-by-design issues, mainly because it is bad for the industry. Once they are generated, a series of actions by industrial systems’ operators is put into motion – especially when it comes to heavily regulated industries such as electric utilities and the oil and gas sector.

Operators need to determine whether the environment contains any affected products. In OT environments, everything is distributed – unlike the enterprise IT sector, where centralised visibility and control over IT assets are key. Any products impacted by the vulnerability would trigger internal reviews and regulatory processes involving the response to CISA and the development of an improved security plan.

OT Protocols and Authentication

The recent analysis showcases 9 vulnerabilities related to unauthenticated protocols and disputes the case against assigning a CVE ID to products with insecure OT protocols.

The belief is that a CVE is a community-recognised marker that aids vulnerability visibility and actionability, helping to push vendors to fix issues and asset owners to assess risks and apply patches. Whilst this makes sense from an IT perspective, it becomes more unrealistic in an OT one – and fails to make critical infrastructure any more secure.

Many industrial controllers have similar problems that allow unauthorised code to run on the PLC, meaning one malicious logic transfer can permanently compromise the PLC. Because control logic is causing the change, it can happen outside of a normal firmware update.
