The Triton/Trisis attack, made public in August of 2017, was a major wake-up call for the industrial sector to take the cybersecurity risk to industrial operations even more seriously. What was initially thought to be an equipment failure on an emergency shutdown (ESD) system turned out to be a complex, well-engineered cyber attack. The attack was at first believed to have compromised two separate engineering systems; further investigation later revealed that six systems had been infected, at not one but two separate sites.
Now, 11 significant vulnerabilities, collectively named URGENT/11, have been identified in VxWorks, a highly popular operating system used in everything from firewalls and routers to industrial control systems and medical equipment. Estimates are that more than 2 billion devices may be impacted, including hundreds of thousands of operational technology (OT) systems. While the Triton/Trisis attack revealed that the earlier cyber defense strategies of “air gapping”, the “last line of defense” (also known as the Safety Instrumented System, or SIS) and “security by obscurity” were no longer valid, if they ever were, the URGENT/11 vulnerabilities clearly demonstrate just how widespread the security risk to OT systems still is in 2019.
Network defenses such as firewalls, IDPS or anomaly detection remain useful as part of a broader “defense in depth” strategy; used in isolation, however, they are insufficient to address the risks associated with VxWorks URGENT/11 and other vulnerabilities. It is important to know which vulnerabilities exist that may affect industrial control systems (ICS), but it is more important still to answer three questions: does a particular site use VxWorks, are those vulnerabilities actually present, and which industrial processes might be at risk? Deploying network signatures is a powerful detective control for understanding whether you are being attacked or have been attacked, but preventative controls need to be applied as well. It is those preventative controls that will reduce the threat to industrial processes when, not if, your network is compromised, and they also help to cut through the noise of false positives inherent in network defenses. Let’s take a closer look.
The nature and complexity of software and hardware design leaves significant opportunities for vulnerabilities to occur in OT systems, and this risk continues to grow as the scale of applications and systems has exploded over the last 50 years. Whether the threat is a zero-day attack, an exploit in the wild or a well-documented attack, one thing is certain: the defenders in the cyber security conflict are always in catch-up mode relative to the attackers. They have to be effective 100% of the time to keep the bad actors out, whilst the attacker needs just one exploit to work. Traditionally, cyber risk has been the perennial headache of the CIO and IT; however, with the increasing interconnectivity of OT and IT networks in support of digitalization and Industrie 4.0 initiatives, OT environments are now high-interest, high-risk targets.
Developing an effective response to these increasing threats requires a mix of capabilities, including active detection, passive analysis, and a foundation of deep inventory data about your ICS environment. Network detection, or deep packet inspection (DPI), is capable of active detection and passive analysis, but it is far more powerful when linked to an understanding of your ICS configurations. That link lets you focus on the alerts that matter most and reduce the false positives that arise from the continual rhythm of change in OT.
The need for a holistic approach that encompasses detection and prevention is more pressing in an environment where safety is the primary driver. Given that the average age of ICS equipment is somewhere between 18 and 20 years and that patching is a complex challenge, reliance on DPI alone makes it hard to get useful data over the ‘wire’ and to understand its context both quickly and accurately. This is because network packet inspection approaches generally rely on passive monitoring, which requires time to observe communications among devices. Active polling can also be used, but it puts additional traffic on often bandwidth-constrained OT networks, can disrupt other industrial process communications and lead to a safety incident, and may be frowned upon by your ICS providers. This is why building your inventory from configuration data, sourced from system back-ups, is a more effective approach: it builds your inventory more completely and more quickly, without the risks that come with actively probing the network.
Whether the issue is VxWorks or something else, it is highly likely not only that vulnerabilities exist in your OT environment but that there is a less than effective plan for applying remediation patches. This is so for a number of reasons, including the use of proprietary control systems, a lack of visibility into how they are configured, a lack of understanding of how a patch could cause an OT failure, and the sheer volume of devices, tens of thousands of them, in OT environments. However, you can improve your OT patch management process if you can determine which patches, on which devices, reduce the most risk. We might not be able to patch 5000 devices, but if we can identify the 50 most critical devices, and which of those contain exploitable vulnerabilities, we can concentrate our patch deployment efforts on those devices. Build a risk assessment process into your patch management process: you’ll likely spend a lot less time and money on patching, and reduce more risk. Patch smarter, not harder.
With a detailed inventory in place, you will be able to take preventative action: identify known vulnerabilities and patch the devices used in critical industrial processes first. When the next VxWorks URGENT/11 is announced, you will also be able to determine quickly whether that vulnerability resides in your OT environment, where, and which industrial processes are at risk. Armed with that knowledge, you can patch the most critical systems immediately and address the others during turnover and maintenance windows.
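The triage the preceding paragraphs describe (do I have it, where, which processes are at risk, and which of the critical few to patch first) can be run directly over an inventory built from configuration back-ups. The script below is an added example written for this page; it is not code from the original post or from any vendor product. Every device record, the process criticality weights, the exposure levels and the advisory's affected version range are constructed placeholders (the range is deliberately not the real URGENT/11 range); in practice the device records would be extracted from controller and HMI back-ups and the range taken from the vendor advisory.

```python
"""Inventory-driven triage for an OT vulnerability advisory.

Added example, not code from the original post or from any vendor.
Device records, process criticality weights and the advisory's affected
version range are all constructed placeholders; in practice the device
records come from configuration back-ups and the range from the vendor
advisory.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version string such as '6.9.4' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Device:
    name: str
    site: str
    process: str        # industrial process the device supports
    os_name: str
    os_version: Version
    exposure: int       # 1 = isolated cell, 2 = plant network, 3 = reachable from IT/DMZ


@dataclass(frozen=True)
class Advisory:
    ident: str
    os_name: str
    min_affected: Version   # inclusive lower bound
    fixed_in: Version       # exclusive upper bound (first fixed release)


# Constructed criticality weights (safety / production impact), 1 = low, 5 = highest.
PROCESS_CRITICALITY: Dict[str, int] = {
    "reactor_esd": 5,
    "water_treatment": 4,
    "boiler_control": 3,
    "plant_network": 2,
    "pipeline_pumping": 2,
}

# Constructed placeholder advisory: this version range is NOT the real URGENT/11 range.
ADVISORY = Advisory("PLACEHOLDER-ADV-1", "VxWorks", parse_version("6.5"), parse_version("7.0"))

# Constructed inventory, as it might be extracted from controller/HMI back-ups.
INVENTORY: List[Device] = [
    Device("plc-01", "site-a", "reactor_esd", "VxWorks", parse_version("6.9"), 2),
    Device("hmi-02", "site-a", "boiler_control", "VxWorks", parse_version("6.6"), 3),
    Device("rtu-03", "site-b", "pipeline_pumping", "VxWorks", parse_version("7.0"), 1),
    Device("sw-04", "site-b", "plant_network", "VxWorks", parse_version("6.8.2"), 3),
    Device("plc-05", "site-b", "reactor_esd", "OtherRTOS", parse_version("2.1"), 1),
    Device("sensor-06", "site-b", "water_treatment", "VxWorks", parse_version("6.4"), 2),
    Device("ctrl-07", "site-b", "water_treatment", "VxWorks", parse_version("6.5"), 1),
]


def is_affected(device: Device, advisory: Advisory) -> bool:
    """A device is affected if it runs the advisory's OS inside the affected range."""
    return (device.os_name == advisory.os_name
            and advisory.min_affected <= device.os_version < advisory.fixed_in)


def risk_score(device: Device, advisory: Advisory) -> int:
    """Simple risk = process criticality x network exposure; 0 when not affected."""
    if not is_affected(device, advisory):
        return 0
    return PROCESS_CRITICALITY.get(device.process, 1) * device.exposure


def summarise(inventory: List[Device], advisory: Advisory) -> dict:
    """Answer the three questions: do I have it, where, and which processes are at risk."""
    affected = [d for d in inventory if is_affected(d, advisory)]
    return {
        "have_it": bool(affected),
        "affected_count": len(affected),
        "sites": sorted({d.site for d in affected}),
        "processes": sorted({d.process for d in affected}),
    }


def prioritise(inventory: List[Device], advisory: Advisory, top_n: int) -> List[Device]:
    """Rank affected devices by risk so patching effort goes to the critical few first."""
    ranked = sorted((d for d in inventory if is_affected(d, advisory)),
                    key=lambda d: (-risk_score(d, advisory), d.name))
    return ranked[:top_n]


if __name__ == "__main__":
    print(summarise(INVENTORY, ADVISORY))
    for dev in prioritise(INVENTORY, ADVISORY, top_n=3):
        print(f"{dev.name:10} {dev.site:7} {dev.process:17} risk={risk_score(dev, ADVISORY)}")
```

With the constructed data, the ESD controller on the plant network and the IT-reachable HMI rank first, while the device already on the fixed release, the device on a different OS and the device below the affected range drop out of the list entirely, which is exactly the noise reduction the post argues a configuration-based inventory buys you over signatures alone. The scoring model (criticality times exposure) is deliberately simple; a real programme would fold in the vendor's severity rating and whether a compensating control already isolates the device.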
Securing OT presents unique challenges beyond those of securing IT systems. Network signatures are an important detective control; however, assuming a continuous state of compromise is also key. In OT cybersecurity, understanding how your industrial control systems are configured and which processes they support is a foundational requirement. Ultimately, where digital meets physical is where bad things happen, and a detailed understanding of the configuration of your OT environment is the crown jewel you need to reduce cyber risk and speed recovery efforts.
To get more perspective, read how 20 OT professionals are working to make their industrial operations more secure in our complimentary ebook.
- Relying on network defenses (firewall, IDPS, anomaly detection) in isolation is insufficient to address OT cyber risk, including the high-risk VxWorks URGENT/11 vulnerabilities
- A detailed ICS inventory will help you answer quickly: 1) Do I have it? 2) Where? and 3) crucially, Which of my processes are at risk?
- Deploying signatures is a powerful detective control, but preventative controls need to be applied as well