For as long as digital systems have controlled physical machines and their output, the question of how to secure them proportionately has existed. Manufacturing, agriculture, critical national infrastructure and healthcare, to name but a few, are industrial verticals which now more than ever need considered cybersecurity controls to protect the Operational Technology (OT) systems and equipment that interact with, and have an impact on, the physical environment.

Historically, in a simpler, less-connected world, industrial control and automation systems were designed to do a limited number of things, within a static decision-making framework. As such, these enabled systems to be isolated, self-contained, and easy to maintain and control.

However, as more sophisticated computer systems have been integrated into a variety of industrial environments, extending network connectivity for communication, increasing automation and applying dynamic, data-driven decision making, the level of interaction and interdependency between computer systems and physical machines, actuators and sensors has increased dramatically. Whilst this digital transformation brings many benefits, it also exposes traditionally isolated cyber-physical systems, often designed without cybersecurity in mind, to a wide range of cybersecurity threats. Against this growing threat landscape for industrial OT environments, security incidents such as the Colonial Pipeline ransomware attack and the more recently reported threats to the Sellafield nuclear facility underline the importance of such conversations across environments and industries which are rapidly digitalising.

Below is a Q&A from an IT Security Guru conversation with Dr Ryan Heartfield, CEO of Exalens, which will serve as a guide for any organisation working to secure the cyber-physical.

Can you outline the seriousness of cyber-physical threats for our audience?

They are nothing short of existential. While nobody denies the seriousness of data breaches for an organisation, or the compromise of sensitive documents by a hostile nation state, this damage can pale in significance when compared with the potential physical impacts present in a cyber-physical environment.

The key word is physical. While the threats of many cybersecurity incidents fall into the categories of business, economic or geopolitical threats, these are simply some of the byproducts of a category 1 cyber-physical threat. If a major piece of key national infrastructure (such as the National grid, or key parts of the food supply chain) were to be compromised by a cyberattack, not only would we see widespread economic impacts and geopolitical effects, but we would also risk serious societal unrest and physical danger.

What are the cultural barriers that prevent the adequate securing of cyber physical systems?

The first thing to mention is that companies who need to care about this absolutely do care about cybersecurity, as it pertains directly to business risk. However, asking if they care about cybersecurity is probably the wrong way to approach such conversations.

The key thing to ask instead would be ‘how much would a day’s downtime cost?’. If you can speak to people in senior industrial, manufacturing, or critical infrastructure positions about downtime, and preventing downtime (and therefore the associated reputational and financial losses), and how cyber resilience is now a key aspect of that requirement, then you are going to have a much more positive conversation.

An issue further down the chain of command is that when you go to the middle management of cybersecurity and IT professionals, and the plant managers of factories, operational friction appears. Cybersecurity teams are given a brief to lock down and monitor systems to prevent unauthorised system access, and more often than not, this can run contrary to and interfere with the needs of plant managers who ultimately are charged with keeping the factory up and running, as well as optimising processes and output. Somewhat paradoxically, engineers may even consider the introduction of increased cybersecurity controls across OT systems as a risk in and of itself to the safe and reliable operation of these systems.

As a result, whilst there are shades of grey in this argument, currently cybersecurity and industrial engineering teams view the same systems and environment through different lenses, one of enforcing security, and one of keeping the organisation moving – and crucially, profitable. The challenge here is to shape these lenses so that both sides see how they support each other in achieving their respective goals. This is not purely a technical challenge, but a cultural one between teams and evolving business process.

It is up to cybersecurity teams, and the wider leadership of organisations, to ensure that these two strands of the business understand that they are pulling towards the same goal, and that a robust cybersecurity policy in the long term will actually enable and improve efficiency and output, while reducing everyone’s risk. In essence, it can be a simple and clear answer to the plant manager’s conundrum: “What’s in it for me?”.

What can governments and regulators do to improve cyber-physical security?

The conversations that vendors can have with organisations hoping to secure their cyber physical environments can only achieve so much. It is up to the government to incentivise OES providers (Operators of Essential Services). The alternative to this is that organisations are forced into making security a priority by their own supply chain, which places them on a reactive, not proactive, footing.

Lots of legislation in the US has attempted to drive – arguably even force – some levels of security control in industrial sectors. The UK’s NCSC and Government know and understand this is a problem, and need to continue to build cybersecurity regulatory and compliance frameworks that detail the areas of cybersecurity you need to comply with. In fact, this is what the NCSC Cyber Assessment Framework (CAF) and NIS Principles are all about. However, most of the time frameworks are advisory, rather than mandatory. I would love to see similar controls placed on cyber physical industrial systems as we see on financial systems, which mean that if organisations fail to comply with implementing and maintaining standard, best practice security controls and policies, not only will their systems, supply chain, and reputation be at risk, but they will be liable financially for the downstream societal and economic impact, should their environments be compromised and disrupted.

An analogy I like to use often is that of driving a car; we require that our cars are fitted with and have functioning security and safety controls, like door locks, and brakes. And when we drive our cars, we continuously monitor the integrity of these controls, whilst keeping an eye out for threats on the road. In addition, we are required to pass a test proving that we can carry out these activities to a certain standard. Now, we get certified, and carry out best practices when driving, because the risks associated with not doing so are too great. I think it’s crucial that we get to this stage in terms of how we think about investing in and applying cybersecurity measures for cyber-physical systems that keep our critical industrial sectors running, especially as organisations continue to connect and automate these systems to achieve digital transformation across industrial operations.

To find out more about bridging the cyber physical gap, visit: https://www.exalens.com/

The post Q&A – Dr. Ryan Heartfield: 3 things to remember when securing your Industrial OT environment first appeared on IT Security Guru.

Researchers have discovered 8,000 exposed Virtual Network Computing (VNC) instances, which could put numerous global organisations at risk of remote compromise. The instances were managed by critical national infrastructure (CNI) organisations responsible for water treatment plants, manufacturing plants and research facilities.

VNC is a cross-platform screen-sharing system that lets a user view and control another computer remotely. Where a VNC server has authentication disabled, anyone who can reach it over the network can hijack the endpoint, and with it any industrial control systems the endpoint is connected to.

Etay Maor, Senior Director of Security Strategy at Cato Networks, comments; “VNCs are fundamentally appliances and each appliance needs to be carefully maintained, upgraded, and patched. It’s the same problem IT has long faced. Moving to a cloud-native SASE service allows critical infrastructure organisations to protect the infrastructure without compromising service delivery. They can apply virtual patches protecting internal infrastructure without having to actually update that infrastructure.”

The researchers warned that exposed VNC deployments could be exploited by malicious actors to sabotage systems, as well as to steal data, extort their victims and deploy ransomware. All firms running VNC should therefore immediately improve their security awareness training, review their access policies and ensure that appropriate firewalls are in place, so that VNC services are not reachable from the internet, and in particular never with authentication disabled. Beyond that, all devices must be patched and continuously monitored in order to avoid falling victim to this type of attack.
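One check a practitioner would want after a finding like this is to read the security-type list a VNC server sends at the start of the RFB handshake and see whether it offers type "None", which is exactly the "disabled authentication" condition described above. The parser below is an added example in C, not the researchers' tooling; the captures it runs on are constructed byte strings, not traffic from the exposed hosts. The handshake layout follows RFC 6143: a 12-byte version banner, then (for RFB 3.7 and 3.8) a count byte and that many type bytes, or (for RFB 3.3) a single big-endian 32-bit type, with a count or type of zero signalling a refusal followed by a reason string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFB security types from RFC 6143 section 7.1.2 plus common registered
 * extensions. Type 1 ("None") means the server grants the desktop with no
 * authentication at all, which is the exposure described above. */
enum { RFB_SEC_INVALID = 0, RFB_SEC_NONE = 1, RFB_SEC_VNCAUTH = 2,
       RFB_SEC_TLS = 18, RFB_SEC_VENCRYPT = 19 };

struct rfb_audit {
    int major, minor;   /* version from the server's 12-byte banner */
    int ntypes;         /* number of security types offered */
    uint8_t types[255];
    int no_auth;        /* 1 if type None is among the offered types */
    int refused;        /* 1 if the server aborted the handshake with a reason */
    char reason[64];
};

/* Parse the ProtocolVersion banner "RFB xxx.yyy\n". Returns 0 on success. */
int rfb_parse_version(const uint8_t *banner, size_t len, int *major, int *minor)
{
    char buf[13];
    if (len != 12 || memcmp(banner, "RFB ", 4) != 0 || banner[11] != '\n')
        return -1;
    memcpy(buf, banner, 12);
    buf[12] = '\0';
    return sscanf(buf, "RFB %3d.%3d", major, minor) == 2 ? 0 : -1;
}

/* A refusal is a big-endian u32 length followed by a reason string. */
static void rfb_copy_reason(const uint8_t *p, size_t len, struct rfb_audit *out)
{
    out->refused = 1;
    if (len < 4) return;
    size_t rlen = (size_t)p[0] << 24 | (size_t)p[1] << 16 | (size_t)p[2] << 8 | p[3];
    if (rlen > len - 4) rlen = len - 4;                   /* truncated capture */
    if (rlen > sizeof out->reason - 1) rlen = sizeof out->reason - 1;
    memcpy(out->reason, p + 4, rlen);
    out->reason[rlen] = '\0';
}

/* Parse the security message the server sends after the client echoes a
 * version. `banner` is the server's banner, `data` what followed the echo.
 * Returns 0 on success, -1 if the bytes are not a well-formed RFB handshake. */
int rfb_parse_security(const uint8_t *banner, size_t blen,
                       const uint8_t *data, size_t dlen, struct rfb_audit *out)
{
    memset(out, 0, sizeof *out);
    if (rfb_parse_version(banner, blen, &out->major, &out->minor) != 0)
        return -1;
    if (out->major < 3 || (out->major == 3 && out->minor < 7)) {
        /* RFB 3.3 (and older, per RFC 6143): the server picks one type and
         * sends it as a big-endian u32; 0 means failure followed by a reason. */
        if (dlen < 4) return -1;
        uint32_t t = (uint32_t)data[0] << 24 | (uint32_t)data[1] << 16 |
                     (uint32_t)data[2] << 8 | data[3];
        if (t == RFB_SEC_INVALID) rfb_copy_reason(data + 4, dlen - 4, out);
        else if (t > 255) return -1;
        else { out->types[0] = (uint8_t)t; out->ntypes = 1; }
    } else {
        /* RFB 3.7/3.8: u8 count then `count` type bytes; 0 means failure + reason. */
        if (dlen < 1) return -1;
        uint8_t n = data[0];
        if (n == 0) rfb_copy_reason(data + 1, dlen - 1, out);
        else if (dlen < 1u + n) return -1;
        else { memcpy(out->types, data + 1, n); out->ntypes = n; }
    }
    for (int i = 0; i < out->ntypes; i++)
        if (out->types[i] == RFB_SEC_NONE) out->no_auth = 1;
    return 0;
}

/* Verdict: 1 = unauthenticated access offered, 0 = not offered (or refused),
 * -1 = not a parseable RFB handshake (e.g. a non-VNC service on the port). */
int rfb_offers_no_auth(const uint8_t *banner, size_t blen,
                       const uint8_t *data, size_t dlen)
{
    struct rfb_audit a;
    if (rfb_parse_security(banner, blen, data, dlen, &a) != 0) return -1;
    return a.no_auth;
}

int main(void)
{
    /* Constructed captures, not traffic from the exposed hosts: the server's
     * banner and the security message that followed the client's version echo. */
    const struct { const char *label, *banner; const uint8_t *data; size_t dlen; } caps[] = {
        { "3.8, None+VNCAuth", "RFB 003.008\n", (const uint8_t *)"\x02\x01\x02", 3 },
        { "3.8, VNCAuth only", "RFB 003.008\n", (const uint8_t *)"\x01\x02", 2 },
        { "3.3, None",         "RFB 003.003\n", (const uint8_t *)"\x00\x00\x00\x01", 4 },
        { "3.8, refused",      "RFB 003.008\n", (const uint8_t *)"\x00\x00\x00\x00\x0d" "Access denied", 18 },
    };
    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++) {
        struct rfb_audit a;
        if (rfb_parse_security((const uint8_t *)caps[i].banner, 12, caps[i].data, caps[i].dlen, &a) != 0) {
            printf("%-18s malformed\n", caps[i].label);
            continue;
        }
        printf("%-18s no_auth=%d refused=%d reason=\"%s\"\n",
               caps[i].label, a.no_auth, a.refused, a.reason);
    }
    return 0;
}
```

To use it against a live host you are authorised to test, connect to TCP port 5900 (the default VNC port), read the first 12 bytes, send the same 12 bytes back, and feed what arrives next to `rfb_parse_security`. Two caveats: a "no" verdict is not proof that a password is required, because types 18 (TLS) and 19 (VeNCrypt) negotiate sub-types later in the handshake, including one with no authentication, which this parser does not follow; and a "yes" verdict is definitive, since the server has declared it will accept a client that authenticates with nothing.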

The post Over 8000 VNC instances left exposed, researchers find appeared first on IT Security Guru.

Armis, the unified asset visibility and security platform, has disclosed five critical vulnerabilities, collectively named TLStorm 2.0, in the implementation of TLS communications in multiple models of network switches. The vulnerabilities stem from the same design flaw identified in the original TLStorm vulnerabilities (discovered by Armis earlier this year), expanding the reach of TLStorm to millions of additional enterprise-grade network infrastructure devices.

In March 2022, Armis first disclosed TLStorm, three critical vulnerabilities in APC Smart-UPS devices. The vulnerabilities allow an attacker to gain control of Smart-UPS devices from the internet with no user interaction, resulting in the UPS overloading and eventually destroying itself in a cloud of smoke. The root cause of these vulnerabilities was a misuse of NanoSSL, a popular TLS library by Mocana. Using the Armis knowledgebase, a database of more than two billion assets, researchers identified dozens of devices using the Mocana NanoSSL library. The findings include not only the APC Smart-UPS devices but also two popular network switch vendors affected by a similar flawed use of the library. While UPS devices and network switches differ in function and in their level of trust within the network, the underlying TLS implementation issues allow for what the company calls “devastating consequences.”

The new TLStorm 2.0 research exposes vulnerabilities that could allow an attacker to take full control of network switches used in airports, hospitals, hotels and other organisations worldwide. The affected vendors are Aruba (acquired by HPE) and Avaya Networking (acquired by Extreme Networks). Armis found that both vendors have switches with remote code execution (RCE) vulnerabilities that can be exploited over the network, leading to:

  • Breaking of network segmentation, allowing lateral movement to additional devices by changing the behaviour of the switch
  • Data exfiltration of corporate network traffic or sensitive information from the internal network to the Internet
  • Captive portal escape

Armis says these findings are significant because they show that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure.

Barak Hadad, Head of Research at Armis said: “The TLStorm set of vulnerabilities are a prime example of threats to assets that were previously not visible to most security solutions, showing that network segmentation is no longer a sufficient mitigation and proactive network monitoring is essential. Armis researchers will continue to explore assets across all environments to make sure our knowledgebase of more than two billion assets is sharing the latest threat mitigations to all of our partners and customers.”

Captive Portals

A captive portal is the web page displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a login page that may require authentication, payment or other credentials that both the host and the user agree upon. They front a broad range of mobile and pedestrian broadband services, including cable and commercially provided Wi-Fi and home hotspots, and enterprise or residential wired networks such as apartment complexes, hotel rooms and business centres.

Using the TLStorm 2.0 vulnerabilities, an attacker can abuse the captive portal to gain remote code execution on the switch without authenticating. Once in control of the switch, the attacker can disable the captive portal altogether and move laterally into the corporate network.

Vulnerability Details and Affected Devices

Aruba

  • CVE-2022-23677 (CVSS 9.0) – NanoSSL misuse on multiple interfaces (RCE)
    • The NanoSSL library mentioned above is used throughout the firmware of Aruba switches for multiple purposes. In two main use cases the TLS connection made with the NanoSSL library is not secure and can lead to RCE:
      • Captive portal – A user of the captive portal can take control of the switch prior to authentication.
      • RADIUS authentication client – A flaw in the handling of the RADIUS connection could allow an attacker able to intercept that connection via a man-in-the-middle attack to gain RCE on the switch with no user interaction.
  • CVE-2022-23676 (CVSS 9.1) – RADIUS client memory corruption vulnerabilities
    • RADIUS is an authentication, authorisation and accounting (AAA) client/server protocol that allows central authentication of users who attempt to access a network service. The RADIUS server responds to access requests from network services that act as clients: it checks the information in the access request and responds with an authorisation of the access attempt, a rejection, or a challenge for more information.
    • There are two memory corruption vulnerabilities in the RADIUS client implementation of the switch; they lead to heap overflows of attacker-controlled data. This can allow a malicious RADIUS server, or an attacker with access to the RADIUS shared secret, to execute code remotely on the switch.

Aruba devices affected by TLStorm 2.0:

  • Aruba 5400R Series
  • Aruba 3810 Series
  • Aruba 2920 Series
  • Aruba 2930F Series
  • Aruba 2930M Series
  • Aruba 2530 Series
  • Aruba 2540 Series

Avaya management interface pre-auth vulnerabilities

The attack surface for all three Avaya vulnerabilities is the web management portal, and none of them requires any form of authentication, making this a zero-click vulnerability group.

  • CVE-2022-29860 (CVSS 9.8) – TLS reassembly heap overflow
    • This is similar to CVE-2022-22805, which Armis found in APC Smart-UPS devices. The process handling POST requests on the web server does not properly validate the NanoSSL return values, resulting in a heap overflow that can lead to remote code execution.
  • CVE-2022-29861 (CVSS 9.8) – HTTP header parsing stack overflow
    • An improper boundary check in the handling of multipart form data, combined with a string that is not null-terminated, leads to an attacker-controlled stack overflow that may lead to RCE.
  • HTTP POST request handling heap overflow (no CVE)
    • A flaw in the handling of HTTP POST requests, due to missing error checks on calls into the Mocana NanoSSL library, leads to a heap overflow of attacker-controlled length, which may lead to RCE. This vulnerability has no CVE because it was found in a discontinued Avaya product line, meaning no patch will be issued; Armis data shows these devices can still be found in the wild.
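The bug class behind CVE-2022-29860 and the un-numbered POST handler flaw above is a TLS library return value, or an attacker-supplied length, used unchecked as a copy size into a heap buffer. The C below is an added illustration of that class and its fix, not Armis's proof of concept and not the switch firmware: `tls_read`, the error code `TLS_ERR_WOULDBLOCK`, the fake transport and the simulated heap arena are all hypothetical stand-ins, modelled only on the convention the page reports (the library signals errors through its return value). The vulnerable handler overruns a 64-byte allocation into the bytes that stand in for the next heap chunk's header; the hardened one bounds the length before reading and treats a negative return as an error, never as a length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical embedded-TLS read (NOT the NanoSSL API): returns the number of
 * bytes read, or a NEGATIVE error code. The struct stands in for a socket so
 * the example runs offline. */
#define TLS_ERR_WOULDBLOCK (-5)          /* hypothetical error code */

struct fake_tls { const uint8_t *data; size_t len; size_t off; int err; };

int tls_read(struct fake_tls *t, uint8_t *out, size_t want)
{
    if (t->err) return t->err;           /* error path: a negative number, not a length */
    size_t n = t->len - t->off;
    if (n > want) n = want;
    memcpy(out, t->data + t->off, n);
    t->off += n;
    return (int)n;
}

/* Simulated heap: arena[0..BODY_CAP) is the request-body allocation and the four
 * bytes after it stand in for the next chunk's header. Seeding them with a canary
 * makes an overflow visible without corrupting real allocator metadata. */
#define BODY_CAP  64
#define ARENA_LEN 512
static const uint8_t CANARY[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

void arena_init(uint8_t *arena) { memset(arena, 0, ARENA_LEN); memcpy(arena + BODY_CAP, CANARY, 4); }
int arena_header_intact(const uint8_t *arena) { return memcmp(arena + BODY_CAP, CANARY, 4) == 0; }

/* VULNERABLE: Content-Length is trusted and the tls_read() result is used as a
 * length without checking its sign or the remaining capacity. Only call it with
 * input that stays inside the arena; a negative return would cast to a huge size_t. */
int read_body_vulnerable(struct fake_tls *t, uint8_t *body, size_t content_length)
{
    uint8_t chunk[256];
    size_t total = 0;
    while (total < content_length) {
        int n = tls_read(t, chunk, sizeof chunk);
        if (n == 0) break;
        /* BUG 1: n < 0 (an error code) becomes a huge size_t.
         * BUG 2: total + n is never compared with the allocation size. */
        memcpy(body + total, chunk, (size_t)n);
        total += (size_t)n;
    }
    return (int)total;
}

/* HARDENED: reject an oversized body before reading, treat a non-positive return
 * as an error, and never copy more than the capacity that remains. */
int read_body_hardened(struct fake_tls *t, uint8_t *body, size_t cap, size_t content_length)
{
    uint8_t chunk[256];
    size_t total = 0;
    if (content_length > cap) return -1;                 /* reject before touching the heap */
    while (total < content_length) {
        size_t want = content_length - total;
        if (want > sizeof chunk) want = sizeof chunk;
        int n = tls_read(t, chunk, want);
        if (n <= 0) return -1;                           /* error code or premature EOF */
        if ((size_t)n > cap - total) return -1;          /* defence in depth */
        memcpy(body + total, chunk, (size_t)n);
        total += (size_t)n;
    }
    return (int)total;
}

/* Scenarios on constructed input (an attacker-sized POST body, not captured traffic).
 * Each returns 1 when the behaviour described in its name was observed. */
int demo_vulnerable_clobbers_header(void)
{
    static uint8_t arena[ARENA_LEN], payload[96];
    memset(payload, 'A', sizeof payload);
    struct fake_tls t = { payload, sizeof payload, 0, 0 };
    arena_init(arena);
    read_body_vulnerable(&t, arena, sizeof payload);    /* "Content-Length: 96" into 64 bytes */
    return !arena_header_intact(arena);                  /* neighbouring header overwritten */
}
int demo_hardened_rejects_oversize(void)
{
    static uint8_t arena[ARENA_LEN], payload[96];
    memset(payload, 'A', sizeof payload);
    struct fake_tls t = { payload, sizeof payload, 0, 0 };
    arena_init(arena);
    return read_body_hardened(&t, arena, BODY_CAP, sizeof payload) == -1 && arena_header_intact(arena);
}
int demo_hardened_rejects_tls_error(void)
{
    static uint8_t arena[ARENA_LEN], payload[32];
    struct fake_tls t = { payload, sizeof payload, 0, TLS_ERR_WOULDBLOCK };
    arena_init(arena);
    return read_body_hardened(&t, arena, BODY_CAP, sizeof payload) == -1 && arena_header_intact(arena);
}
int demo_hardened_accepts_valid(void)
{
    static uint8_t arena[ARENA_LEN], payload[32];
    memset(payload, 'B', sizeof payload);
    struct fake_tls t = { payload, sizeof payload, 0, 0 };
    arena_init(arena);
    int r = read_body_hardened(&t, arena, BODY_CAP, sizeof payload);
    return r == 32 && memcmp(arena, payload, 32) == 0 && arena_header_intact(arena);
}

int main(void)
{
    printf("vulnerable handler overwrote next chunk header: %d\n", demo_vulnerable_clobbers_header());
    printf("hardened rejects oversized Content-Length:      %d\n", demo_hardened_rejects_oversize());
    printf("hardened rejects negative tls_read return:      %d\n", demo_hardened_rejects_tls_error());
    printf("hardened accepts a well-formed body:            %d\n", demo_hardened_accepts_valid());
    return 0;
}
```

The ordering in the hardened version matters: the length check happens before any read, so a request that declares a body larger than the allocation is refused without the switch ever allocating or reading for it, and the sign check on the return value is separate from the capacity check, because either one alone still leaves an exploitable path.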

Avaya devices affected by TLStorm 2.0:

  • ERS3500 Series
  • ERS3600 Series
  • ERS4900 Series
  • ERS5900 Series

Updates and Mitigations

Aruba and Avaya collaborated with Armis on this matter, and customers were notified and issued patches to address most of the vulnerabilities. To the best of our knowledge, there is no indication the TLStorm 2.0 vulnerabilities have been exploited.

Organisations deploying impacted Aruba devices should patch them immediately with the fixes published in the Aruba Support Portal.

Organisations deploying impacted Avaya devices should check the security advisories in the Avaya Support Portal immediately.

Armis customers can immediately identify vulnerable devices in their environments and begin remediation. Armis also offers a consultation with its experts and a demonstration of its award-winning unified asset visibility and security platform.

Armis experts will present the TLStorm research at Black Hat Asia 2022 (May 10-13, 2022) in the talk “Like Lightning From the Cloud: Finding RCEs in an Embedded TLS Library and Toasting a Popular Cloud-connected UPS”.

The post TLStorm 2.0 – Airports, hospitals, hotels and enterprises at risk to new vulnerabilities appeared first on IT Security Guru.