Vulnerabilities in OT systems: how to deal with it?

The number of vulnerabilities disclosed in OT systems has been growing consistently over the past few years and is expected to keep growing.
Vedere Labs, Forescout's research team, recently found and disclosed a set of 56 vulnerabilities affecting 10 major OT device manufacturers. These vulnerabilities fall into four main categories - insecure engineering protocols, weak cryptography or broken authentication, insecure firmware updates, and remote code execution. The majority of them allow for compromise of credentials, where an attacker can obtain sensitive credentials to take over control of a device, but other impacts include remote code execution, where an attacker can inject malicious code to run on a device, denial of service, where an attacker can prevent a device from working as intended, and manipulation of files, logic, or firmware.
Attackers can exploit them in different ways, usually by having network access to a device and being able either to listen to ongoing network traffic or to send network packets targeting those devices.
Daniel dos Santos, Head of Research at Forescout Technologies, tells the VARINDIA team more about these vulnerabilities:
Is it true that OT vulnerabilities occur due to a lack of basic security controls (in legacy systems), encryption and proper authentication?
Daniel dos Santos: It is true in many cases, as operational technology (OT) devices and protocols frequently assume that anyone dealing with them is not an attacker. There are two main types of vulnerabilities - those caused by mistakes in software development (such as buffer overflows and logic flaws that we disclosed in the past as part of Project Memoria) and those caused by a lack of design considerations, such as missing encryption and authentication. These are much rarer in IT or IoT devices nowadays, but are still very common in OT.
What measures need to be taken by equipment manufacturers to avoid such vulnerabilities, since most of them were reported to have been a result of insecure design processes?
Daniel dos Santos: Many manufacturers have already started designing secure alternatives to existing insecure protocols and equipment by adding functions such as authentication, encryption and software integrity verification. The main problem is that because of the long lifecycles of OT equipment deployed at asset owner networks (which can be up to 20 years), this new equipment will take a long time to replace existing technology. In the meantime, some functionality can be fixed via patches (for instance, integrity verification) but others are more difficult (for instance, adding encryption to communications) because it would require changing an entire system with many devices to operate using a new protocol.
We always encourage equipment manufacturers to run a coordinated vulnerability disclosure program that collaborates with researchers and customers to investigate and resolve cybersecurity vulnerabilities efficiently. It is important that manufacturers are transparent about the risks and share information with their customers and the larger security community, as these insights are crucial to managing the risks of industrial environments. Any remediation steps, such as disabling extra services on the vulnerable device or patching, should be quickly communicated so affected organizations can plan their response actions.
It is said that vulnerabilities in OT systems are set to grow to varying degrees in future. How far is it true?
Daniel dos Santos: With the rapid pace at which computing and communication tech is evolving and the increasing reliance we have on IT infrastructure to enable remote collaboration, we are seeing an increase in attacks.
Additionally, a new attack path, known as Ransomware for IoT (or R4IoT), has emerged with the rise in connected devices in the organisation. Next-generation ransomware uses IoT devices as a means of initial entry and lateral movement to IT and OT systems with the intention of physically interrupting business operations. As OT systems become more connected and play an increasingly important role in our society (e.g., smart power grid, smart buildings), we will see an increase in OT and IoT device security scrutiny, leading to more vulnerabilities being discovered.
What is OT vulnerability management?
Daniel dos Santos: Vulnerability management is the process of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities in an environment. OT vulnerability management is complicated by a few factors, such as the long lifecycles of equipment, the difficulty of patching when devices have to be taken offline, and safety considerations from potential cyberattacks, for instance. In the end, the main decision in vulnerability management is whether to patch now, later or never, and in the latter two cases what can be done to mitigate risks while the vulnerabilities are not patched.