In fall 2019, 11 flaws in an obscure component of certain operating systems used to run everything from neonatal incubators to power plant controllers forced companies around the world to reexamine the security of their networked industrial control systems (ICS). These flaws in the Wind River VxWorks real-time operating system—dubbed the URGENT/11—spurred security researchers to examine network stacks in other devices for similar flaws. Since then, researchers have discovered Ripple20, AMNESIA:33, and other batches of vulnerabilities affecting millions of devices.
Most of these flaws affect devices using what we think of as internet protocols (e.g., HTTP, DNS, and ICMP), but many other devices communicate using specialized ICS protocols that run on top of the same type of vulnerable network stack. This means that, much as researchers have discovered dangerous network stack vulnerabilities in traditional internet-connected devices, attackers will likely find and exploit vulnerabilities in ICS devices, where organizations may not even know to look for such security issues.
Securing ICS Networks
Because ICS networks control machines performing mechanical actions, the potential consequences of a security breach go beyond the destruction or disclosure of data—they could include physical damage to materials, equipment, or even people. Thus, securing these networks is particularly important and challenging. Here are some key points to consider in keeping these networks safe.
- Go Beyond Segmentation: IT networks with different security needs are usually segmented with a firewall or gateway controlling the flow of traffic between them. Consider physically separating or “air gapping” ICS networks from other networks. That means ensuring that no device is connected to the ICS and IT networks simultaneously, thereby potentially acting as a bridge for intruders. USB drives and other devices transferring data between the networks should be restricted and subject to increased scrutiny.
- Watch for Abnormalities: One security advantage of ICS networks is that industrial processes and related network activity should generally be repetitive and highly predictable. Deploying network intrusion detection systems that analyze patterns in network traffic can help security personnel detect malicious activity early—even if the exploit or attack has never before been observed.
- Physically Protect: Many ICS devices have limited or no capacity for authentication beyond the requirement for physical access. This means that anyone who can reach the device can control it. Old-fashioned site security and physical access management are the only way to manage this risk. This is difficult, but all the more critical for ICS environments in remote areas with no human presence most of the time.
- Establish an Acquisition Lifecycle: Just as with IT equipment, keeping an ICS device’s full lifecycle in mind can help to reduce security risks. New equipment should be bought from trusted vendors with audited supply chains. Organizations should also determine in advance if and how the vendor provides security updates. Data about the supply chain and points of contact for each piece of equipment should be retained in case of a malfunction or suspected security issue. Organizations should also keep standard operation procedures for replacement and decommissioning.
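As an added example (not from the original article), the "Watch for Abnormalities" point above in code: a minimal baseline-and-deviation detector in Python, run over constructed flow records. It learns which host pairs talk and how regularly, then alerts on a host pair absent from the baseline and on a poll that arrives off its usual cycle. The hosts, port, intervals and thresholds are assumed values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (timestamp_s, src, dst, dport) standing in for what a
# network sensor would export: two controllers polled every 5 s by one supervisory host.
BASELINE = [(t, "10.1.0.10", "10.1.0.50", 102) for t in range(0, 600, 5)] + \
           [(t + 2, "10.1.0.10", "10.1.0.51", 102) for t in range(0, 600, 5)]

def learn_baseline(flows):
    # Record every (src, dst, dport) tuple seen and the typical gap between its polls.
    seen = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        seen[(src, dst, dport)].append(ts)
    profile = {}
    for key, times in seen.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        profile[key] = (mean(gaps), pstdev(gaps)) if len(gaps) > 1 else (None, None)
    return profile

def detect(profile, flows, z=4.0, floor=1.0):
    # Alert on flows never seen in the baseline and on polls whose spacing drifts
    # more than z standard deviations (but at least `floor` seconds) from the norm.
    alerts, last = [], {}
    for ts, src, dst, dport in sorted(flows):
        key = (src, dst, dport)
        if key not in profile:
            alerts.append((ts, key, "flow never seen in baseline"))
            continue
        mu, sigma = profile[key]
        if key in last and mu is not None:
            gap = ts - last[key]
            if abs(gap - mu) > max(z * sigma, floor):
                alerts.append((ts, key, f"poll gap {gap}s vs baseline {mu:.1f}s"))
        last[key] = ts
    return alerts

# Constructed observation window: normal polls, then an off-cycle poll and a new host.
OBSERVED = [
    (600, "10.1.0.10", "10.1.0.50", 102), (605, "10.1.0.10", "10.1.0.50", 102),
    (610, "10.1.0.10", "10.1.0.50", 102), (611, "10.1.0.10", "10.1.0.50", 102),
    (612, "10.1.0.99", "10.1.0.50", 102),
]

def run_demo():
    return detect(learn_baseline(BASELINE), OBSERVED)
```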
Wild Cards in Network Stacks
Because of their limited computational resources, many ICS devices use proprietary serial interfaces for data transfer. However, an increasing number use ICS protocols built on top of TCP/IP, the protocol of the public internet. These “industrial ethernet” systems have advantages in terms of data throughput, network architecture, and convenience, especially over long distances. The ability to use the same network hardware for both ICS and IT networks can also reduce costs.
BACnet, IEC 61850, EtherCAT, PROFINET, and POWERLINK are among the ICS communication protocols that run on top of the TCP/IP stack. ICS devices communicating using these protocols must run code that’s similar to what’s used in the network stacks where security researchers have been finding more and more vulnerabilities.
Moreover, including network stacks in operating systems and completed devices—an increasingly common practice among original equipment manufacturers (OEMs)—further creates a situation in which the network stack and similar software components are subject to little or no review. Generally, organizations purchase new devices directly from an OEM. The OEM licenses the operating system on the device from a developer. The developer could write the network stack for the operating system from scratch, but almost always licenses one from another developer or adopts an open source implementation.
ICS Networks Are Blind Spots for Defenders, Not Attackers
Why are network stacks home to such dangerous vulnerabilities in the first place? For starters, their ubiquity and the fact that they handle data supplied by attackers and other devices on the network mean that they are highly exposed. This makes them prime targets for vulnerability discovery and exploitation. Network stacks—particularly TCP/IP stacks—must implement many protocol and feature requirements in order to process all the different types of network traffic that could exist on an IP network.
Among these features are ones that are obsolete or practically never used, even though they are still specified in the protocol standards. For example, the TCP “urgent” flag is virtually never used today, but is still part of the TCP specification. Network stacks still include code to handle obsolete features, even if the data is ultimately filtered or blocked. But because they are so rarely used, that code is less likely to be thoroughly tested in development or production, creating the possibility that flaws in it will not be discovered and patched.
No cases of threat actor groups exploiting such vulnerabilities in the course of compromising a victim organization have been publicly reported. But many threat actors—both cybercriminal and state-sponsored—have targeted ICS environments in the past, including ransomware operators and nation-state actors.
Mitigating ICS Network Stack Vulnerabilities
Eventually, developers will need to redefine what is needed in network stacks for different operating environments, depending on what protocol features have legitimate use cases. Network data depending on obsolete protocol features will need to be dropped without any further processing in order to reduce the network attack surface.
For now, ICS network administrators can use network intrusion prevention systems to accomplish similar goals: dropping network traffic that uses unexpected features. Developers should also take the opportunity to review network stacks for coding oversights, much as security researchers are doing. Finally, proper monitoring of ICS environments and robust vulnerability management can help organizations stay ahead of future threat actor tactics.
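As an added example (not from the original article), the kind of rule an inline filter could apply to the TCP “urgent” feature discussed above and to the general goal of dropping traffic that uses unexpected features: a small Python inspector that parses constructed IPv4/TCP frames, flags segments that set the URG flag or urgent pointer, and flags any TCP option kind outside an allowlist. The allowlist, the sample packets and the use of port 102 are assumptions for illustration.

```python
import struct
# Allowlist of TCP option kinds assumed to have a legitimate use on this network:
# 0 end-of-list, 1 NOP, 2 MSS, 3 window scale, 4/5 SACK, 8 timestamps.
ALLOWED_OPTIONS = {0, 1, 2, 3, 4, 5, 8}
TCP_URG = 0x20  # URG bit in the TCP flags byte

def build_ipv4_tcp(src, dst, sport, dport, flags, urg_ptr=0, options=b""):
    # Construct a minimal IPv4+TCP frame for testing (checksums left as zero).
    options += b"\x00" * (-len(options) % 4)  # pad options to 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, ((20 + len(options)) // 4) << 4,
                      flags, 8192, 0, urg_ptr) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def inspect_tcp(packet):
    # Return the reasons a TCP segment uses unexpected features; empty list = pass.
    tcp = packet[(packet[0] & 0x0F) * 4:]            # skip IPv4 header (IHL)
    data_offset = (tcp[12] >> 4) * 4
    flags, urg_ptr = tcp[13], struct.unpack("!H", tcp[18:20])[0]
    reasons = []
    if flags & TCP_URG or urg_ptr:
        reasons.append("urgent flag or urgent pointer set")
    opts, i = tcp[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind not in ALLOWED_OPTIONS:
            reasons.append(f"option kind {kind} not allowlisted")
        if kind == 0:                                 # end of option list
            break
        if kind == 1:                                 # NOP carries no length byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:                                # would loop forever or overrun
            reasons.append("malformed option length")
            break
        i += length
    return reasons
# Constructed samples: a SYN with MSS (legitimate), a segment using URG, and a SYN
# carrying the old TCP Echo option (kind 6), which is not on the allowlist.
SAMPLES = {
    "plain_syn": build_ipv4_tcp("10.1.0.10", "10.1.0.50", 40001, 102, 0x02, options=b"\x02\x04\x05\xb4"),
    "urgent": build_ipv4_tcp("10.1.0.10", "10.1.0.50", 40001, 102, 0x38, urg_ptr=1),
    "echo_opt": build_ipv4_tcp("10.1.0.10", "10.1.0.50", 40002, 102, 0x02, options=b"\x06\x06\x00\x00\x00\x00"),
}

def filter_verdicts(samples=SAMPLES):
    # Map each sample to 'drop' or 'pass', as an inline IPS rule would decide.
    return {name: ("drop" if inspect_tcp(pkt) else "pass") for name, pkt in samples.items()}
```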