2014 April

Heartbleed, Internet Explorer 0-Day Bug, and Why This Should Matter to the ICS / SCADA Community

Are you getting a headache from all of the news about Heartbleed? If you are plugged into the constant flow of cyber threat intelligence, then you know that the number of products affected by this vulnerability continues to grow by the day. The ICS-CERT team has released an advisory warning that several products from Siemens, Innominate, and other Industrial Control System vendors are vulnerable to the Heartbleed attack. Since OpenSSL is deployed on more than half of the SSL-protected web servers worldwide, and the same library is also used in embedded devices, it is easy to see why the list of affected Industrial Control products will only continue to grow.

I have talked to several of our ICS / SCADA asset owner clients about Heartbleed, and the typical first response that I get is apathy. Automation and control engineers operate under the mindset that since these embedded devices, hardware, and software are deployed behind one or more firewalls, they do not have to worry so much about keeping them up to date with the latest patches and firmware. They tend to view these security bulletins and advisories as something that their “Corporate IT or Security groups need to worry about.” They often do not understand how cyber security vulnerabilities relate to operational risk. This is a really big issue in our community, and it is why we are addressing it in this month’s technical briefing.

Just as we were getting our systems all patched up from the Heartbleed issues, we then had to deal with the Internet Explorer 0-day vulnerability (CVE-2014-1776). It allows malicious or compromised websites to execute a script that gives a hacker the same rights on the computer as the current user. If the user logs in to their computer under the administrator account or an account with administrative privileges, it gives the hacker full control over the PC. Microsoft thought that this was such a nasty vulnerability that they released a patch outside of their typical patch cycle. When I asked several of our industrial control clients if they were scrambling to get their SCADA and DCS systems all patched up, many said that their vendors had not approved the out-of-cycle Microsoft patch. I thought that they would have a bit more concern about this issue, but again most were not concerned at all. One engineer told me: “Our SCADA environment does not have routable access out to the Internet, so we really don’t have to worry about these Internet Explorer issues.”

I am seeing a trend across the board that most SCADA, DCS, and ICS support teams are just not concerned about cyber security vulnerabilities. Even the nasty 0-day vulnerabilities that Microsoft admits require an immediate patch seem to get brushed to the side, and SCADA teams are not making an aggressive remediation plan for addressing these issues. I think the source of this mindset lies in the belief that these cyber threats come from the Internet, and thus only affect Internet-connected systems. What most fail to understand is that while this particular vulnerability is most easily exploited by accessing compromised Internet web sites, the vulnerability can also be exploited by malware that is routed into the environment over the network or brought into the environment on USB sticks, laptops, and other local media. SCADA, DCS, and industrial control systems are not typically isolated, and even the ones that are air gapped still require technicians to bridge that air gap to carry updates across to the protected side.

Simply having vulnerable devices, hardware, and software that are not patched is an operational risk regardless of the architecture or layers of security placed in front of them. It has been about 4 years since the Stuxnet virus went public, and you would think that our community would have learned from that lesson. There was no patch for Stuxnet when it hit, and it affected isolated, air-gapped systems.

Now that patches exist for these vulnerabilities, it is much more important to apply them, for the following reason. When a vulnerability is not well known or public, the number of threat actors that can make use of the vulnerability is small, which makes the likelihood of an incident also very small. Usually this only affects the specific targeted victim. Once a vulnerability goes public, it starts a global cyber race for compromised systems. All of the exploit creators rush to embed an exploit for the vulnerability into their rootkits, viruses, trojans, and other malware, and each compromised victim grows the botnet armies under their command and control. The exploit code morphs as copycat versions take prior work and add their own twist to the exploitation process. Soon, often as early as a few days after the initial public disclosure, there are already hundreds of variants of the exploit in the wild.

While I agree that strong perimeter protection and a layered defense approach can reduce operational risk, this does not mean that we can rest our feet on the table and never apply security updates to those devices behind the SCADA firewalls. Here are a few practical tips for our ICS / SCADA community:

  1. Make sure that someone with security responsibility for the ICS / SCADA environment is plugged into live, 24-hour cyber threat intelligence.
  2. Remember that not all cyber threats have an impact on the particular control system products deployed at your facility, so ensure that you have an up-to-date inventory. Then, as new threat intelligence is analyzed, someone can compare these threats against an accurate inventory and know whether further action is required.
  3. Develop and exercise a threat remediation plan on an ongoing basis. If a cyber security threat advisory does affect your control system, then who should be contacted? Who carries out the action plan to remediate the threat? Usually this is different for each type of equipment, so ensure that you build an organizational sheet with contact names for each system layer. This should include specific contacts for the historians, HMI consoles, engineering workstations, communications infrastructure, protocols, and field devices.
  4. Make sure that you have built a good relationship with your control system vendors, and know whom to contact within each of your major vendors when a vulnerability is discovered that requires a patch or update.
  5. Make sure you know what procedures should be followed when applying an update to a live operational system.
  6. Ensure that the roles, responsibilities, and governance model for cyber security of the ICS and SCADA infrastructure are documented and well understood by all involved.
  7. Produce monthly reports showing the threats each month that impacted the ICS / SCADA systems, what remediation plans were followed, which systems have been updated, and which systems are still vulnerable.
  8. Use this information to build statistics that measure your support team's effectiveness and ability to react to new cyber threats.
  9. Give visibility to this process by involving the appropriate senior management within the company.
  10. Raise the awareness of cyber security threats so that security can become an integral part of the company culture, just like safety.
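Tips 2 and 7 above describe a process that is easy to automate once an inventory exists: compare each new advisory against the asset list, then track which of the exposed assets have been updated. The script below is an added example written for this briefing, not a tool from the author or from any vendor. Every vendor, product, version, asset id and advisory id in it is a constructed placeholder (the "ExampleVendor" names are not real products, and "EXAMPLE-2014-001" is not a real advisory). Version strings are compared numerically rather than as text, which matters for embedded firmware where "10.0" must sort after "9.2".

```python
"""Match a vendor advisory against an ICS asset inventory and summarise
remediation status per system layer.

Added example. All names, versions and ids below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    asset_id: str
    layer: str       # historian, hmi, engineering_workstation, field_device, ...
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class AffectedProduct:
    vendor: str
    product: str
    fixed_in: Optional[str]   # first fixed version; None means no fix published yet


@dataclass
class Advisory:
    advisory_id: str
    title: str
    affected: List[AffectedProduct] = field(default_factory=list)


def parse_version(text: str) -> tuple:
    """Turn "2.1.0b" into (2, 1, 0): only the numeric components are compared."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_lt(a: str, b: str) -> bool:
    """Numeric version comparison, padding with zeros so "2.1" == "2.1.0"."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb


def is_exposed(asset: Asset, ap: AffectedProduct) -> bool:
    """An asset is exposed when vendor and product match and it runs a version
    below the first fixed release (or no fix exists yet)."""
    if asset.vendor.lower() != ap.vendor.lower():
        return False
    if asset.product.lower() != ap.product.lower():
        return False
    if ap.fixed_in is None:
        return True
    return version_lt(asset.version, ap.fixed_in)


def match_advisory(inventory: List[Asset], advisory: Advisory) -> List[Asset]:
    """Return the inventory assets the advisory applies to, sorted by asset id."""
    hits = [a for a in inventory if any(is_exposed(a, ap) for ap in advisory.affected)]
    return sorted(hits, key=lambda a: a.asset_id)


def remediation_status(affected: List[Asset], patched_ids: Set[str]) -> Dict[str, Dict[str, int]]:
    """Per-layer counts of exposed assets that have been updated vs. still vulnerable,
    the raw numbers behind the monthly report in tip 7."""
    status: Dict[str, Dict[str, int]] = {}
    for a in affected:
        entry = status.setdefault(a.layer, {"updated": 0, "vulnerable": 0})
        entry["updated" if a.asset_id in patched_ids else "vulnerable"] += 1
    return status


# Constructed sample inventory and advisory (placeholders, not real products).
INVENTORY = [
    Asset("HIST-01", "historian", "ExampleVendor", "ExampleHistorian", "4.2.1"),
    Asset("HMI-01", "hmi", "ExampleVendor", "ExampleHMI", "3.0.5"),
    Asset("HMI-02", "hmi", "ExampleVendor", "ExampleHMI", "3.1.0"),
    Asset("EWS-01", "engineering_workstation", "OtherVendor", "ExampleEWS", "7.0"),
    Asset("GW-01", "field_device", "ExampleVendor", "ExampleGateway", "2.0.9"),
    Asset("GW-02", "field_device", "ExampleVendor", "ExampleGateway", "2.1"),
]

ADVISORY = Advisory(
    "EXAMPLE-2014-001",
    "Placeholder: TLS library flaw in several vendor products",
    [
        AffectedProduct("ExampleVendor", "ExampleGateway", fixed_in="2.1.0"),
        AffectedProduct("ExampleVendor", "ExampleHMI", fixed_in="3.1.0"),
        AffectedProduct("ExampleVendor", "ExampleHistorian", fixed_in=None),
    ],
)

if __name__ == "__main__":
    exposed = match_advisory(INVENTORY, ADVISORY)
    print(f"{ADVISORY.advisory_id}: {len(exposed)} exposed asset(s)")
    for a in exposed:
        print(f"  {a.asset_id:8} {a.layer:24} {a.product} {a.version}")
    # Pretend HMI-01 was patched during the maintenance window.
    for layer, counts in sorted(remediation_status(exposed, {"HMI-01"}).items()):
        print(f"  {layer:24} updated={counts['updated']} vulnerable={counts['vulnerable']}")
```

Run it as-is to see the three exposed placeholder assets (GW-02 at 2.1 is not listed because 2.1 equals the fixed release 2.1.0). Feeding the `remediation_status` output into a monthly spreadsheet gives the updated-versus-still-vulnerable figures that tips 7 and 8 ask for; a product with `fixed_in=None` stays on the vulnerable list until the vendor publishes a fix, which is exactly the case the briefing warns about.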

If we all practiced the above 10 steps, I know that we would be collectively much better at responding to cyber security threats. Use these two recent examples of Heartbleed and the Internet Explorer 0-day vulnerability to test your own organization’s readiness.

As always, please forward the link to this briefing on to those who can benefit from these tips, and stay tuned for more technical briefings each month. Also keep in mind that our 5-day SCADA Security Training course is being offered in Houston in July, so think about which people within your company would benefit from a strong 5-day boot camp in ICS / SCADA Security.

Thanks!

Jonathan