OT Network Security Myths Busted in a Pair of Hacks

S4x23

Miami

As IT and operational technology (OT) network lines continue to blur in the rapidly digitalized industrial sector, new vulnerabilities and threats imperil conventional OT security measures that once isolated and guarded physical processes from cyberattacks.

Two new separate sets of research released this month underscore real, hidden dangers to physical operations in today’s OT networks from wireless devices, cloud-based applications, and nested networks of programmable logic controllers (PLCs), effectively further dispelling conventional wisdom about the security of network segmentation as well as third-party connections to the network.

In one set of findings, a research team from Forescout Technologies was able to bypass safety and functional guardrails in an OT network and move laterally across different network segments at the lowest levels of the network: the controller level (aka Purdue level 1), where PLCs live and run the physical operations of an industrial plant. The researchers used two newly disclosed Schneider Modicon M340 PLC vulnerabilities that they found, a remote code execution (RCE) flaw and an authentication bypass vulnerability, to breach the PLC and take the attack to the next level by pivoting from the PLC to its connected devices in order to manipulate them to perform nefarious physical operations.

“We are trying to dispel the notion that you hear among asset owners and other parties that Level 1 devices and Level 1 networks are somehow different from regular Ethernet networks and Windows [machines] and that you cannot move through them in very similar ways,” says Jos Wetzels, security researcher with Forescout. “These systems are reachable, and you can bypass safety checks if you have the right level of control. We are showing how to do this.”

The highly complex attack sequence that the researchers demonstrated with a proof-of-concept (PoC), and that they acknowledge would require the technical chops and resources of nation-state attackers, stands in stark contrast to a relatively simple new hack that another group of researchers pulled off that exposes plants via wireless network devices. Both of these separate sets of OT attack findings poke holes in traditional assumptions of inherent security at the lower layers of OT networks, and the two teams of researchers behind them shared their findings here this week at the S4x23 ICS/OT conference.

Wireless Threat “Got Our Attention”

In the second batch of research, a team at ICS security provider Otorio found some 38 vulnerabilities in products including cellular routers from Sierra Wireless and InHand Networks, and a remote access server for machines from ETIC Telecom. A dozen other bugs remain in the disclosure process with the affected vendors and were not named in the report.

The flaws include two dozen Web interface bugs that could give an attacker a direct line of access to OT networks.

Matan Dobrushin, vice president of research at Otorio, says his team used the open source WiGLE tool, a Shodan-style search app that locates and maps wireless access points around the world. WiGLE collects SSIDs or network names, encryption types (such as WEP or WPA), and the geolocation of a wireless access point. The team was able to locate various OT sites via those geolocated APs that WiGLE spotted, including an oil well with weak authentication to its wireless device.

The team discovered relatively simple ways for an attacker to hack industrial Wi-Fi access points and cellular gateways and wage man-in-the-middle attacks to manipulate or sabotage physical machinery in production sites. In one attack scenario the researchers pose, an attacker armed with a laptop could find and drive to a plant location and connect to the operational network.

“You don’t have to go through all of the layers of the enterprise IT network or firewalls. In this example, someone can just come with a laptop and connect directly to the most sensitive physical part of that network,” Dobrushin says. “This is what got our attention.”

Physical proximity is just one of three attack scenarios the team discovered when they found the vulns in these wireless devices. They also could reach the plant wireless devices via oft-exposed IP addresses inadvertently open to the public Internet. But the third and most surprising attack scenario they found: They could reach the OT networks via blatantly insecure cloud-based management interfaces on the wireless access points.

Many of the devices that come with cloud-based management also contain interfaces with either very weak authentication, or no authentication at all. InHand Networks’ InRouter302 and InRouter615, for example, use an unsecured communications link to the cloud platform by default, sending information in cleartext.

“It’s a single point of security and failure,” Dobrushin says of the weak management interfaces, and “the main attack surface” for plant wireless access points.

The onus is on the wireless device vendors to better secure their Web interfaces. “I think the biggest fail point here is not wireless itself, not the cloud itself: It’s the integration point between the cloud and modern Web-based world, to the old industrial world. These integration points are not strong enough.”

For example, an RCE vulnerability in the Sierra Wireless Airlink’s AceManager Web interface could let an attacker inject malicious commands. The vulnerability actually bypasses a previous patch Sierra had issued in April of 2019 for another bug, according to Otorio.

Lateral Movement Research

Forescout’s research, meanwhile, also shows how security at Purdue Level 1 of an OT network is not as airtight as many industrial organizations believe. The company’s findings demonstrate how a threat actor could spread an attack across various network segments and types of networks at the Purdue Level 1/controller level of the OT network.


In their proof-of-concept attack, the researchers first hacked a Wago coupler device in order to reach the Schneider M340 PLC. Once they got to the PLC, they employed two newly disclosed vulnerabilities they first found last year as part of the OT:ICEFALL set of vulns but were unable to reveal until Schneider had patched them: CVE-2022-45788 (remote code execution) and CVE-2022-45789 (authentication bypass). That allowed them to bypass the PLC’s internal authentication protocol and move through the PLC to other connected devices, including an Allen-Bradley GuardLogix safety control system that protects plant systems by ensuring they operate in a safe physical state. Then they were able to manipulate the safety systems on the GuardLogix backplane.

What sets their findings apart is that they look at lateral movement not just between Level 1 devices in the same network segment or to Layer 2 SCADA systems, but spreading across nested devices and networks at Layer 1. And unlike previous PLC research, Wetzels and Daniel dos Santos, head of security research at Forescout, didn’t just hack a PLC via an inherent vulnerability. They instead pivoted from the PLC to other systems connected to it in order to bypass the security and physical safety checks within the OT systems.

“We’re not just talking directly [to] one of the PLCs. We’re moving to all devices existing behind it to bypass the functional and safety constraints” of the PLC that would cause the device to halt or shut down the process, Wetzels says. “Or I can manipulate the PLC and cause physical damage.”

Wetzels says some vendors provide incorrect guidance to OT operators that states that “nesting” PLCs via serial links or nonroutable OT protocols provides secure segmentation for those devices and the OT network. “We’re demonstrating this is a faulty line of reasoning against a certain type of attacker,” he says. The researchers show that all devices that reside under the PLC in other networks behind it (valve controllers and sensors, for example) also can be exposed and provide an attacker more detailed control of the systems.

“If you want to manipulate [the physical processes] at a deep level, you move deep into those networks,” he says.

Another weak and often-overlooked link is network connections to third-party maintenance providers, for HVAC or water treatment plant work, for example. The maintenance contractor often has a remote connection to their packaged system, which then interfaces with the OT network. “The perimeter to the outside that exists at Level 1 is not hardened or monitored,” Wetzels explains.

How to Defend Against These Threats to OT

Forescout’s Wetzels and dos Santos recommend that OT operators re-evaluate the state of their Level 1 devices and interconnectivity. “Make sure nothing can be disabled by cyber means,” Wetzels advises.

He also recommends that plants with Ethernet links that are not firewalled should add a firewall. And at the least, ensure visibility of the traffic with an intrusion detection system, he says. If the PLCs include IP-based access control list (ACL) and forensics inspection functions, deploy them to harden the devices, he says.

“Likely there’s a lot of network crawlspace not on your radar,” Wetzels said today in his presentation here. “At Level 1, between different [network] segments needs a perimeter security profile.”

As for the wireless access point vulnerabilities and attacks Otorio revealed, the researchers recommend disabling weak encryption in wireless access devices, masking wireless devices publicly or at least whitelisting authorized devices, and ensuring strong authentication for IP-based devices.

They also advise disabling unused cloud-based services, which typically are on by default, and firewalling and/or adding virtual private network (VPN) tunnels among the connections.

Tom Winston, director of intelligence content at Dragos, says wireless access points in the industrial network should use multifactor authentication. “Access control is always a concern.”

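As an added example (not tooling from Forescout, Otorio or Dragos), the defensive recommendations above turned into a machine-checkable audit over an asset inventory: weak wireless encryption, unauthenticated or MFA-less management, cloud management left on by default or talking in cleartext, Internet-exposed management, unfirewalled uplinks and missing PLC IP ACLs. The inventory fields and the sample devices are constructed assumptions, not any vendor's schema.

```python
from dataclasses import dataclass
from typing import Dict, List

# Wireless modes Otorio recommends disabling; "wpa" here means WPA1/TKIP.
WEAK_WIFI = {"open", "wep", "wpa"}

@dataclass
class EdgeDevice:
    """Constructed inventory record for one edge device or PLC uplink."""
    name: str
    role: str                     # "wifi_ap", "cell_router" or "plc"
    wifi_encryption: str = "n/a"  # open / wep / wpa / wpa2 / wpa3 / n/a
    mgmt_auth: str = "password"   # none / password / mfa
    cloud_mgmt_enabled: bool = False
    cloud_mgmt_in_use: bool = False
    cloud_link_encrypted: bool = True
    public_ip_exposed: bool = False
    uplink_firewalled: bool = True
    ip_acl_enabled: bool = False  # PLC-side IP ACL, where the PLC offers one

def audit(dev: EdgeDevice) -> List[str]:
    """Return one finding per recommendation the device violates."""
    checks = [
        (dev.wifi_encryption in WEAK_WIFI, f"weak wireless encryption: {dev.wifi_encryption}"),
        (dev.mgmt_auth == "none", "management interface has no authentication"),
        (dev.role == "wifi_ap" and dev.mgmt_auth != "mfa", "access point management lacks MFA"),
        (dev.cloud_mgmt_enabled and not dev.cloud_mgmt_in_use, "unused cloud management left enabled (vendor default)"),
        (dev.cloud_mgmt_enabled and not dev.cloud_link_encrypted, "cloud management link sends data in cleartext"),
        (dev.public_ip_exposed, "management interface reachable from the public Internet"),
        (not dev.uplink_firewalled, "uplink has no firewall or VPN tunnel"),
        (dev.role == "plc" and not dev.ip_acl_enabled, "PLC IP access control list not deployed"),
    ]
    return [msg for failed, msg in checks if failed]

def audit_inventory(devices: List[EdgeDevice]) -> Dict[str, List[str]]:
    """Map each non-compliant device name to its findings."""
    result = {d.name: audit(d) for d in devices}
    return {name: f for name, f in result.items() if f}

# Constructed sample inventory: a factory-default cellular router, a hardened AP,
# and a PLC whose Ethernet link is neither firewalled nor ACL-protected.
SAMPLE = [
    EdgeDevice("cell-router-1", "cell_router", mgmt_auth="none",
               cloud_mgmt_enabled=True, cloud_link_encrypted=False,
               public_ip_exposed=True),
    EdgeDevice("plant-ap-1", "wifi_ap", wifi_encryption="wpa3", mgmt_auth="mfa"),
    EdgeDevice("m340-line-2", "plc", uplink_firewalled=False),
]
```

Running `audit_inventory(SAMPLE)` reports four findings for the default-configured router, two for the PLC link, and none for the hardened access point.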