S4x23 — Miami — As IT and operational technology (OT) network lines continue to blur in the rapidly digitalized industrial sector, new vulnerabilities and threats imperil conventional OT security measures that once isolated and guarded physical processes from cyberattacks.
Two new separate sets of research released this month underscore real, hidden dangers to physical operations in today's OT networks from wireless devices, cloud-based applications, and nested networks of programmable logic controllers (PLCs) — effectively further dispelling conventional wisdom about the security of network segmentation as well as third-party connections to the network.
In one set of findings, a research team from Forescout Technologies was able to bypass safety and functional guardrails in an OT network and move laterally across different network segments at the lowest levels of the network: the controller level (aka Purdue level 1), where PLCs live and run the physical operations of an industrial plant. The researchers used two newly disclosed Schneider Modicon M340 PLC vulnerabilities that they found — a remote code execution (RCE) flaw and an authentication bypass vulnerability — to breach the PLC and take the attack to the next level by pivoting from the PLC to its connected devices in order to manipulate them to perform nefarious physical operations.
"We are trying to dispel the notion that you hear among asset owners and other parties that Level 1 devices and Level 1 networks are somehow different from regular Ethernet networks and Windows [machines] and that you cannot move through them in very similar ways," says Jos Wetzels, security researcher with Forescout. "These systems are reachable, and you can bypass safety checks if you have the right level of control. We are showing how to do this."
The highly complex attack sequence that the researchers demonstrated with a proof-of-concept (PoC) — and that they acknowledge would require the technical chops and resources of nation-state attackers — stands in stark contrast to a relatively simple new hack that another group of researchers pulled off that exposes plants via wireless network devices. Both of these separate sets of OT attack findings poke holes in traditional assumptions of inherent security at the lower layers of OT networks, and the two teams of researchers behind them shared their findings here this week at the S4x23 ICS/OT conference.
Wireless Threat "Got Our Attention"
In the second batch of research, a team at ICS security provider Otorio found some 38 vulnerabilities in products including cellular routers from Sierra Wireless and InHand Networks, and a remote access server for machines from ETIC Telecom. A dozen other bugs remain in the disclosure process with the affected vendors and were not named in the report.
The flaws include two dozen Web interface bugs that could give an attacker a direct line of access to OT networks.
Matan Dobrushin, vice president of research at Otorio, says his team used the open source WiGLE tool, a Shodan-style search app that locates and maps wireless access points around the world. WiGLE collects SSID or network names, encryption types (such as WEP or WPA), and the geolocation of a wireless access point. The team was able to locate various OT sites via those geolocated Aps that WiGL spotted, including an oil well with weak authentication to its wireless device.
The team discovered relatively simple ways for an attack to hack industrial Wi-Fi access points and cellular gateways and wage man-in-the-middle attacks to manipulate or sabotage physical machinery in production sites. In one attack scenario, the researchers pose, an attacker armed with a laptop could find and drive to a plant location and connect to the operational network.
"You don't have to go through all of the layers of the enterprise IT network or firewalls. In this example, someone can just come with a laptop and connect directly to the most sensitive physical part of that network," Dobrushin says. "This is what got our attention."
Physical proximity is just one of three attack scenarios the team discovered when they found the vulns in these wireless devices. They also could reach the plant wireless devices via oft-exposed IP addresses inadvertently open to the public Internet. But the third and most surprising attack scenario they found: They could reach the OT networks via blatantly insecure cloud-based management interfaces on the wireless access points.
Many of the devices that come with cloud-based management also contain interfaces with either very weak authentication, or no authentication at all. InHand Networks' InRouter302 and InRouter615, for example, use an unsecured communications link to the cloud platform by default, sending information in cleartext.
"It's a single point of security and failure," Dobrushin says of the weak management interfaces, and "the main attack surface" for plant wireless access points.
The onus is on the wireless device vendors to better secure their Web interfaces. "I think the biggest fail point here is not wireless itself, not the cloud itself: It's the integration point between the cloud and modern Web-based world, to the old industrial world. These integration points are not strong enough."
For example, an RCE vulnerability in the Sierra Wireless Airlink's AceManager Web interface could let an attacker inject malicious commands. The vulnerability actually bypasses a previous patch Sierra had issued in April of 2019 for another bug, according to Otorio.
Lateral Movement Research
Forescout's research, meanwhile, also shows how Purdue Level 1 of an OT network security is not as airtight as many industrial organizations believe. The company's findings demonstrate how a threat actor could spread an attack across various network segments and types of networks at the Purdue Level 1/controller level of the OT network.
In their proof-of-concept attack, the researchers first hacked a Wago coupler device in order to reach the Schneider M340 PLC. Once they got to the PLC, they employed two newly disclosed vulnerabilities they first found last year as part of the OT:ICEFALL set of vulns but were unable to reveal until Schneider had patched them, CVE-2022-45788 (remote code execution) and CVE-2022-45789 (authentication bypass). That allowed them to bypass the PLC's internal authentication protocol and move through the PLC to other connected devices, including an Allen-Bradley GuardLogix safety control system that protects plant systems by ensuring they operate in a safe physical state. Then they were able to manipulate the safety systems on the GuardLogix backplane.
What sets their findings apart is that it looks at lateral movement not just between Level 1 devices in the same network segment or to Layer 2 SCADA systems but spreading across nested devices and networks at Layer 1. And unlike previous PLC research, Wetzels and Daniel dos Santos, head of security research at Forescout, didn't just hack a PLC via an inherent vulnerability. They instead pivoted from the PLC to other systems connected to it in order to bypass the security and physical safety checks within the OT systems.
"We're not just talking directly [to] one of the PLCs. We're moving to all devices existing behind it to bypass the functional and safety constraints" of the PLC that would cause the device to halt or shut down the process, Wetzels says. "Or I can manipulate the PLC and cause physical damage."
Wetzels says some vendors provide incorrect guidance to OT operators that states that "nesting" PLCs via serial links or nonroutable OT protocols provides secure segmentation for those devices and the OT network. "We're demonstrating this is a faulty line of reasoning against a certain type of attacker," he says. The researchers show that all devices — valve controllers and sensors, for example — that reside under the PLC in other networks behind it also can be exposed and provide an attacker more detailed control of the systems.
"If you want to manipulate [the physical processes] at a deep level, you move deep into those networks," he says.
Another weak and often-overlooked link are network connections to third-party maintenance providers, for HVAC or water treatment plant work, for example. The maintenance contractor often has a remote connection to their packaged system, which then interfaces with the OT network. "The perimeter to the outside that exists at Level 1 is not hardened or monitored," Wetzels explains.
How to Defend Against These Threats to OT
Forescout's Wetzels and dos Santos recommend that OT operators re-evaluate the state of their Level 1 devices and interconnectivity. "Make sure nothing can be disabled by cyber means," Wetzels advises.
He also recommends that plants with Ethernet links that are not firewalled should add a firewall. And at the least, ensure visibility of the traffic with an intrusion detection system, he says. If the PLCs include IP-based access control list (ACL) and forensics inspection functions, deploy them to harden the devices, he says.
"Likely there's a lot of network crawlspace not on your radar," Wetzels said today in his presentation here. "At Level 1, between different [network] segments needs a perimeter security profile."
As for the wireless access point vulnerabilities and attacks Otorio revealed, the researchers recommend disabling weak encryption in wireless access devices, masking wireless devices publicly or at least whitelisting authorized devices, and ensuring strong authentication for IP-based devices.
They also advise disabling unused cloud-based services, which typically are on by default, and firewalling and/or adding virtual private network (VPN) tunnels among the connections.
Tom Winston, director of intelligence content at Dragos, says wireless access points in the industrial network should use multifactor authentication. "Access control is always a concern."