Vulnerable Historian Servers Imperil OT Networks

Databases are a common point of attack by threat actors, but an uncommon type of database is gaining attention as a potentially critical target: data historian servers.

On Jan. 17, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that a set of five vulnerabilities found in the the GE Proficy Historian server could leave unpatched servers vulnerable to exploitation of poor access controls and the upload of dangerous files. GE is not alone: In the past, security researchers have found security issues in Schneider Electric's Vijeo Historian Web server and Siemens' SIMATIC Process Historian.

The servers could be used as a bridge between an organization's information technology (IT) network and its operational technology (OT) network, Uri Katz, a security researcher for cybersecurity firm Claroty's Team82 stated in its advisory on the GE Proficy vulnerabilities. 

"[D]ue to its unique position in between the IT and OT networks, attackers are targeting the historian, and could use it as a pivot point into the OT network," Katz said, adding that "historians often contain valuable data about industrial processes, including data about process control, performance, and maintenance."

Data historian servers — also called operational historians or process historians — give companies the ability to monitor and analyze data from their industrial control systems and physical-device networks. Essentially a data lake to store time-series data in an industrial setting, historians collect real-time information on critical infrastructure, manufacturing, and operations. 

For attackers, however, the historian server represents an opportunistic bridge between the IT and OT segments of a network because it is typically a centralized database connected to both. Because of this, historian servers have been identified as a likely target of attack in ICS networks, including adversary-in-the-middle attacks and database injection attacks, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

DMZ

While combining IT and OT networks can make industrial technology more agile and cost effective, "multi-network integration strategies often lead to vulnerabilities that greatly reduce the security of an organization, and can expose mission-critical control systems to cyber threats," CISA stated in its Control Systems Cyber Security Defense in Depth Strategies document.

While only one of the four advisories for industrial control systems published by the agency on Jan. 17 had to do with historian servers, CISA has warned in the past about vulnerable historian servers, such as Siemens SIMATIC Process Historian in 2021. In its previous incarnation as the ICS-CERT, the organization also warned about default passwords in Schneider Electric's Wonderware Historian in 2017 and vulnerabilities in Schneider Electric's Vijeo Historian Web Server in 2013.

Claroty's Team 82 research group installed the historian software, enumerated the structure of the messages it uses to communication, and looked for authentication bypasses to compromise the server. It found vulnerabilities that could allow an attacker to bypass authentication, delete a code library, replace the library with malicious code, and then run that code.

So far, no attack using a historian server has caused a publicized breach, Claroty's Katz said in an email interview. Yet historian servers do represent an interconnection between operational and information networks that will likely be exploited in the future, he added.

"Historian servers are generally not Internet-facing, but they are often located in the DMZ layer between the enterprise network and OT network," he said. "Some of the vulnerabilities can be chained to bypass authentication and gain pre-authentication remote code execution."

History Lessons

Industrial and critical-infrastructure organizations should include historian servers in their cybersecurity planning, experts say. In a list of five scenarios that companies should perform as industrial control system (ICS) tabletop exercises, the SANS Institute's Dean Parsons included a breach that uses a data historian to gather data on sensitive devices and controls.

"A set of compromised IT Active Directory credentials [could be] used to access the Data Historian, then pivot into the industrial control environment," said Parsons, who is also CEO and a principal consultant of ICS Defense Force. "It is critical that ICS networks be segmented from the Internet and from the IT business network."

Organizations should ensure historian servers are up to date and separated from other parts of the network, Claroty's Katz said. "Network segmentation is ... a mitigation that could help against these vulnerabilities and keep attackers from using them as a pivot point from IT to OT," he says.

Some ICS cybersecurity vendors, such as Waterfall Security and Clarify, limit access to the historian servers. They instead clone the system in the IT network segment or offer an intermediary service, allowing engineers and technicians to access the data while preventing attackers from executing code or changing data.