New security flaws in automated industrial controllers and in widely used software for programming millions of smart devices in critical infrastructures can lead to production downtime. Networked industrial controllers and industrial control systems are exposed to particular threats because their components were often not designed to be integrated into networks. Network analysis and management must meet special requirements, but can then be very helpful in detecting security problems. This year's it-sa showed several new applications for SCADA systems.
Security deficits in operational technology (OT) easily lead to attacks with serious consequences. According to various media reports, security vulnerabilities were recently discovered at two German manufacturers of industrial control systems (ICS). SC-Magazin, for example, writes: "Festo automated controls and the Codesys software environment, with which developers can program control systems, are affected. In both cases, the cause is inadequate or missing encryption of communication protocols. This security gap can be used by attackers to manipulate controllers or even completely take over and control these devices - with unforeseeable consequences."
Research project searches for security gaps
The vulnerabilities were discovered as part of the research project "OT Icefall", which aims to uncover security vulnerabilities in the ICS technologies responsible for controlling machines. The project focuses on systems that drive much of the critical infrastructure, from manufacturing equipment and telecommunications to water and power supplies. These are mostly so-called SCADA systems, i.e. systems or software for monitoring and controlling technical processes. Around 60 vulnerabilities have already been uncovered by the project since the beginning of this year. The most common problems include access to OT functions without authentication, unencrypted network traffic and deficiencies in the cryptography used.
The lack of security in the OT world has its reasons. The OT sector uses devices and machines that have been in operation unchanged for decades and were often never intended for networking. Accordingly, they often show security deficiencies once they are subsequently integrated into OT networks. Cyber criminals know this, and various groups have already specialised in attacks on SCADA systems. Not only are many ICS targets easy prey; attacks on them also cause great damage with massive consequences, for example when critical infrastructure systems fail.
In the meantime, specialised providers of security technologies are dedicating themselves to the specific problems of the OT world. Of the numerous exhibitors at this year's it-sa trade fair, three are presented as examples.
Automated analysis of OT networks detects security problems
One of these is the German start-up Rhebo, which specialises primarily in network monitoring for OT networks. Rhebo's solution understands OT protocols and can analyse their data traffic. Manufacturers of ICS components, however, usually do not allow customers to install software on their devices. Rhebo therefore takes a different path: its own appliance reads data via the mirror ports of the network switches. SCADA protocols can be analysed and, for example, deviations from standard values detected. The appliance also detects when data communication occurs between components that were not previously in contact with each other. Deep packet inspection (DPI) is used to analyse the contents of data packets. If something unusual appears, an alarm can be triggered. In this way, unauthorised updates are also detected.
The Silicon Valley company Armis also concentrates on scanning OT networks, but with a focus on asset management: identifying new or unknown devices, managing device properties, tracking changes and the like. Armis can even read and analyse the configurations of programmable logic controllers (PLC). The aim is to improve the visibility of the network and help IT and OT specialists identify threats. Problematic devices can then be taken off the network or quarantined so that they do not cause any damage. This never happens automatically, however, because production might otherwise be interrupted, which could have massive impacts on the company. Because all of this is done by network analysis, the system needs no agents on the components, a common requirement in OT.
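The monitoring described in the two preceding paragraphs, as an added example that is not code from Rhebo, Armis or this article: a learning phase builds a baseline from traffic seen at a mirror port (known devices, known communication pairs and the observed range of decoded process values); live traffic is then compared with that baseline and each deviation becomes an alert, while taking a device off the network remains a manual step. The addresses, protocol labels and process values are constructed for the example; a real appliance would obtain them from its protocol decoders. The example goes slightly beyond the text in that one learned baseline serves both the unknown-device check of asset management and the new-pair and value checks of network monitoring.

```go
package main

import "fmt"

// FlowRecord is one observation from a switch mirror port: who talked to whom over which
// OT protocol and, where the monitor decodes that protocol, the process value carried.
type FlowRecord struct {
	Src, Dst, Proto string
	Value           float64
	HasValue        bool // false when the protocol was not decoded
}

// ValueRange is the band of values seen on one communication pair during learning.
type ValueRange struct{ Min, Max float64 }

// Monitor is the learned baseline: known assets, known pairs and a value range per pair.
type Monitor struct {
	Assets, Pairs map[string]bool
	Ranges        map[string]ValueRange
}

func pairKey(r FlowRecord) string { return r.Src + ">" + r.Dst + "/" + r.Proto }

// Learn builds the baseline: every device and pair seen becomes known, and the spread
// of decoded values on each pair becomes its expected range.
func Learn(flows []FlowRecord) *Monitor {
	m := &Monitor{Assets: map[string]bool{}, Pairs: map[string]bool{}, Ranges: map[string]ValueRange{}}
	for _, r := range flows {
		m.Assets[r.Src], m.Assets[r.Dst] = true, true
		k := pairKey(r)
		m.Pairs[k] = true
		if r.HasValue {
			rng, seen := m.Ranges[k]
			if !seen || r.Value < rng.Min {
				rng.Min = r.Value
			}
			if !seen || r.Value > rng.Max {
				rng.Max = r.Value
			}
			m.Ranges[k] = rng
		}
	}
	return m
}

// Inspect compares live traffic with the baseline and returns one alert per deviation:
// an unknown device, a pair that never talked before, or a value outside the learned
// range. It only reports; isolating a device stays a human decision.
func Inspect(m *Monitor, flows []FlowRecord) []string {
	var alerts []string
	for _, r := range flows {
		for _, dev := range []string{r.Src, r.Dst} {
			if !m.Assets[dev] {
				alerts = append(alerts, "unknown device "+dev)
			}
		}
		k := pairKey(r)
		if !m.Pairs[k] {
			alerts = append(alerts, "new communication pair "+k)
			continue // a new pair has no learned range to check against
		}
		if rng, ok := m.Ranges[k]; ok && r.HasValue && (r.Value < rng.Min || r.Value > rng.Max) {
			alerts = append(alerts, fmt.Sprintf("value %.1f outside learned range [%.1f, %.1f] on %s", r.Value, rng.Min, rng.Max, k))
		}
	}
	return alerts
}

// Constructed learning-phase records: a SCADA server polling a PLC over Modbus and an
// engineering station reaching the same PLC (protocol names are labels only).
var learningPhase = []FlowRecord{
	{"10.1.0.10", "10.1.0.20", "modbus", 71.5, true},
	{"10.1.0.10", "10.1.0.20", "modbus", 73.0, true},
	{"10.1.0.10", "10.1.0.20", "modbus", 72.2, true},
	{"10.1.0.11", "10.1.0.20", "s7comm", 0, false},
}

// Constructed live traffic: a normal poll, an out-of-range value, an unknown host using
// the engineering protocol, and two known hosts talking to each other for the first time.
var liveTraffic = []FlowRecord{
	{"10.1.0.10", "10.1.0.20", "modbus", 72.8, true},
	{"10.1.0.10", "10.1.0.20", "modbus", 98.0, true},
	{"10.1.0.99", "10.1.0.20", "s7comm", 0, false},
	{"10.1.0.11", "10.1.0.10", "modbus", 0, false},
}

// Run learns the baseline from the constructed learning phase and inspects the live traffic.
func Run() []string { return Inspect(Learn(learningPhase), liveTraffic) }

func main() {
	for _, a := range Run() {
		fmt.Println("ALERT:", a)
	}
}
```

A learned range is only as trustworthy as the learning window it came from, so in practice the baseline is reviewed by someone who knows the process before alerts on it are acted upon.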
The US company Venafi is also active in OT security, but takes a different approach: it wants to secure machine-to-machine (M2M) communication in production environments. M2M communication typically relies on machine identities, which are often based on certificates, SSH keys or simply access rights. Depending on the size of the environment and the number of components, managing these certificates can be very time-consuming, because certificates expire at some point and have to be renewed and redistributed. Venafi automates this fully and refines it with additional scan-based analyses. This not only increases security but also minimises failures and reduces the administrative effort.
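The certificate lifecycle the paragraph describes, as an added example that is not Venafi's code: each machine identity is a key pair with an X.509 certificate, and a sweep over the inventory finds certificates that expire within a lead time (or already have) and reissues them with a fresh key. The self-signed certificates, the machine names, the fixed "current time" and the lead time are constructed for the example and stand in for what an issuing CA and a real inventory would provide; redistributing the renewed certificate to the machine is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MachineIdentity is one certificate-based identity in the inventory.
type MachineIdentity struct {
	Name string
	Key  ed25519.PrivateKey
	Cert *x509.Certificate
}

// Now is the constructed instant the example evaluates; a real system uses time.Now().
var Now = time.Date(2022, 11, 1, 12, 0, 0, 0, time.UTC)

const (
	Lifetime = 365 * 24 * time.Hour // validity of a newly issued certificate
	Lead     = 30 * 24 * time.Hour  // start renewing this long before expiry
)

// NewIdentity generates a fresh Ed25519 key and a self-signed certificate for name, valid
// from notBefore for lifetime. Self-signed stands in for a real issuing CA here.
func NewIdentity(name string, notBefore time.Time, lifetime time.Duration) (*MachineIdentity, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &MachineIdentity{Name: name, Key: key, Cert: cert}, err
}

// NeedsRenewal reports whether cert expires within lead of now, or has expired already.
func NeedsRenewal(cert *x509.Certificate, now time.Time, lead time.Duration) bool {
	return !now.Add(lead).Before(cert.NotAfter)
}

// RenewDue reissues every identity that is due (with a new key, so renewal also rotates
// the key) and returns the names it renewed; identities that are not due are left alone.
func RenewDue(inv []*MachineIdentity, now time.Time, lead, lifetime time.Duration) ([]string, error) {
	var renewed []string
	for _, id := range inv {
		if !NeedsRenewal(id.Cert, now, lead) {
			continue
		}
		fresh, err := NewIdentity(id.Name, now, lifetime)
		if err != nil {
			return renewed, err
		}
		id.Key, id.Cert = fresh.Key, fresh.Cert
		renewed = append(renewed, id.Name)
	}
	return renewed, nil
}

// BuildInventory constructs three identities of different ages: one healthy, one inside
// the renewal window and one already expired.
func BuildInventory() ([]*MachineIdentity, error) {
	names := []string{"plc-line1", "hmi-line1", "historian"}
	ageDays := []int{300, 350, 400} // days since each certificate was issued
	var inv []*MachineIdentity
	for i, name := range names {
		id, err := NewIdentity(name, Now.Add(-time.Duration(ageDays[i])*24*time.Hour), Lifetime)
		if err != nil {
			return nil, err
		}
		inv = append(inv, id)
	}
	return inv, nil
}

func main() {
	inv, err := BuildInventory()
	if err != nil {
		panic(err)
	}
	renewed, err := RenewDue(inv, Now, Lead, Lifetime)
	fmt.Println("renewed:", renewed, "error:", err)
}
```

The lead time is what turns expiry from an outage into a scheduled event: with a 30-day window the sweep can run daily, and a renewal that fails still leaves time to fix it before the old certificate stops being accepted.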
Serious incidents with severe consequences in the US, such as the attacks on the petrol station supplier Colonial Pipeline and the meat processing company JBS, have focused attention on utilities and OT sectors. IT security will become increasingly important in these industries in the future. Numerous providers with expertise in industrial IT security can be found at it-sa 365.
Author: Uwe Sievers