Last week, I had the distinct pleasure of addressing the Industrial Control Systems Joint Working Group (ICSJWG) in Cincinnati, Ohio. I commend the National Cybersecurity and Communications Integration Cell (NCCIC) for hosting another productive event, and thought I’d offer a summary of my remarks for those who were unable to venture out to Ohio.
By way of brief background, twice a year the Department of Homeland Security convenes the ICSJWG for two days of meetings with government, industry, and academic stakeholders. For their different professional affiliations, all attendees share a common interest and passion in securing our critical infrastructure.
My session was titled “Tales from the Field: Dissecting Recent ICS Network Assessments” and I began my remarks with a macro-level discussion of the most common risks that Claroty encounters across the OT ecosystem — a vantage point that spans six continents and nine vertical segments. I then delved into the micro-level details. For the purpose of this blog post, I’ll focus on the latter.
Below are the “top five observations” of risks that Claroty has encountered in the course of our field engagements. These observations are industry and sector agnostic — that is to say, we see them frequently across all the networks we monitor.
1. Unpatched Vulnerabilities- This first observation should come as no surprise to anyone, even the casual follower of ICS security. Patch management is extremely difficult for ICS asset owners and operators because there is often little appetite for taking down production systems. Of note, the vulnerabilities extend beyond just Windows-based Human-Machine Interfaces (HMI). In fact, we discover a lot of PLCs with fully matched Common Vulnerabilities and Exposures (CVE). In some cases, between 5-10% and up to 20% of assets have unmatched vulnerabilities. Again, asset operators are often aware of these bugs, but unwilling or unable to risk downtime by patching.
2. External Communications- Another common observation when evaluating ICS networks is the volume and type of external communications. For networks that are, in theory, “air gapped”, this revelation is often an unwelcome one. It’s important to note, as someone on Twitter reminded me after my talk, not all external communications are bad, and in some cases, they are necessary. This is true. What is not necessary, however, is when OT assets communicate directly with “ghosts”, or devices that do not communicate back. We observe this type of anomalous behavior all the time — and it happens over a variety of protocols (e.g., SYSLOG, MODBUS, RPC, DNS, SMB, HTTP, UDP, etc.). Usually it is simply the result of a misconfiguration, but it can also be indicative of an attacker hijacking the communication of a compromised asset.
3. Insecure Protocols- Unfortunately, the use of insecure protocols is far too common across ICS networks, especially among engineering workstations and PLCs. Among the most commonly observed protocols are TELNET, SNMP, SMTP, SMB, and FTP. In some cases, Claroty discovers virtually all traffic using these insecure protocols. The risks are well known: data and credentials are exposed in plain text, crypto is weakened, and the proliferation of exploits like the one used in WannaCry.
4. Abnormal Write Operations- In IT circles we often hear about the principle of least privilege as it relates to access. In OT circles, however, equally important is the principle of least privilege as it relates to write operations — specifically data acquisition write operations. It is not uncommon for us to encounter a scenario in which the number of assets that perform data acquisition write operations exceeds the minimum required to control a process. Limiting these permissions is critical to managing risk in an environment where a malicious operator with access to a PLC can manipulate a physical process without any malware whatsoever.
5. Open Ports- Finally, the last of our “top five observations” is the voluminous number of open ports we encounter during our ICS network assessments. Open ports are the gateway to applications and services in an OT environment. Don’t get me wrong, open ports are not inherently bad. However, unnecessarily open ports introduce unnecessary risk. It’s not unusual to discover that about half of the assets at an industrial site are open. In these cases, it’s important to scrutinize each asset and determine if the ports must be open to perform critical business or operational functions. If the answer is “no”, then it’s usually best to make a change.
Aside from these “top five observations”, I also noted that for nearly every site we’ve ever visited, the number of assets we discover exceeds the number of assets inventoried. In other words, most organizations lack basic visibility into how many OT assets are on their network. At Claroty we believe strongly that you can’t protect what you can’t see. Good asset management isn’t going to thwart a sophisticated ICS attack, but it is a fundamental component of ICS risk reduction.
Overall, I concede that none of these observations are earth-shattering or new, yet we continue to see them time and again. I believe it is important to embrace the collective experience of the industry in order to raise the level of security across all critical infrastructure sectors. The good news is asset owners, operators, and manufacturers, along with the commercial cybersecurity vendors and the government, are working in tandem to raise barriers to entry for those who threaten the integrity and availability of our industrial control systems. In this respect, the ICSJWG is an indispensable public-private forum and I look forward to attending the next meeting.