There was an interesting blog post by Eric Byres over at TofinoSecurity.com describing a new way to use their Tofino Industrial Security Solution to address the problem of updating multiple control system devices as new security vulnerabilities are discovered and corrected. Now I am not qualified to evaluate how well this actually works, but the basic concept sounds so good that I just have to talk about it. WARNING: Technical errors in this post are mine alone, don’t blame Eric.
In an earlier blog post Eric wrote about a really scary problem with Microsoft updates/patches that poses a particular problem for control systems. But that isn’t the limit of the problems with patches. The most basic problem is that most organizations don’t want to interrupt their process to take their control system down to apply the appropriate patches, complete with the testing and validation required to ensure that there is no unintended interference with their operations.
Next there is the problem of the apparently ever-increasing number of patches that would have to be applied to the system. The increased attention being directed at vulnerabilities in control systems has resulted in an ever larger number of vulnerabilities being published. If you look at the large number and variety of smart devices connected to modern control systems, it is easy to see that any number of patches could have to be applied to the control system on a fairly routine basis.
The more patches required to keep the system protected against attack, the more likely it is that the owner/operator will make the very reasonable decision not to apply any patches at all. Rather than trying to guess which vulnerability might really pose a threat to their system, the practical conclusion is that there is no reasonable method of making that determination, so why waste time applying the wrong patches.
There is one thing common to a large percentage of the vulnerabilities reported by ICS-CERT: the remote exploit involves a very specific type of communication being sent to the vulnerable device. This can be a default password, a specially crafted message, or a command sent to a specific port on the device.
What Tofino has is the ability to program these vulnerability signatures into their device, which sits in line and monitors control system communications. When it detects traffic matching a signature it blocks that communication, logs the event, and sends out an alarm so that humans can intervene. As new vulnerabilities are identified the signature library can be updated without any direct effect on the control system, which is the whole point: the device being protected is never touched.
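To make the mechanism concrete, here is the shape of such a signature filter in Python. This is an added illustration, not Tofino’s code or anything from Eric’s posts; the signature identifiers (EX-001 and so on), the IP addresses, the “debug port”, the default password and every message below are constructed for the example and do not describe any published vulnerability. The one real detail is the Modbus/TCP framing (7-byte MBAP header followed by the function code; function 0x08 is Diagnostics and sub-function 0x0001 is Restart Communications Option), which is used only to show what a “specially crafted message” signature looks like. The example also shows the library being updated without touching the device, and guards against an empty signature, which would otherwise block everything.

```python
"""Signature-based blocking of known-bad control-system traffic.

Added illustration of the approach described above; it is not Tofino code,
and every signature, port, address and message below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Signature:
    sig_id: str                              # hypothetical identifier
    description: str
    dst_port: Optional[int] = None           # command aimed at a specific port
    payload_regex: Optional[bytes] = None    # specially crafted message
    credential: Optional[bytes] = None       # known default password in the payload

    def matches(self, msg: "Message") -> bool:
        # An empty signature must never match: it would block everything.
        if self.dst_port is None and self.payload_regex is None and self.credential is None:
            return False
        if self.dst_port is not None and msg.dst_port != self.dst_port:
            return False
        if self.payload_regex is not None and not re.search(self.payload_regex, msg.payload, re.DOTALL):
            return False
        if self.credential is not None and self.credential not in msg.payload:
            return False
        return True


@dataclass
class Message:
    src: str
    dst: str
    dst_port: int
    payload: bytes


@dataclass
class Verdict:
    action: str                    # "allow" or "block"
    sig_id: Optional[str] = None


class SignatureFilter:
    """Sits in line between the network and the device: block, log, alarm."""

    def __init__(self, signatures: List[Signature]):
        self.signatures = list(signatures)
        self.log: List[str] = []

    def update_signatures(self, signatures: List[Signature]) -> None:
        # A library update only touches the filter; the protected device keeps running.
        self.signatures = list(signatures)

    def inspect(self, msg: Message) -> Verdict:
        for sig in self.signatures:
            if sig.matches(msg):
                entry = f"BLOCK {msg.src}->{msg.dst}:{msg.dst_port} {sig.sig_id} {sig.description}"
                self.log.append(entry)
                print("ALARM:", entry)       # stand-in for the operator alarm
                return Verdict("block", sig.sig_id)
        return Verdict("allow")


# Constructed signatures (hypothetical; not from any vendor advisory).
SIGNATURES = [
    Signature("EX-001", "default credential on telnet", dst_port=23, credential=b"defaultpw"),
    Signature("EX-002", "Modbus diagnostics restart (fc 0x08, sub 0x0001)", dst_port=502,
              payload_regex=rb"^.{7}\x08\x00\x01"),
    Signature("EX-003", "vendor debug port", dst_port=4444),
]

# Constructed traffic (sample input, not captures). Modbus frames: 7-byte MBAP, then function code.
MESSAGES = [
    Message("10.0.0.5", "10.0.1.20", 502,                      # Read Holding Registers (0x03)
            b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    Message("10.0.0.5", "10.0.1.20", 502,                      # Diagnostics (0x08), restart (0x0001)
            b"\x00\x02\x00\x00\x00\x06\x01\x08\x00\x01\x00\x00"),
    Message("10.0.0.9", "10.0.1.20", 23, b"admin\r\ndefaultpw\r\n"),
    Message("10.0.0.9", "10.0.1.20", 4444, b"anything"),
    Message("10.0.0.5", "10.0.1.20", 502,                      # Write Single Register (0x06) to 0x0010
            b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
]


def run_demo() -> List[Optional[str]]:
    """Return the matched signature id per message (None = allowed)."""
    flt = SignatureFilter(SIGNATURES)
    verdicts = [flt.inspect(m).sig_id for m in MESSAGES]
    # A later library update adds a signature for the write in MESSAGES[4]
    # without touching the device; re-inspecting the same message now blocks it.
    flt.update_signatures(SIGNATURES + [
        Signature("EX-004", "Modbus write to register 0x0010", dst_port=502,
                  payload_regex=rb"^.{7}\x06\x00\x10"),
    ])
    verdicts.append(flt.inspect(MESSAGES[4]).sig_id)
    return verdicts


if __name__ == "__main__":
    print(run_demo())   # [None, 'EX-002', 'EX-001', 'EX-003', None, 'EX-004']
```

Two things worth noticing in the output: the ordinary read request passes untouched while the restart request to the same port is blocked, which is why this is more useful than simply closing the port; and the write that was allowed on the first pass is blocked on the second purely because the library changed, with no downtime on the device.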
Okay, things are a bit more complicated than that, but this isn’t a Tofino sales presentation; contact Eric or one of his sales people if you want a more complete explanation of how their system works.
Now Eric doesn’t claim that this is a one-hundred-percent answer to ICS security problems. Zero-day vulnerabilities are obviously not covered; by definition there is no signature available for a 0-day. Spear-phishing attacks that attempt to gain user credentials, or insider attacks, would not be directly affected by this system.
Tofino Security develops its signature list based on information provided by the vendors. Not all vendors are willing to work with them, so not every device is covered. If you have one of these Tofino systems and one of your device vendors does not support it through Eric’s people, you might want to ask pointed questions. Eric has mentioned that they have the capability to develop some signatures on their own based on knowledge of known vulnerabilities, but I suspect that sort of service starts to get pricey.
This system monitors communications to and from the control system, and only the communications that actually pass through it. If there is some sort of direct access to peripheral devices, through physical connections, wireless access or whatever, that bypasses the device, this system cannot intercept or block that communication.
No one else has mentioned it, but one of my pet peeves doesn’t seem to be addressed by this system. If there are embedded systems, programs or subroutines from vendors that you are not aware of, and those systems have vulnerabilities, it seems unlikely that signatures for those will be loaded on the device. You see, when this is installed you tell Tofino Security what systems you have and they program your device with the signatures for those systems. If you don’t tell them, because you don’t know about the device, program, or subroutine, then they can’t help you.
The first suggestion is directed towards the vendors that aren’t currently working with Tofino: start. As this system is adopted by more owners, the failure to be a supporting vendor is going to start to affect sales.
Second, it seems to me that for vendors that have been made aware of vulnerabilities but have not yet had the chance to complete work on a distributable patch, this is a good way to provide some level of protection to your customers while you’re hard at work on the real fix. This would be especially true for those uncoordinated disclosures that put your customers at the most risk. Providing Eric’s team with vulnerability signatures as early in the process as possible would be an excellent selling point.
Finally, it seems to me that Tofino Security would benefit from having a team actively watching the uncoordinated disclosures being made and working with those researchers to develop signatures for those vulnerabilities. For the vendors they are working with, this would provide a valuable service. For their customers with equipment from non-cooperative vendors, it would provide some level of protection while they wait out the replacement life-cycle of the equipment.