As more and more industrial control systems are being protected by a variety of security devices the security of these devices becomes an issue. Shawn Merdinger posted an interesting Tweet® yesterday about a Shodan search for security devices from Check Point Software: “49K+ Check Point security devices via #Shodan” and he provided a link to a sample output from the search.
Now ICS-CERT does not list any vulnerabilities for Check Point devices but that is because they do not produce control devices. The folks at OSVDG.org, on the other hand have a list of advisories that covers three pages. More disturbingly three of the five advisories that I picked at random did not have any patches or updates listed to mitigate the vulnerabilities.
From the basic Shodan search that Shawn conducted there is no way to tell which of these devices protected control systems and no quick way to determine which of the 49,000+ devices have known, unmitigated vulnerabilities. What is almost certain, however, is that some number of the 49,000 systems identifiable from Shodan protect industrial control systems and some number of those have known vulnerabilities that are not corrected, either due to vendor inaction on the vulnerabilities or owner/operators failing to update systems with available mitigation tools.
We are seeing more and more industrial control systems being protected by add on devices. This is certainly a good thing considering the large number of ICS devices and systems that are insecure by design; without add-on security devices limiting access to these systems they would be completely vulnerable to attack.
That being said, it is obvious from Shawn’s work and the OSVDB listing that owners also need to be concerned about the security of their security devices. A security device with an known exploitable vulnerability is like a perimeter fence with large holes. It provides some protection, but a determined attacker will find the holes and waltz directly into the ‘protected’ system. This is the reason that defense in depth is so important. Holes in one point in the perimeter will be backed up by other devices and protections.
It also reinforces a point made frequently by Dale Peterson, we need to correct the huge security deficiencies in our control system devices. They need to be an integral part of the defense in depth. There should be no place in the security program where an attacker gets a free shot at a portion of the installation just because he made it through the outer layers of defenses.
Nasty Question - Who is going to be responsible for tracking security of security devices? ICS-CERT?