As more and more industrial control systems are being protected by a variety of security devices, the security of those devices becomes an issue in its own right. Shawn Merdinger posted an interesting Tweet® yesterday about a Shodan search for security devices from Check Point Software: “49K+ Check Point security devices via #Shodan”, and he provided a link to a sample of the search output.
Now, ICS-CERT does not list any vulnerabilities for Check Point devices, but that is because Check Point does not produce control devices, not because the devices are free of vulnerabilities. The folks at OSVDB.org, on the other hand, have a list of Check Point advisories that runs to three pages. More disturbingly, three of the five advisories that I picked at random did not have any patches or updates listed to mitigate the vulnerabilities.
From the basic Shodan search that Shawn conducted there is no way to tell which of these devices protect control systems, and no quick way to determine which of the 49,000+ devices have known, unmitigated vulnerabilities; a banner gives you at best a product and version, not what sits behind the device. What is almost certain, however, is that some number of the 49,000+ systems identifiable from Shodan protect industrial control systems, and some number of those have known vulnerabilities that are not corrected, either because the vendor has not acted on the vulnerability or because owner/operators have failed to apply the mitigations that are available.
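The triage step that the Shodan output alone does not give you is matching each banner's product and version against an advisory list and separating "patch exists" from "no fix published". The script below is an added example, not code from the original post or from Shodan or Check Point: the banner strings, version numbers and advisory entries are all constructed placeholders (the "EXAMPLE-ADV-*" IDs and version ranges are hypothetical and do not correspond to real advisories), and the banner format is assumed for illustration. What it cannot do, as the post notes, is tell which of the matched hosts fronts a control system.

```python
import re

# Constructed sample records in the shape of a Shodan-style export: one host
# per entry with its raw banner. Banners and versions are made up; they are
# not real Check Point output.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "port": 443,
     "banner": "Server: CPWS\r\nX-Example-Product: Check Point Gateway R77.30"},
    {"ip": "192.0.2.11", "port": 443,
     "banner": "Server: CPWS\r\nX-Example-Product: Check Point Gateway R80.10"},
    {"ip": "192.0.2.12", "port": 4433,
     "banner": "Check Point Management Portal R75.40"},
    {"ip": "192.0.2.13", "port": 443,
     "banner": "Apache/2.4.41 (Ubuntu)"},   # not a Check Point device at all
]

# Constructed advisory table (hypothetical IDs and version ranges, NOT real
# advisories). 'fixed_in' is None when the vendor has published no fix, the
# case the post singles out as most disturbing.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "product": "Gateway",
     "affected_max": "R77.30", "fixed_in": "R80.10"},
    {"id": "EXAMPLE-ADV-2", "product": "Management Portal",
     "affected_max": "R75.40", "fixed_in": None},
]

# Assumed banner shape: "Check Point <product> R<major>.<minor>"
BANNER_RE = re.compile(r"Check Point (Gateway|Management Portal) (R\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Return (product, version) from a banner, or None if it is not a match."""
    m = BANNER_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None


def version_key(version):
    """Turn 'R77.30' into a comparable tuple (77, 30)."""
    return tuple(int(p) for p in version.lstrip("R").split("."))


def triage(records, advisories):
    """Match each host against the advisory table.

    Returns one finding per (host, advisory) pair where the host's version is
    at or below the advisory's affected_max. 'unpatched' is True when the
    advisory carries no fixed_in version, i.e. the owner has nothing to apply.
    """
    findings = []
    for rec in records:
        parsed = parse_banner(rec["banner"])
        if parsed is None:
            continue
        product, version = parsed
        for adv in advisories:
            if adv["product"] != product:
                continue
            if version_key(version) <= version_key(adv["affected_max"]):
                findings.append({
                    "ip": rec["ip"],
                    "product": product,
                    "version": version,
                    "advisory": adv["id"],
                    "unpatched": adv["fixed_in"] is None,
                })
    return findings


def summarize(findings):
    """Count matched hosts, split by whether a fix exists."""
    hosts = {f["ip"] for f in findings}
    no_fix = {f["ip"] for f in findings if f["unpatched"]}
    return {"matched_hosts": len(hosts), "hosts_with_no_fix": len(no_fix)}


if __name__ == "__main__":
    results = triage(SAMPLE_RECORDS, ADVISORIES)
    for f in results:
        status = "NO FIX PUBLISHED" if f["unpatched"] else "patch available"
        print(f"{f['ip']:12} {f['product']:18} {f['version']:7} {f['advisory']:14} {status}")
    print(summarize(results))
```

Two caveats for anyone running this against real data: a banner version is self-reported and may be stale or deliberately altered, and a host that matches no advisory is not thereby known to be safe, only not known to be vulnerable.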
We are seeing more and more industrial control systems being protected by add-on devices. This is certainly a good thing, considering the large number of ICS devices and systems that are insecure by design; without add-on security devices limiting access to these systems, they would be completely exposed to attack.
That being said, it is obvious from Shawn’s work and the OSVDB listing that owners also need to be concerned about the security of their security devices. A security device with a known exploitable vulnerability is like a perimeter fence with large holes. It provides some protection, but a determined attacker will find the holes and waltz directly into the ‘protected’ system. This is the reason that defense in depth is so important: holes at one point in the perimeter are backed up by other devices and protections behind it.
It also reinforces a point made frequently by Dale Peterson: we need to correct the huge security deficiencies in our control system devices themselves. They need to be an integral part of the defense in depth. There should be no place in the security program where an attacker gets a free shot at a portion of the installation just because he made it through the outer layers of defense.
Nasty Question - Who is going to be responsible for tracking security of security devices? ICS-CERT?