Wednesday, February 24, 2021

Detecting 3rd Party Vulnerabilities

I recently read a research report by Claroty on their work detecting vulnerabilities in various OPC protocol stacks. The vulnerabilities were disclosed and ‘corrected’ last year by the vendors identified in the report. It is an interesting report, though perhaps a little to cyber geek for my level of expertise, but certainly a worthwhile contribution to the cybersecurity literature. It does, however, leave an important question unanswered.

The vendors identified in this report, like those that have been recently reported in TCP/IP stack vulnerabilities, are not vendors (or at least the affected products) that control system owner/operators typically deal with on their plant floors. The vulnerable products are used, however, as third-party components of many of those products in everyday industrial control system settings. We have seen only a limited number of advisories about these vulnerabilities in vendor products that are being bought by industry. Does that mean that these vulnerabilities do not impact the actual owner/operators of control systems? That is the $64 million question.

In some unknown number of cases, vendors may have already included in their equipment design programming ‘fixes’ that mitigate these third-party vulnerabilities. They may not even have known that they were mitigating vulnerabilities. Unrelated design decisions and program utilizations may have already taken care of the problems.

In an equally unknown number of cases, vendors are working hard at correcting the problems caused by these vulnerabilities by either incorporating the updated third-party software or specifically reworking their programming to neutralize the effects of the vulnerabilities.

Unfortunately, the third case, again in an unknown number of cases, the vendor is quietly holding their breath and hoping that no one will notice that their equipment is vulnerable to these third-party vulnerabilities.

How is an owner/operator of a control system to know which case applies to the systems in use on their production floor? There is not a good answer to that question. Aside from taking the proof-of-concept code available in research reports like those in the Claroty UPA paper and crafting a test of their own equipment (and how many owner/operators have that level of engineering support on hand?) there is not currently a good way to know.

The researchers who report these vulnerabilities do not have the time, and most certainly not the resources, to test every possible control system device to see if it is affected by these third-party type vulnerabilities. What they could do, with some unknown level of additional effort, is to provide code testing protocols for owner/operators to use to test their systems to see if they would be impacted by the vulnerabilities. This could even be a product that they could sell to help compensate them for the extra work.

1 comment:

Jake Brodsky said...

Your lament dovetails very much toward what many call a software "bill of materials." The existence of OPC software is usually a good guess, but it gets worse. If someone publishes Ripple20 or Amnesia:33 regarding flaws in a TCP/IP stack, how is some hapless end user with no OT staff supposed to know to look for these vulnerabilities?

The only answer is to have a list of libraries and software components required to build the embedded systems or the application software. This is no different than lists of ingredients in food, footnotes and references in a scholarly paper, or schematics on user-serviceable electronics.

For example, a recent vulnerability regarding the node.js library would probably not be noticed by most of industry. Do they have this? Well, unfortunately, they probably do. The node.js library is often used for Web-based HMI software.

Problems with cryptographic systems can also be a headache. Again, most end users have no idea if they have the software and if so, where it may be.

This is one instance where legislation and regulation should be carefully crafted to inform end-users. We worry about peanuts in lists of ingredients. Why aren't we worried about toxic protocol drivers?

 
/* Use this with templates/template-twocol.html */