48 hours to compromise: why your shields need to stay up

Brand new industrial security researchers found a zero day in an industrial device in just 48 hours. If they can find it, so can attackers. Here's what that means for your security program.

Are you at threat level orange? Are your Shields Up? Are they still up? EVEN MOAR UP?

It's expensive and exhausting. Does it even make sense?

Unfortunately – and it pains me to say this – the answer is yes. Yet another new vulnerability advisory from CISA helps explain why this is the new normal for critical infrastructure.

Within 48 hours, two young researchers with little experience in the OT/ICS world found a zero day in a Moxa Ethernet-to-serial converter running the newest firmware. Three days later, they found another zero day in the same device, a device used in industrial facilities around the world, and the same device that malicious hackers abused in the 2015 Ukraine power cyberattack that left almost 250,000 people without electricity in winter.

"Successful exploitation of these vulnerabilities could allow an attacker to change memory values and/or cause the device to become unresponsive," the CISA advisory says. "The affected product is vulnerable to an out-of-bounds write that may allow an attacker to overwrite values in memory, causing a denial-of-service condition or potentially bricking the device."

Attackers using these new vulnerabilities could take out visibility and communications, as attackers did in Ukraine in 2015. In combination with other tactics, these vulnerabilities could be useful to nation-states looking to cause trouble for critical infrastructure. The attack has low complexity and is exploitable remotely, and in some cases it will brick the device and/or require a physical reset (as in "go power cycle the device in person") before operations can continue. If you check, you will find plenty of these devices attached to the Internet.

"The findings suggested that the combination of the two vulnerabilities could enable an attacker to duplicate the [2015 Ukraine] attack, but on the latest current software available," said Mikael Vingaard, who hired the researchers to work on his newly minted ICS Range, an online training platform for industrial security.

These vulnerabilities alone would not necessarily be able to stop operations or do something catastrophic like causing an explosion, according to the information in the CISA advisory. But they are an example of how easily attackers can cause trouble in critical infrastructure, of how vulnerable we are, and why we can't put "shields down." And this is just one example of many vulnerabilities on industrial devices that are found every year.

Yes, it's frustrating to keep shields up. We all have vulnerability, patching, threat analysis, and information sharing fatigue. But the consequences of failure are severe – especially for critical infrastructure.

We didn't budget or resource for this new normal of perpetual shields up. Our security programs weren't designed for this load. They should be. Finding a way to be comfortable with this new baseline is necessary. Soon, you will be asked to raise the shields even higher.

Lastly, kudos to Moxa for working with researchers, patching, and issuing new firmware.
