The Living Dead: Securing Legacy Industrial Systems

Image

I’ve spent a lot of time in the depths of aging industrial power plants and the control houses of transmission substations. I’ve walked the aisles of countless steel cabinets taking inventory of the gear used to protect and control what’s been described as the most complex system on earth. Within these cabinets can be found a smattering of equipment both new and very old, sharing the same space. Interspersed between the modern switch and routing gear can be found what are typically referred to as Intelligent Electronic Devices (IEDs) of varying age. Some name plates have manufacture dates from the 70s, while others have one that falls within any era in-between then and now. Meticulous cable management indicates to me that a lot of care went into the construction of these critical facilities but it’s obvious that much of the infrastructure goes untouched for long periods of time. A typical best case refresh rate for IT departments varies between two and four years for end-user equipment like workstations and printers, and similarly four to six years for core network infrastructure like servers, switches, routers and firewalls. This is a far cry from what is typical for Industrial Control Systems (ICS) whose network components and IEDs (which are made up of programmable logic controllers, relays, sensors, etc.) are often not replaced until they fail (which is rare) or a forklift upgrade occurs (equally rare). These systems flew under the radar of would-be attackers for many years until these systems began to be interconnected to external networks; they are more commonly no longer “air-gapped.” This newly established connectivity allows for convenience to facilitate remote access by engineers and telemetry data to be shared amongst partners either voluntarily or by requirement. This, of course, exposes these once-disconnected networks to the internet in some form or fashion, and we, of course, all know that the internet is the playground for nefarious individuals. This now-vulnerable aging fleet of IEDs has become a clear target for not only nation-states with vast resources but also your average attacker. The age-old mentality adopted by teams managing the technology behind ICS that there was no need to upgrade firmware of their devices has not aged well. It’s not uncommon for even the most obscure IED to have had a security patch released over its lifetime. Once these vulnerabilities are made public, tools to easily exploit them become available in short order. Attacks on control systems are on the rise – over the past 10 years, we’ve seen an exponential increase in ICS targeted attacks. Using a vulnerability discovery and management tool like Tripwire’s IP360 can help discover unknown weak targets (with outdated firmware, for example) in your environment. Tripwire IP360, in conjunction with Tripwire Enterprise or Tripwire Configuration Compliance Manager, can help prioritize which systems require immediate attention by correlating discovered vulnerabilities to common misconfigurations on endpoints. This deep visibility can give insight into systems that were previously very difficult to obtain. Now that I’ve laid the groundwork for you, it’s easy to see how our most important systems are becoming an easy target. Securing ICS is a daunting task, but leveraging tools like Tripwire to learn more about your environment (like what firmware is my fleet of PLCs running and which are most vulnerable) can be a great starting point in prioritizing your action plan and reducing your attack surface. The next time you find yourself taking inventory of your systems, ask yourself “Am I aware of all external connectivity to this device?” and “When is the last time someone has checked for the availability of a patch for it?” You might be unpleasantly surprised.