Rockwell on the Cyber Rocks

Last July, Rockwell Automation reported a security vulnerability in one of its products. So far, not a big deal as this happens to all device manufacturers at one time or another.

Collaborating with the U.S. government, the company identified a state-backed hacking operation with the capability to run malicious code on industrial controller communication modules. While issuing an advisory urging its customers to patch, Rockwell neglected to disclose the hacking group’s identity. Nor did it confirm any known exploit, knowledge of which is vital to the user community since this type of vulnerability is usually not detected until it is exploited. Perplexingly, this was also the stance of the US Cybersecurity and Infrastructure Security Agency (CISA).

While offering some insight into the targeting of its threatened industrial controller, Rockwell’s advisory seemed to hint at the existence of additional, unacknowledged vulnerabilities by issuing a subsequent advisory and patch for the same controller, obviously targeting additional unpublished vulnerabilities.

Complete and Timely Disclosure
The lack of support information regarding discovered vulnerabilities is problem enough for users of targeted devices. But this case exemplifies a much bigger problem than a mere vulnerability in a critical OT component.

While it is true that many serious security vulnerabilities become known only after successful attacks have already been carried out or when cyber researchers stumble upon them, something here is wrong.

Formal processes and procedures have been developed to provide responsible disclosure to the user community upon a cyber incident in the wild. We can all understand that the equipment manufacturer requires some reasonable period of time to uncover the nature of a vulnerability in its device and the method to mitigate it. We can even accept a certain degree of discretion by the manufacturer who wants to prevent threat actors from learning about the hack and attempting to exploit it elsewhere. But while they are oblivious to the danger and the method to respond to it, users of the vulnerable equipment remain at risk – especially when the vulnerability impacts critical infrastructure. But what happens when the manufacturer along with the supervising government agency are reluctant to provide adequate and timely information?

In this specific case, Rockwell eventually addressed the security gaps, but did not address which specific components were affected nor what should be done to protect them. Operators of the Rockwell controllers were left in the dark for an unacceptable, risky, period of time.

Researchers to the Rescue

Upon noticing that insufficient information was forthcoming from Rockwell and CISA that would enable industrial security practitioners to verify the vulnerabilities and their possible impacts, independent security researchers conducted forensics by studying the differences between the pre- and post-patched devices, enabling them to discern the root cause and potential impact of the vulnerability. As a result, effective resolution, in the form of several patches, was determined, but no additional formal comment was released from Rockwell, leaving critical-infra operators in the dark.

Safeguarding the Future
The public depends on operators of critical infrastructure to operate the devices in their ICS networks securely. In turn, operators rely on device manufacturers. They require, at the very least, enough information from device manufacturers to be able to assess whether and to what extent their operations are affected by a vulnerability and what options for response are available. Furthermore, security researchers should not have to invest their own resources to verify what is already known to the manufacturer just because of the latter’s fear of potential attackers who could also use the information – especially when hacker groups probably already have the relevant information before the vulnerability is published or the necessary resources to obtain it.

Practical Steps for Manufacturers and Operators

We recommend these two steps to manufacturers:

1. Critical cyber threat intelligence must be distributed via timely reports on industrial control system vulnerabilities with emphasis on which devices are implicated.
2. Timely information on potential risks to these devices along with patches/mitigating controls will allow us to reduce that risk.

We recommend these two important steps to operators:

1. Implement a strong threat detection system that

• • • Provides visibility across the entire OT estate including all of its devices
    • Detects anomalous behavior to protect against unknown as well as known vulnerabilities

2. Implement a risk management program that unobtrusively

• • • Simulates actual network behavior
    • Calculates overall, per-zone, and per-device risk
    • And calculates the effect of specific mitigation measures on that risk

Let’s work toward a cyber-safer tomorrow!

Contact Radiflow to learn more about iSID, CIARA, and OT cybersecurity services.