In the race to move operational technology (OT) and industrial control systems (ICS) to the cloud, critical vulnerabilities in popular cloud management software from CODESYS and programmable logic controllers (PLCs) made by WAGO Corp. have been uncovered.
The report, from Claroty research arm Team82, uncovered seven new CVEs, three affecting CODESYS software and four affecting WAGO PLCs. The vulnerabilities can be leveraged remotely and let an attacker break into a cloud management console via a single compromised field device, or take over multiple PLCs and OT devices using a single compromised workstation. According to Team82, the vulnerabilities could even allow an attacker to cause physical damage to machines and devices on a compromised network.
SEE: Security incident response policy (TechRepublic Premium)
The nature of the attacks is, in essence, the same as other traditional attacks on cloud-based platforms, said Team82. Web apps can be attacked via SQL injection, path-transversal vulnerabilities and zero-day exploits. Unfortunately for organizations moving their OT to the cloud, none of these exploits were possible when systems were located on site without any internet-facing elements.
In addition to using attacks that all cloud platforms are vulnerable to, Team82 said one of its approaches involves gaining unauthorized access to an operator account “using different methods.” Again, these different methods are likely similar to other attacks used to steal credentials, like phishing, which has been on the rise as more organizations move to cloud-based models to enable remote work.
Team82 detailed two different approaches to gaining access to OT networks and hardware: A top-down approach that involves gaining access to a privileged account and thus a cloud dashboard, and a bottom-up approach that starts by attacking an endpoint device like a PLC from which they can execute malicious remote code.
Regardless of the method, the end result for the attacker is the same: Access to, and control of, an OT cloud management platform and the ability to disrupt devices and businesses. “An attacker could stop a PLC program responsible for temperature regulation of the production line, or change centrifuge speeds as was the case with Stuxnet. These types of attacks could lead to real-life damage and affect production times and availability,” Team82 senior researcher Uri Katz said.
It’s also worth noting that all of the CVEs exposed by Team82 have been patched by CODESYS and WAGO. Be sure to check for updates if your organization uses software or hardware from either company.
Protecting OT networks
There are a lot of good reasons to move OT and ICS management to the cloud: Easier management, reliable business continuity, performance analytics, centralization, remote management and other advantages are all justifications.
“In the past, we’ve learned difficult lessons about other technologies that were quickly evolved and adopted without adequate consideration for security. We’d do well to heed those lessons again, today,” Katz said.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
To that end, Team82 makes the following recommendations for organizations that have already moved to, or are considering, cloud management of OT and ICS networks:
- Every device connected to cloud solutions should be treated as a trusted communication element. Implement supply chain risk management programs that can provide insights into supplier’s security posture and potential vulnerabilities.
- Active monitoring of industrial assets is essential. Be sure to keep track of which existing solutions aren’t cloud connected and regularly check for updates to ensure new software with new capabilities is installed immediately to improve visibility.
- Implement zero-trust architecture to prevent attackers from moving laterally if a network is penetrated.
- In-line exploits are nearly impossible to detect, so ensure you have software in place that can detect lateral movement and actively monitors all traffic from critical assets.
- Security operations centers are often IT-centric. Train them on and have them ready to respond to OT network incidents as well.
When those things aren’t possible, “at a minimum, credentials must be secured using two-factor authentication, roles must be defined, permissions carefully orchestrated, and identities managed as a crucial defense-in-depth step for cloud,” Katz said.