Narrowing Down Potential Zero Days

Thursday, April 19, 2018 @ 05:04 PM gHale

By Robert Landavazo

It seems axiomatic that a Zero Day vulnerability is undefendable.

At the moment a particular exploitable bit of software code is discovered by a malicious hacker and the clock starts ticking from zero-day forward, clearly, by definition, there is no protective patch or workaround yet available. That means the hacker has free rein to wreak havoc while the good guys work frantically to play catch up.

Indeed, Zero Day attacks against industrial control systems are a growing threat, with nearly as many known attacks in 2017 alone as in all the years before combined. And it seems to be a trend that, unfortunately, will be increasing.

Not to throw all operational technology (OT) network gear and SCADA device manufacturers under the bus, it seems evident there are some well-known products that hit the market with inherent vulnerabilities. There are also some manufacturers who seem less than interested in creating patches in a timely manner, if at all.

A good illustration of the state of the environment can be inferred from some of the verbiage in the FY2018 Intelligence Authorization Act, which seeks to help secure critical infrastructure in industrial environments.

In one of the subsections, Congress instructs the National Laboratories — which one would think should be on the cutting edge of technology — to investigate the use of analog control systems rather than digital relays in order to avoid Zero Day attacks.

In other words, the idea of throwing away five decades of advancements and returning to the days of non-networked electromechanical relays seems to be on the table as a reasonable solution. If that doesn’t show a lack of confidence in industrial product manufacturers when it comes to cyber security, I don’t know what does.

It seems clear the responsibility for stopping attacks lies not with the manufacturers of the individual devices, but with the individual operators of OT networks. After all, it is their organization that is going to take the primary hit and suffer the financial, legal and reputational fallout. Industrial cyber security should be looked at as an “aftermarket” issue, with operators working to make optimum use of internal and third-party resources to keep their networks secure.

Known Vulnerability Attacks
Zero Day attacks are scary. And dramatic. Action movies love to show the basement hacker or the enemy government spy effortlessly gaining illicit control of the power plant computers and gleefully destroying the electric grid, whether for ransom or for terrorism purposes.

In the real world, however, such Zero Day exploits, although increasing, are still relatively rare. More common are attacks against vulnerabilities that are well documented and for which patches exist, or are otherwise more readily defendable.

To be frank, with OT a lot younger as an industry and working hard to grow and evolve in the realm of cyber security, the current sophistication level in the field is akin to where enterprise IT might have been around ten years ago. Too often, professional, expert OT teams are not yet fully established and deployed. Products are not thoroughly tested and vetted for the actual environment before being installed. Crucial data moving across the plant floor is not encrypted. There are precarious, exploitable connections to other networks.

In other words, in some organizations there may be lower-hanging cyber security fruit to worry about first, and many robust product and service solutions for it are readily available. For example, nearly every plant should ensure its OT environment has taken the following actions:

Discover Your Assets — Inventory and catalog all devices, including make/model/firmware version, to determine what is doing what and whether it is optimized for current needs.

Secure Your Network — Identify points of external connectivity, installing or upgrading firewalls to isolate industrial control systems from corporate networks and the internet.

Monitor Your Endpoints — Gain visibility into what’s happening at the endpoints of the network, so you are aware of activity over time, both normal and nefarious.

In addition, all OT network operators should subscribe to alerts, advisories, reports and other invaluable resources.

Go on Offensive
These basics of cyber security are vital, and they will take OT leaders far, but only so far. The inherent problem with the way vulnerabilities are traditionally mitigated is the need to be locked in the mindset of playing continuous catch-up.

The bad guys find a vulnerability, and the good guys work aggressively over days, weeks or even months to mitigate it. And the cycle repeats.

One obvious way to be strategically proactive rather than continually reactive is to make greater use of ethical hacking techniques and internal programs focused on cyber security, so that more and more potential “exploitabilities” can be discovered and mitigated before the bad guys even know they exist.

These actions can be effective in cutting down the potential universe of Zero Day vulnerabilities, with the catch-up game at least played with friends rather than foes.

Even more promising perhaps are emerging network protection products that rely not on the need for patches but, rather, detect anomalies in network traffic regardless of the existence of a patch. Thus, as they perform deep packet inspection (DPI) of traffic, they are looking not to identify known signatures of known problems, but instead for patterns inconsistent with normal usage and indicative of attempts to exploit the network. Therefore, there is no need to wait on a patch, and the endless, ineffectual cycle of being attacked and playing catch up is broken.
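The anomaly-based approach described above, and the asset inventory from the earlier list, can be illustrated with a small baseline detector. This is an added example, not code from the article or from Tripwire; the log line format, the IP addresses and the Modbus function codes are constructed sample data. It learns which hosts talk to which, with which protocol function, during a quiet learning window, then flags live traffic that does not fit that pattern (unknown host, new peer pair, or a new function code such as a write to a PLC that was only ever read), without any signature for a specific exploit.

```python
import re
from dataclasses import dataclass

# Constructed log format (assumption): "<timestamp> <src> -> <dst> <proto> fc=<n>"
LINE_RE = re.compile(r"^\S+ (\S+) -> (\S+) (\w+) fc=(\d+)$")

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    func: int  # protocol function code, e.g. Modbus 3 = read, 16 = write registers

def parse(lines):
    """Turn constructed log lines into Flow records; malformed lines are skipped."""
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            flows.append(Flow(m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return flows

def learn_baseline(flows):
    """Record every (src, dst, proto, func) tuple and every host seen during normal operation."""
    hosts = {h for f in flows for h in (f.src, f.dst)}
    return {"flows": set(flows), "hosts": hosts}

def detect(baseline, flows):
    """Return (flow, reason) alerts for live traffic that deviates from the baseline."""
    alerts = []
    for f in flows:
        if f in baseline["flows"]:
            continue  # exactly matches normal usage
        if f.src not in baseline["hosts"] or f.dst not in baseline["hosts"]:
            reason = "unknown host (not in asset inventory)"
        elif any(b.src == f.src and b.dst == f.dst for b in baseline["flows"]):
            reason = "new function code between known peers"
        else:
            reason = "new peer pair"
        alerts.append((f, reason))
    return alerts

# Constructed learning window: two HMIs polling two PLCs with read-only function codes
BASELINE_LOG = ["2018-04-19T08:00:01 10.0.1.10 -> 10.0.2.5 modbus fc=3",
                "2018-04-19T08:00:02 10.0.1.10 -> 10.0.2.6 modbus fc=3",
                "2018-04-19T08:00:03 10.0.1.10 -> 10.0.2.5 modbus fc=4",
                "2018-04-19T08:00:04 10.0.1.11 -> 10.0.2.5 modbus fc=3"]
# Constructed live traffic: one normal poll, then three deviations
LIVE_LOG = ["2018-04-19T09:00:01 10.0.1.10 -> 10.0.2.5 modbus fc=3",
            "2018-04-19T09:00:02 10.0.1.10 -> 10.0.2.5 modbus fc=16",
            "2018-04-19T09:00:03 10.0.1.11 -> 10.0.2.6 modbus fc=3",
            "2018-04-19T09:00:04 10.0.9.99 -> 10.0.2.5 modbus fc=3"]

def run():
    return detect(learn_baseline(parse(BASELINE_LOG)), parse(LIVE_LOG))
```

In a real deployment the baseline would be learned over a long enough window to include maintenance and shift changes, otherwise legitimate but infrequent activity shows up as an alert.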

Robert Landavazo is a systems engineer at Tripwire where he focuses on securing Industrial Control Systems.