OT/ICS Secure by Design

The pros don’t bother with vulnerabilities; they use features to compromise the ICS

Ralph Langner

I found this quote in Dale Peterson’s blog. I strongly agree with it, because many ICS/OT devices still suffer from insecure-by-design features. However, that doesn’t mean that NIST vulnerabilities and CVEs don’t matter! They do matter, and they can sometimes lead to serious harm. The goal in OT/ICS security is not to focus on the NIST database only; design issues must also be a high priority, and something must be done about them. Asset owners and vendors should focus on both types of vulnerabilities [2]. Relying on NIST CVEs for OT/ICS is only scratching the surface [2]. We security professionals should look through OT/ICS documentation for the features that allow the system to be manipulated, and try to change or hide those features that could lead to an impact or a security incident.

There are other types of vulnerabilities, not just design issues and CVEs, of course. In fact, NIST classifies them in its document 800-82 into six types:

  • Policy and Procedure vulnerabilities
  • Architecture and Design Vulnerabilities
  • Configuration and Maintenance Vulnerabilities
  • Physical Vulnerabilities
  • Software Development Vulnerabilities
  • Communication and Network Configuration Vulnerabilities

In this article, I try to focus on the design type. Why? Recently I saw some OT/ICS vendors trying to develop secure-by-design features in their products. Also, I don’t want to forget the excellent project “Top 20 Secure PLC Coding Practices”, which was a product of OT/ICS community cooperation; many thanks to them. So, back to the vendors: big vendors such as Honeywell, with its implementation of secure boot and a built-in firewall in its PLCs, Siemens, with its application of communication encryption, and other vendors have started to add security features; please go there and have a look. I think they are working to overcome the most critical issue, “insecure design”, and to prepare a more secure future for their customers. Also, I saw a good white paper by Bedrock Automation, where they apply their concept of “intrinsic security”, in other words “secure by design”, to their products. They have listed their secure components as:

  • Metal (For protection)
  • Ports (remove or close unnecessary ports; otherwise authentication is required)
  • Pins and Electromagnetic Interference (EMI)
  • Electromagnetic Pulse (EMP) and Cyber Defense
  • Counterfeiting
  • Cryptography and Strong Encryption
  • Secure boot
  • True Random Numbers
  • Security Hardened Operating Systems
  • Evaluation Assurance Level
  • Anti-Tamper for Cyber Defense
  • Secure Supply Chain and Key Management System
  • Public Key Infrastructure (PKI)
  • Hardware Root of Trust

As we can see, their specs span design, network, software and physical security. I’m not advertising any OT/ICS vendor, but I mention them because it is part of what I do and related to my area of research. I’m not going to rank or analyze these secure features; maybe I will do that in another article. The point of this article: many OT/ICS professionals in the past lost hope of ever seeing “secure by design” come to the surface; see this 2013 blog post for example. That is over! We are finally seeing efforts by OT/ICS vendors in this direction, and that is excellent.

The security features mentioned above are implemented deep down at levels 0-1 of the ICS Purdue model. Other vendors, such as Siga, Mission Secure and Fortiphyd [1], have also started to monitor this level, which could help those that don’t have the new generation of hardware described above. I haven’t covered all vendors, by the way. Those vendors have developed solutions that identify process variable anomalies. It’s like what our friends Nozomi, Claroty and others do, but at a lower level than our friends. Level 0-1 security has been a topic of many OT/ICS experts, such as Joe Weiss, who has been shouting about securing levels 0-1 for a long time [3].
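To make the level 0-1 idea concrete, here is an added example (my own illustration, not code from any of the vendors named above) of the kind of process variable check such monitoring performs: it compares the value the PLC reports upstream with an independent reading of the field signal, and it flags physical changes faster than the process can plausibly move. The sample values, the 2.0 divergence limit and the 5.0 units/second rate limit are all constructed for this example.

```python
"""Level 0-1 process variable anomaly check (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: float         # seconds since start of the window
    reported: float  # value the PLC reports to the HMI/historian (level 1 path)
    measured: float  # value read independently from the field signal (level 0)


def detect_anomalies(samples, max_divergence=2.0, max_rate=5.0):
    """Return a list of (t, reason) findings.

    'divergence': PLC-reported value no longer tracks the independent level-0 reading,
                  the symptom of a manipulated or replayed level-1 value.
    'rate':       the physical signal moves faster than the process physically can,
                  which points to a faulty or manipulated sensor path.
    """
    findings = []
    prev = None
    for s in samples:
        if abs(s.reported - s.measured) > max_divergence:
            findings.append((s.t, "divergence"))
        if prev is not None:
            dt = s.t - prev.t
            if dt > 0 and abs(s.measured - prev.measured) / dt > max_rate:
                findings.append((s.t, "rate"))
        prev = s
    return findings


# Constructed samples: a tank level in percent, sampled once per second.
SAMPLES = [
    Sample(0, 50.0, 50.1),
    Sample(1, 50.2, 50.3),
    Sample(2, 50.1, 50.2),
    Sample(3, 50.0, 58.0),  # measured jumps 7.8 in one second while reported stays flat
    Sample(4, 50.1, 60.5),  # reported value keeps ignoring the field signal
    Sample(5, 50.0, 62.0),
]

if __name__ == "__main__":
    for t, reason in detect_anomalies(SAMPLES):
        print(f"t={t}s: {reason}")
```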

Finally, I leave you with MITRE ATT&CK for ICS. It’s a great database of the techniques and tools adversaries use to attack OT/ICS. It lays out many types of OT/ICS devices and how they get compromised. Go there, learn it and find out what applies to you. Maybe you don’t have a “secure by design” OT/ICS system yet; this database can guide you on how to protect your assets from adversaries.

References:

  1. https://www.linkedin.com/pulse/pivot-process-variable-anomaly-detection-dale-peterson/
  2. https://www.langner.com/2019/03/what-does-insecure-by-design-actually-mean-for-ot-ics-security/
  3. https://www.controlglobal.com/blogs/unfettered/the-ot-paradigm-is-broken-technically-and-culturally-it-must-be-fixed
