How serial-to-Ethernet converters help attackers breach cyber-physical assets

  • Cynalytica
  • August 29, 2021
Courtesy of Brett Sayles

In industrial automation, serial-to-Ethernet converters/gateways and serial device servers are a widely used method for enabling remote communications and monitoring of devices that only support serial interfaces such as RS-232, RS-485, and RS-422, to name a few. The devices are typically used to convert serial to Ethernet protocols (and vice versa) in order to migrate legacy industrial control system (ICS) networks to modern Ethernet TCP/IP networks and enable interoperability within operational technology (OT) environments.

In an age where digital transformation heavily influences critical infrastructure’s initiatives, serial-to-Ethernet converters provide ICS operators with a cost effective and easy-to-use solution to achieve operational efficiency. However, as the ICS threat landscape rapidly broadens, they have proven to be a double-edged sword for asset owners – by presenting malicious threat actors with a gateway to high-risk cyber-physical devices.

Background of serial communications in ICS

Serial communications have been deployed in industrial automation since the 1960s and, despite the development of newer digital standards, are still used in ICS thanks to their simplicity and efficiency. Recent industry estimations suggest 30-60% of ICS still rely on legacy serial protocols such as Modbus, Profibus, and DNP3, which were developed in 1979, 1989, and 1993, respectively. These protocols are intrinsically insecure because they were not developed with security in mind. Although newer and more secure communication technologies, such as Ethernet, are now available, industrial automation manufacturers often choose to support connectivity based on RS-232, RS-485, and RS-422 serial interfaces because they are inexpensive and universally supported. Furthermore, many ICS environments still operate obsolete legacy controllers due to the expense and significant downtime associated with replacing them.

Background of serial-to-Ethernet converters in ICS

Nowadays, the standard network communication is routable TCP/IP, which means a significant number of OT networks depend on both TCP/IP and serial communications. Before TCP/IP existed, connectivity to field devices was restricted to localized networks; engineers were required on-site to investigate incidents and carry out network maintenance and updates. While the introduction of TCP/IP helps establish remote connectivity, it cannot be fully achieved within a network that has serial-connected devices – this is where serial-to-Ethernet converters come in.

Serial-to-Ethernet converters, as the name suggests, connect legacy serial-connected devices to a local area network (LAN) by converting serial to TCP/IP (and vice versa) and enable two-way communications for remote access and monitoring. The devices range in security, capability, and implementation, and can be found in any ICS environment that remotely communicates with its serial-connected assets. There are various types of serial-to-Ethernet converters, such as:

  • 1-port models which enable remote connection to a single serial device
  • Multiple port models (also known as device servers) which enable remote connection to multiple serial devices

There are also different implementations for the converters based on the serial port’s physical layer (RS-232, RS-485/422, etc.) and they are often protocol specific.

As exemplified by the sheer volume of serial-to-Ethernet converters within ICS, the technology brings undeniable value to operators who are attempting to enhance their OT network efficiency and increase productivity – albeit at the expense of their network security.

Courtesy: Cynalytica

Network cybersecurity challenges

Legacy serial communications present profound security challenges to ICS because the protocols were devised before modern cyber threats existed; thus, no emphasis was placed on security. Legacy serial protocols do not support encryption or authentication of commands, and are unable to securely log the commands sent to devices. Consequently, they are susceptible to tapping, interception, replay attacks, and malicious, unauthenticated command execution.

This lack of security protection is exacerbated when a routable network device that enables two-way communications is introduced; legacy devices will accept any command from a converter with no authentication of the message due to the security flaws mentioned above.

As Billy Rios (CEO of WhiteScope) said in an interview with Security Ledger entitled Serial to Ethernet Converters are the Huge Critical Infrastructure Risk Nobody Talks About (Paul Roberts April 11th, 2016):

“Once you have access to the converter, it's game over.” “The devices attached to it will do whatever you tell them to do.”

This is not to say that serial-to-Ethernet converters lack built-in security features of their own. Depending on the vendor, some provide more security features than others, but this comes at a cost. Also, the converters with security features are still not entirely immune to exploits and require a degree of vigilance from vendors and operators alike. Over the past few years, ICS-CERT has published advisories relating to several serious vulnerabilities found in serial-to-Ethernet converters – this alone should perturb ICS asset owners.

If a device’s software is not sufficiently patched and updated, it can lead to serious security issues. Astonishingly, a quick search on Google will show an array of security-related incidents such as leaked passwords and vendors' inadequate responses in addressing the problems. With that in mind, it’s little wonder that Reid Wightman, director of Digital Bond Labs, told Security Ledger:

“We’ve always told customers to treat these products as if they’re totally vulnerable to anything.” – “I haven’t encountered a serial converter yet that is very secure.”

Serial-to-Ethernet converters’ roles in previous cyber incidents

Ukraine 2015: On 23 December 2015, the first known successful cyberattack on a power grid took place. Attackers successfully compromised ICSs of three energy distribution companies in Ukraine and shut off power at 30 substations, leaving 230,000 people without electricity for up to six hours. A DHS report stated that the adversaries:

“Rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware.”

Although it is unclear if the converters in question had any security features, it is evident that the hackers leveraged the devices to achieve their overall goal – which was to exploit the substations’ legacy field devices.

How to mitigate the risks associated with serial-to-Ethernet converters

To ensure safe and reliable industrial processes, asset owners must enforce strict cybersecurity hygiene policies that follow the relevant NERC CIP ICS cybersecurity compliance guidelines. It also goes without saying that procedures for implementing security patches need to be strictly observed in order to prevent known vulnerabilities from being exploited. Nevertheless, even with the most observant operators, an ICS is still vulnerable to attack so long as it uses serial-to-Ethernet converters to communicate with its legacy devices. Consequently, it is critical for operators to validate the data along the serial bus in order to accurately monitor a legacy device’s behavior.

On the back of a string of high-profile cyber-physical attacks, the DOD and ICS security practitioners are now advocating passive monitoring of legacy field devices at level 0/1 (between field devices and controllers) – ‘passive’ meaning the appliance cannot write to the line and inadvertently introduce an attack vector to the device it is monitoring. Additionally, level 0/1 monitoring provides a solution to spoofing attacks/false feedback attacks. As seen in previous cyber-physical incidents, adversaries can intercept data points received by SCADA and send false data representing normal operations to monitoring tools while writing malicious commands to the field device. Therefore, operators should not trust serial-related data points unless they are tapped directly from the serial line by a secure device.
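The two points above, that a legacy serial protocol carries no authentication and no secure command log, and that a passive level 0/1 tap is the only trustworthy source for comparing what the field device actually received against what SCADA reports, can be made concrete with a small analyser for Modbus RTU frames. The following is an added example written for this page, not code from Cynalytica or from the article; the frame contents, register addresses and the SCADA values are constructed, and the only protocol facts it relies on are the public Modbus RTU frame layout (unit id, function code, data, CRC-16 low byte first) and the standard CRC-16/MODBUS algorithm. It validates each tapped frame's CRC, records every write command as an audit line (the record the protocol itself cannot provide), and flags registers whose value on the wire differs from the value SCADA is displaying.

```python
"""Passive Modbus RTU tap analyser (constructed example, not project code).

Frames are assumed to come from a read-only tap on the RS-485 line between a
serial-to-Ethernet converter and a field device. Nothing here writes to the line.
"""
from dataclasses import dataclass

# Function codes that change device state; everything else is treated as a read.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def modbus_crc(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(unit: int, function: int, payload: bytes) -> bytes:
    """Assemble a Modbus RTU frame; the CRC goes on the wire low byte first."""
    body = bytes([unit, function]) + payload
    crc = modbus_crc(body)
    return body + bytes([crc & 0xFF, crc >> 8])


@dataclass
class Frame:
    unit: int
    function: int
    payload: bytes
    crc_ok: bool


def parse_frame(raw: bytes) -> Frame:
    """Split a raw frame into fields and check its CRC; never raises on a bad CRC,
    because a noisy or tampered frame is itself something worth logging."""
    if len(raw) < 4:
        raise ValueError("frame too short to be Modbus RTU")
    body, crc_bytes = raw[:-2], raw[-2:]
    received = crc_bytes[0] | (crc_bytes[1] << 8)
    return Frame(body[0], body[1], body[2:], modbus_crc(body) == received)


def audit_writes(frames: list[bytes]) -> list[str]:
    """One log line per write command (or CRC failure) seen on the tap.
    The protocol carries no sender identity or authentication, so this tap log
    is the only record of what was written to the field device."""
    log = []
    for raw in frames:
        f = parse_frame(raw)
        if not f.crc_ok:
            log.append(f"unit {f.unit}: CRC failure (line noise or tampering)")
            continue
        if f.function in WRITE_FUNCTIONS:
            addr = int.from_bytes(f.payload[:2], "big")
            # Second word is the value for FC5/FC6 and the quantity for FC15/FC16.
            arg = int.from_bytes(f.payload[2:4], "big")
            log.append(f"unit {f.unit}: {WRITE_FUNCTIONS[f.function]} addr={addr} arg={arg}")
    return log


def registers_from_response(f: Frame, start_addr: int) -> dict[int, int]:
    """Decode an FC3 (Read Holding Registers) response into {address: value}.
    start_addr must be taken from the matching request seen earlier on the tap."""
    count = f.payload[0]
    data = f.payload[1:1 + count]
    return {start_addr + i: int.from_bytes(data[2 * i:2 * i + 2], "big")
            for i in range(count // 2)}


def detect_false_feedback(tapped: dict[int, int], scada_view: dict[int, int]) -> list[int]:
    """Registers whose value on the serial line disagrees with what SCADA shows."""
    return sorted(addr for addr, val in tapped.items() if scada_view.get(addr) != val)


def run_demo() -> tuple[list[str], list[int]]:
    """Constructed scenario: SCADA still shows register 100 at 1500 while the tap
    sees a write of 0 to that register followed by a read response confirming 0."""
    tap_capture = [
        build_frame(1, 3, bytes.fromhex("0064 0002")),          # read 2 regs from 100
        build_frame(1, 6, bytes.fromhex("0064 0000")),          # write 0 to reg 100
        build_frame(1, 3, bytes([4, 0x00, 0x00, 0x00, 0x07])),  # response: 100=0, 101=7
    ]
    tapped = registers_from_response(parse_frame(tap_capture[2]), 100)
    scada_view = {100: 1500, 101: 7}  # constructed values reported to the HMI
    return audit_writes(tap_capture), detect_false_feedback(tapped, scada_view)


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
    print("registers disagreeing with SCADA:", run_demo()[1])
```

In a real deployment the tap feed would be a serial port opened read-only on a monitoring appliance, and the SCADA view would come from the historian; the comparison logic stays the same. The CRC check matters for more than noise: a frame that fails it is discarded by the field device, so counting CRC failures separately keeps the write audit honest about which commands actually took effect.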

This article was originally posted on Cynalytica’s blog. Cynalytica is a CFE Media content partner. Edited by Chris Vavra, web content manager, CFE Media and Technology, cvavra@cfemedia.com.

Cynalytica, Inc., is a partner member of the Control System Integrators Association (CSIA). For more, visit the company profile on the Industrial Automation Exchange.

Original content can be found at cynalytica.com.

