The Cybersecurity and Infrastructure Security Agency (CISA) has always made recommendations along the lines of keeping the attackers out, performing cyber hygiene and detecting attacks, but it has rarely recommended that the monitoring and control of the physical process itself be secured.
The best example of this is the recent INCONTROLLER/PIPEDREAM malware and CISA’s related Alert (AA22-103A), “APT Cyber Tools Targeting ICS/SCADA Devices”:
“The tools enable them to scan for, compromise and control affected devices once they have established initial access to the operational technology (OT) network.”
This is because the programmable logic controllers (PLCs), controllers and other Level 1 devices, as well as the industrial control system (ICS) protocols, are insecure by design. Access to operational technology (OT) equals compromise; what limits the attacker is their engineering and automation skill, and the input/output (I/O) and physical process implementation, not their security or hacking skill.
This has been known for more than 20 years and was vividly demonstrated 10 years ago in Project Basecamp. The community and society have been lucky that we haven’t often seen this intentional and continuing design decision exploited by an extensible attack platform.
What has been missing for 20 years is the entity with the biggest megaphone, the U.S. government — now in the form of CISA — saying that we need basic source and data authentication and authorization in Level 1 devices and ICS protocols. The CISA alert fails to say this. Instead, they suggest some useful, and some less useful, cyber hygiene tasks to 1) reduce the likelihood of an attacker getting that initial access into the OT environment, and 2) increase the chances of the attack being detected after compromise.
The alert never addresses the core weakness that the attacker’s ICS target is lacking the most basic security controls. You don’t need to hack it. Just send it legitimate, documented commands. “Read the manual” is PLC and process hacking.
The missing bullet in the CISA alert’s mitigations is:
- Develop and deploy a strategy to upgrade to secure ICS protocols and upgrade insecure legacy PLCs, controllers and other Level 1 devices.
One could be sympathetic to the view that a strategy requiring 1-3 years of focused attention is not actionable enough to be included in an alert’s mitigations, and that alert recommendations should focus on immediate actions. If this is the case, we should see this fundamental security problem prominently addressed in other CISA and U.S. government documents. Let’s look.
CISA Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives
Yes, it is mentioned in this document. Given this is the preeminent document according to CISA Director Jen Easterly, this is a positive sign. It’s addressed in the System and Data Integrity, Availability and Confidentiality section with this bulleted text:
“Ensure that data in transit is protected against unauthorized access or manipulation.”
“Sample Evidence of Implementation: Organization requires all control system data transmissions employ end-to-end encryption using transport layer security (TLS) to protect data in transit; legacy equipment that is unable to leverage encryption is prioritized for upgrade or replacement.”
This is the first time I’ve seen the U.S. government recommend that asset owners upgrade or replace Level 1 devices to get past insecure-by-design. Now, it is one of many objectives and buried a bit deep. And there is serious debate on whether wrap-it-in-TLS is really the best way to meet the integrity, rather than confidentiality, needs in ICS. Whether it is wise or not, Modbus Secure, CIP Secure and other ICS protocol efforts show that the wrap-it-in-TLS approach is carrying the day.
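To make the “read the manual” point above concrete, and to show what a TLS wrapper is being asked to add, here is an added example that is not part of Dale Peterson’s post or any CISA document. It decodes constructed Modbus/TCP frames (the seven-byte MBAP header plus the PDU), which contain no field for a sender identity, a credential or an integrity tag, and then runs the only control an asset owner has left on plain Modbus: a monitoring allowlist of hosts permitted to issue write function codes. The IP addresses, the allowlist and the frames are all constructed for the example; the function code numbers come from the public Modbus Application Protocol specification.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (numbers from the public
# Modbus Application Protocol specification; the selection is this example's).
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Decode a Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    Every field is documented and every field is chosen freely by the sender.
    There is no credential, sender identity or integrity tag anywhere in the
    frame, which is the insecure-by-design property the post describes.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    # MBAP length counts unit id + function code + data (everything after byte 6).
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusFrame(transaction_id, unit_id, frame[7], frame[8:])


def describe(frame: ModbusFrame) -> str:
    """Human-readable summary; fully decodes the two single-write PDUs."""
    name = WRITE_FUNCTION_CODES.get(frame.function_code, f"FC {frame.function_code}")
    if frame.function_code in (5, 6) and len(frame.data) == 4:
        address, value = struct.unpack(">HH", frame.data)
        return f"{name} addr=0x{address:04x} value=0x{value:04x}"
    return name


def is_write(frame: ModbusFrame) -> bool:
    return frame.function_code in WRITE_FUNCTION_CODES


def audit_captures(captures, allowed_writers):
    """Flag write requests from hosts not on the engineering-station allowlist.

    captures: iterable of (src_ip, dst_ip, raw_frame) tuples.
    allowed_writers: set of source IPs permitted to issue write commands.
    Returns a list of alert strings; read-only traffic produces no alert.
    The limit of this control is the post's point: it tells the operator which
    host sent a write after the fact, but cannot make the PLC refuse it, since
    plain Modbus gives the PLC nothing to authenticate.
    """
    alerts = []
    for src, dst, raw in captures:
        try:
            frame = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus frame ({exc})")
            continue
        if is_write(frame) and src not in allowed_writers:
            alerts.append(
                f"{src}->{dst}: unit {frame.unit_id} {describe(frame)} "
                "from non-allowlisted source"
            )
    return alerts


# Constructed sample traffic (not a real capture). Byte layout:
#   tid(2) proto(2) length(2) unit(1) | fc(1) data...
SAMPLE_CAPTURES = [
    # Engineering station reads 10 holding registers starting at 0 (FC 3).
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Engineering station writes 0x1234 to holding register 0x0010 (FC 6).
    ("10.0.1.10", "10.0.2.5", bytes.fromhex("0002 0000 0006 01 06 0010 1234")),
    # The same documented write command from an unexpected host (FC 6).
    ("10.0.1.77", "10.0.2.5", bytes.fromhex("0003 0000 0006 01 06 0010 0000")),
]
ALLOWED_WRITERS = {"10.0.1.10"}  # hypothetical engineering workstation


if __name__ == "__main__":
    for alert in audit_captures(SAMPLE_CAPTURES, ALLOWED_WRITERS):
        print(alert)
```

The third frame is byte-for-byte as legitimate as the second; the only thing that distinguishes them is where they came from, and the allowlist check is a network-side inference about that, not something the PLC verifies. Closing that gap at the device is what the wrap-it-in-TLS protocols mentioned above are for.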
An opportunity was missed with INCONTROLLER/PIPEDREAM to highlight “legacy equipment that is unable to leverage encryption is prioritized for upgrade or replacement.” It would have been great to hear on “60 Minutes” that every CEO with a control system should be asking their CISO or VP of operations about their plan to upgrade ICS components that lack basic security.
Without CISA highlighting and pushing this issue, that we actually have to secure the ICS itself, this will be an easy goal to set aside. It has been set aside for two decades already, even though leaving it unaddressed makes many of the other security goals inside the OT network of little value. To use CISA’s own words, “The tools enable them to scan for, compromise and control affected devices once they have established initial access to the operational technology (OT) network.”
CISA Securing Industrial Control Systems
Maybe … There is a bullet/goal that new OT products are secure by design. Later in the text the SCADA Apologist appears: “traditional ICS can have 30-year lifecycles.” It’s a very broad, vision-type document that could be read any way you like. It does not throw down the gauntlet saying legacy equipment needs to be upgraded or replaced.
CISA Recommended Cybersecurity Practices for Industrial Control Systems
No … If you are an optimist, you can feel good about “legacy equipment that is unable to leverage encryption is prioritized for upgrade or replacement” in the Performance Goals. Someone with authority finally said it, rather than falling back on how this is hard and will take decades. If this had been said and meant two decades ago, we could say we are securing ICS.
If you are a pessimist, it is one goal amongst many and hasn’t been highlighted. Cyber hygiene, especially patching and monitoring, is where the mindshare and communication effort are going. INCONTROLLER/PIPEDREAM provided a powerful opportunity to push the point that we actually need to secure the communications and devices that monitor and control these critical infrastructures. For whatever reason, CISA was silent on how this demonstrates the need to “upgrade or replace” insecure-by-design systems.
For better or worse, CISA has the biggest megaphone in the U.S. and arguably the world. CISA not pushing for the root cause of the ICS security problem to finally be addressed, 20 years late, means that only the enlightened few will pursue securing ICS in the near future.
Original content can be found at Dale Peterson.