2018-01-05

Protecting Industrial Control Systems from Spectre and Meltdown

The big news today is the Spectre and Meltdown bugs. These vulnerabilities let attack code, even JavaScript running in a web page, steal passwords, encryption keys and session cookies from kernel memory and from other browser windows on nearly all modern computers. The performance hits and code changes needed to fix these bugs are extensive. A lot of costly testing will be needed in the very short term before fixes for Meltdown and Spectre can safely be applied to our ICS/OT/SCADA networks. The only bright spot in this situation is that, as usual, Waterfall customers are taking these developments in stride. Properly designed ICS security programs make it practically impossible for any attack code to reach vulnerable systems. Outside of this community, Spectre and Meltdown will be a major problem.


The Problem 
Meltdown is CVE-2017-5754, and Spectre is CVE-2017-5753 (variant 1, bounds check bypass) and CVE-2017-5715 (variant 2, branch target injection). All three vulnerabilities abuse the speculative execution behaviour of modern CPUs: Spectre affects Intel, AMD and ARM parts, while Meltdown affects Intel processors and a small number of ARM cores. Meltdown lets unprivileged attack code read kernel memory, and so steal information such as passwords and encryption keys, including from a guest on a shared cloud host in some virtualization configurations. Spectre lets such code read memory it should not be able to reach within the same process, and in the case of variant 2 across process boundaries as well. In a browser, for example, a malicious ad can read passwords and session cookies belonging to banking or e-commerce pages.

Weaponizing these vulnerabilities against industrial control systems is straightforward. Spectre lets attackers steal remote access credentials and hijack Microsoft Edge, Google Chrome, Mozilla Firefox and other browser-based remote access sessions. Once an attacker has a foothold on an ICS network, Meltdown lets attack code steal system-level credentials and encryption keys from the kernel, and in some virtualization configurations from other virtual machines on the same host, enabling escalation of privilege.

Security Updates 
The fixes for these vulnerabilities are challenging. The fix for Meltdown, which unmaps the kernel from user-space page tables (KPTI on Linux), slows down system-call-intensive applications by up to 30%, including applications that do a lot of disk or network I/O. The fix for Spectre is not as straightforward: the fixes are application-specific. Applications may need to be recompiled, reconfigured or sometimes redesigned, re-coded and re-tested to deal with these hardware issues, and every application is different. Spectre is likely to haunt application developers for at least the next decade.
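The Spectre mechanism described under The Problem, and the kind of application-level change the previous paragraph says developers now face, shown as an added example that is not part of the original post. It is a C sketch of the variant 1 gadget beside the branchless index-masking fix the Linux kernel adopted (array_index_nospec); the struct layout, the sample secret and the function names are constructed for illustration, and the cache-timing measurement itself is left out.

```c
/* Added example, not code from the original post: the Spectre variant 1
 * ("bounds check bypass", CVE-2017-5753) gadget pattern and the branchless
 * index-masking fix that the Linux kernel applies via array_index_nospec().
 * All names and the sample data below are ours; the side channel itself
 * (cache timing) is not reproduced, only the memory it would reach. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 16

/* Constructed sample layout: a public lookup table directly followed in
 * memory by a secret that no caller-supplied index should ever select. */
static struct {
    uint8_t table[TABLE_LEN];
    uint8_t secret[16];
} mem = {
    { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 },
    "TOPSECRET-KEY-1"
};

/* Second array touched by the gadget; which of its cache lines becomes
 * hot encodes the byte that was loaded. 256 values x 64-byte lines. */
static uint8_t probe[256 * 64];

/* Linux's array_index_mask_nospec(): ~0 when idx < size, 0 otherwise,
 * computed with arithmetic only, so it is still correct on a mispredicted
 * path where the CPU has not yet resolved the bounds check. Relies on an
 * arithmetic right shift of a negative value (GCC/Clang behaviour). */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    intptr_t m = ~(intptr_t)(idx | (size - 1 - idx));
    return (size_t)(m >> (sizeof(intptr_t) * 8 - 1));
}

/* Vulnerable form. Architecturally safe: out-of-range idx returns 0.
 * Speculatively unsafe: while the predictor assumes "idx < TABLE_LEN" the
 * CPU may load mem.table[idx] for an attacker-chosen idx (reaching secret[])
 * and then touch probe[] at a position that depends on that byte. The
 * result is discarded, but the cache line stays hot and can be timed. */
uint8_t lookup_vulnerable(size_t idx)
{
    if (idx < TABLE_LEN)
        return probe[mem.table[idx] * 64];
    return 0;
}

/* Hardened form: the mask forces idx to 0 whenever it is out of range,
 * including on the speculative path, so the dependent load can only reach
 * table[]. The empty asm barrier keeps the compiler from folding the mask
 * away because it "knows" idx < TABLE_LEN inside the branch (the same
 * trick the kernel uses). */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < TABLE_LEN) {
        size_t mask = index_mask_nospec(idx, TABLE_LEN);
        __asm__ __volatile__("" : "+r"(mask));
        idx &= mask;
        return probe[mem.table[idx] * 64];
    }
    return 0;
}

/* Helper for inspection: the table index the load inside the branch would
 * use once speculation has assumed the bounds check passed. */
size_t speculative_index(size_t idx, int hardened)
{
    return hardened ? (idx & index_mask_nospec(idx, TABLE_LEN)) : idx;
}

/* The byte at that offset from the start of table[]; in the constructed
 * layout secret[] sits right after it. */
uint8_t byte_reached(size_t table_index)
{
    return ((const uint8_t *)&mem)[table_index];
}

int main(void)
{
    size_t oob = TABLE_LEN + 3; /* attacker-chosen, points into secret[] */
    printf("vulnerable gadget would load byte '%c' at offset %zu\n",
           byte_reached(speculative_index(oob, 0)), oob);
    printf("hardened gadget loads table[%zu] = %d instead\n",
           speculative_index(oob, 1), byte_reached(speculative_index(oob, 1)));
    /* Architectural behaviour is unchanged by the fix. */
    printf("in-range lookups agree: %d\n",
           lookup_vulnerable(5) == lookup_hardened(5));
    return 0;
}
```

Compile with GCC or Clang. The masking approach costs a handful of ALU instructions per bounds check; the alternative Intel documents, a speculation barrier (lfence on x86) placed after the comparison, is simpler to apply but stalls the pipeline and is therefore more expensive in hot paths. Either way, every bounds check that guards a dependent memory access has to be found and treated individually, which is why the Spectre fixes are application-specific.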

The ability of Spectre to steal credentials and hijack web sessions means that web browsers on IT networks need to be patched and reconfigured as soon as possible. One reconfiguration that helps somewhat is Chrome's “site isolation” (chrome://flags/#enable-site-per-process), which puts each site in its own renderer process so that a malicious page cannot read another site's memory even with a working Spectre gadget, at the cost of some extra memory use. Firefox's first response (version 57.0.4) instead reduced the precision of the performance.now() timer and disabled SharedArrayBuffer, which makes the cache-timing side channel harder to measure from JavaScript but does not remove it.

The changes needed to fix Spectre and Meltdown vulnerabilities more thoroughly are so extensive that costly and extensive testing will be needed before the updates can safely be applied to reliability-critical control systems. For example, Microsoft cautions that installing its Meltdown security update will cause “blue screens of death” on machines running certain software, such as older versions of some anti-virus engines that make unsupported calls into kernel memory. Windows Update therefore withholds the patch until the installed anti-virus product has confirmed it is compatible by setting a registry value (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat, value name cadca5fe-87d3-4b96-b7fb-a231484277cc, a REG_DWORD with data 0), so a machine running an engine whose vendor has not yet done so, or no anti-virus at all, simply does not receive the update. In the very short term, what every control system owner and operator will be asking is “how long can we safely delay this very costly testing process?” and “do I need to drop everything and start testing and applying these fixes yesterday?”.

Impacts on Waterfall Customers 
The answer to these important questions is “it depends on how exposed you are.” Waterfall’s Unidirectional Security Gateway customers, for example, are likely to take all of these alarming-seeming developments in stride. Yes, IT teams will be scrambling to secure Internet-exposed IT networks, but unidirectionally-protected ICS networks are at essentially no greater risk today than they were a week or a month ago.

Unidirectionally-protected networks are generally part of an overall security program that emphasizes physical and cyber perimeter protection over constant, aggressive patching. All cyber attacks are information after all, and if we can control the flow of information into our networks, we can control the flow of attacks. At Waterfall’s customers, we generally see unidirectional gateways allowing monitoring of industrial networks, without allowing any information, not even one bit, back into the network. This prevents malware propagation, hijacked remote access sessions and remote control of RAT-style malware. We also see strong removable media controls in place, media cleansing stations, and unidirectional file server replication to essentially eliminate the need for removable media.

Meltdown and Spectre vulnerabilities can only be exploited if stolen remote access credentials can be used by remote attackers, or if exploit code can reach the target ICS network in order to try to exploit the vulnerabilities. Neither is true with control systems using advanced, unidirectional protections. Waterfall customers are waiting for the Meltdown/Spectre updates to become available, and are scheduling those updates into long-term testing & re-certification plans.

Looking Forward 
Meltdown and Spectre vulnerabilities mean that owners and operators are in trouble, when their industrial control systems are protected from IT networks by only firewalls, software, encryption and passwords. As the Meltdown and Spectre vulnerabilities are weaponized over the coming weeks, the situation at such sites will become increasingly urgent. We feel for you.

For anyone who would like to explore what thoroughly-protected industrial networks look like, I recommend the best-selling “SCADA Security – What’s broken and how to fix it.” I suggest at least chapters 5 and 6, and maybe skim chapter 2 to pick up the book’s terminology.

For the duration of the Meltdown/Spectre emergency, Waterfall has offered to make copies of that book available free of charge to most owners, operators, security practitioners, educators and the press. Click here if you would like to request a copy. We wish you the best.

2 comments:

  1. A good point about the need for extensive testing of software and firmware updates in this environment. I am, however, a little concerned about the almost cavalier dismissal of the problem for systems behind the 'Waterfall perimeter'. It seems to me that hardware bugs like these are going to lead to new and innovative exploits that may not be readily apparent at this time. It seems to me to be too early to declare protection.

  2. All cyber attacks are information. If we can control the flow of information into our control systems, we control the flow of attacks. Waterfall customers generally have excellent control over the flow of information into their system. I expect that for the duration of the Meltdown / Spectre emergency, these kinds of sites will physically turn off the flow of all executable files and remote access into important control systems. Control systems protected only by software, and not by hardware flow controls, will have a much harder time of it.
