You Report, They Act
The investigation and exploitation of vulnerabilities in industrial devices is a strategy aimed at assessing the information and security of the systems affected. While performing certain tasks — both relating to investigation and auditing — zero-day vulnerabilities (also known as 0-day) may be detected in certain devices (PLC, RTU, HMI, etc.), applications or operating systems used in industry. These vulnerabilities are not publicly known and so, it is vital to create systems for notification, treatment and patching of same. As patching in industrial devices is a significant challenge, this must be taken into account when reporting a vulnerability so it can be resolved.
In order to appropriately manage vulnerabilities, a set of different phases to be followed when reporting a vulnerability is proposed.
Before tackling the development of the phases required to appropriately manage vulnerabilities, it should be noted that the investigation tests of same within industrial environments must be performed in a development or test environment. Analysis should not be performed within production environments, because, although the tests to be performed have been appropriately tested and checked in advance, it is possible that behaviour may be different during production.
Processing phases
During phase 1 relating to identification, the way the devices are analysed is particularly important. This phase is divided in two parts: identification and evidence of vulnerabilities. It should be noted that these two parts are different. During the identification phase, the auditor or security investigator will apply the techniques at their discretion and based on their experience in certain tasks in order to identify vulnerabilities. To evidence vulnerabilities, the investigator/auditor must be more rigorous and, therefore, will not be able to perform many of the actions used in identification. Some actions not permitted to evidence vulnerabilities include:
- Use of any malware.
- Use of vulnerabilities for any purpose beyond proving their existence. To show the existence of the vulnerability non-aggressive methods can be used, for example, listing a system directory.
- Use of social engineering.
- Compromising a system and maintaining the access on a persistent basis.
- Tampering with data accessed by means of exploitation of the vulnerability.
- Sharing the vulnerability with third parties.
- Performing DoS or DDoS attacks.
In phase 2, which we call the report phase, CERTs or CSIRTs come into play. They are incident response teams that – depending on the type – can, among other services, help both investigators and auditors reporting vulnerabilities and the manufacturer affected. Some of the help provided by certain CERTs establishing contact between the actors involved in the vulnerability or facilitating the management and evaluation of the failure detected. These and other forms of helping help will benefit all the parties involved. The role played by a CERT or CSIRT is useful for informing the manufacturer so they can resolve the vulnerability in the shortest time possible.
Investigators or auditors must report the vulnerabilities in a safe manner. To do so, it is advisable to use PGP signatures that verify the origin of the information along with its encryption, in order to preserve the privacy of the manufacturer affected.
In addition to informing, another function that a CERT or CSIRT could perform is that of reproducing the vulnerabilities reported. This reproduction is made for the purpose of obtaining a deeper understanding of the problems that the vulnerability detected may cause and, if needed, helping the manufacturer affected more efficiently at the technical level of problem solving.
This analysis task constitutes phase 3, where the vulnerability is reproduced and, if needed, further information would be requested from the investigator or auditor who has reported the vulnerability with the aim of accurately reproducing the problem.
It should be noted that, currently, there are industrial manufacturers that have their own CERT for managing the vulnerabilities of their products and, as such, they play a double role: that of the CERT that provides the notification of the vulnerability, verifying in advance the existence of same, and that of the manufacturer, who will be notified.
The treatment of the vulnerabilities constitutes the phase 4. This phase is based on the classification of the vulnerability, definition of its impact and mitigation or solution of same. The first step in this phase is the reservation of the CVE code following the standard nomenclature of vulnerabilities. This standard is used to facilitate the exchange of information between the different databases and tools. Along with this reservation, the vulnerability is sometimes assigned a value that will define its criticality level, agreed between the investigator or auditor and the manufacturer affected. To do so, the measures to be used are those set by the CVSS (Common Vulnerability Scoring System) framework. This framework is completely open and universally accepted for the establishment of metrics of vulnerabilities. The problem with this standard when assessing a vulnerability is that it is primarily intended for IT environments and, thus, the assessment of vulnerabilities in OT environments may be more complex. In the case of base metrics, this is not a problem, as the following metrics are included and can be applied within an industrial environment:
- Access vector
- Complexity of the attack
- Privileges required
- Need of interaction by a user
- Scope
- Impact on the Confidentiality
- Impact on Integrity
- Impact on Availability
For temporal and environmental metrics, other types of indicators may be required to assess the vulnerability reported more accurately.
Once these arrangements have been completed, it will be necessary to resolve the vulnerability of the system affected or, if this is not possible, to temporarily mitigate it until a final solution is reached. The investigator or auditor can propose a mitigation mechanism or strategy.
The manufacturer must manage and develop a patch. This process may be extended, as it will be necessary to execute different quality tests in different environments.
Finally, we reach phase 5. This phase focuses on the responsible publication and dissemination of the vulnerability through an official channel in the notices section of the CERT website that has managed the vulnerability and in the appropriate section of the manufacturer's website. It would be advisable to manage and agree the responsible publication with the manufacturer so they can develop, test and publish the patch. Once the patch has been published, the investigator can disseminate their vulnerability analysis. In this cases, it is vital to act in accordance the applicable legislation.
Exceptions
There are certain exceptions to this phases cycle. Specifically we can identify two exceptions: when the vulnerability cannot be resolved and when the manufacturer disregards the communications of the CERT.
In the first case, the publication will be made in private. The information will only be available for the clients, so other countermeasures can be applied. In the second case, both if the management of the vulnerability is successful or not, each CERT can define a period after which if the party responsible for its management has not taken sufficient measures to tackle it, the CERT will issue a notification of the vulnerability along with the investigator or auditor who has reported it, if they wish.
Links of interest
Some links of interest where publications of vulnerabilities on industrial control systems can found:
- INCIBE-CERT – Security and industry CERT
- ICS-CERT – INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM
Summary of the phases
PHASE | NAME | DESCRIPTION |
1 | Identification | Analysis of industrial devices in search of vulnerabilities on the part of the investigators or auditors |
2 | Report |
Submission of the vulnerability to the CERT with the aim of informing the industrial manufacturer affected and initiate action to resolve the vulnerability |
3 | Analysis | Reproduction and confirmation of the vulnerability by the CERT. In this phase, the CERT may request further information from the person who has reported the vulnerability in order to reproduce it or provide further information to the manufacturer affected |
4 | Treatment | Classification of the vulnerability. Use of CVSS metrics and assignment of CVE code |
5 | Responsible publication | Publication of the vulnerability through an official channel to disseminate it and inform all clients of the manufacturer of the problems identified so these can be solved |
Conclusions
Vulnerabilities identified in industrial devices are sometimes complex due to the characteristics of the devices, relating to both hardware and software but, should this prevent an investigator or auditor from investigating vulnerabilities affecting this type of device? After reading this article, the logic answer should be 'no'.
Reporting vulnerabilities in the devices within Industrial Control Devices provides major advantages. These are some examples of them:
- Improvement of the cybersecurity of the devices affected.
- Trust of the clients in the manufacturers that conduct security modifications in their devices.
- Compliance with cybersecurity regulations that may affect the industrial sector.
- Repository for investigations and auditors.
Finally, reporting vulnerabilities in industrial control systems provides a significant benefit both for investigators/auditors and for manufacturers, not only due to the aforementioned advantages, but also for the overall improvement it offers for security in the industrial sector.