Insecure by Design in the Backbone of Critical Infrastructure

Published 22 Mar 2023 in cs.CR | (2303.12340v1)

Abstract: We inspected 45 actively deployed Operational Technology (OT) product families from ten major vendors and found that every system suffers from at least one trivial vulnerability. We reported a total of 53 weaknesses, stemming from insecure by design practices or basic security design failures. They enable attackers to take a device offline, manipulate its operational parameters, and execute arbitrary code without any constraint. We discuss why vulnerable products are often security certified and appear to be more secure than they actually are, and we explain complicating factors of OT risk management.

Citations (5)

Summary

  • The paper identifies insecure design choices across 45 OT product families, unveiling 53 vulnerabilities including DoS and remote code execution.
  • Methodology involved reverse engineering, traffic inspection, and analysis of weak cryptographic practices and unauthenticated protocols.
  • Findings underscore an urgent need to reform certification standards and improve transparency in vulnerability reporting for OT systems.

Introduction

The paper "Insecure by Design in the Backbone of Critical Infrastructure" (2303.12340) explores vulnerabilities existing within Operational Technology (OT) systems, focusing on the risks posed by insecure design choices inherent in these systems. The authors conducted an extensive study of 45 OT product families from ten prominent vendors and identified at least one trivial vulnerability in every product inspected. The paper discusses the implications of such vulnerabilities and the challenges posed by inadequate security certification processes within the context of critical infrastructure.

Methodological Overview

The authors adopted a systematic methodology to investigate OT products. They reverse engineered 45 OT product families from key vendors to uncover insecure-by-design practices and security design failures. The reverse engineering combined traffic capture and inspection, identification of protocol structures and semantics, and analysis of device binaries to understand the parsers that consume protocol messages and the code that crafts them. This approach surfaced the major classes of weakness the paper reports: unauthenticated protocols and basic security failures such as weak cryptographic practices.

The study revealed 53 distinct vulnerabilities, including critical issues like denial-of-service (DoS), configuration manipulation, and remote code execution (RCE). Vulnerabilities were categorized based on type and impact, with attention paid not just to the technical weakness but the potential for exploitation in systems connected to critical infrastructure networks.

Results and Analysis

Vulnerability Types

The study identified several key categories of vulnerabilities:

  • Compromise of Credentials: Accounting for over one-third of the reported vulnerabilities, this category covers credentials transmitted in the clear or under weak protection, and hard-coded secrets shipped in firmware.
  • Manipulation: Covers firmware manipulation and unauthorized configuration changes, often possible because the engineering or management protocol performs no authentication at all.
  • Remote Code Execution: Vulnerabilities permitting arbitrary code execution, frequently because control logic is not signed (or the signing is inadequate) and is executed without isolation from the device runtime.

The prevalence of these vulnerabilities underscores the critical risk posed by insecure design practices in current OT systems.
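The example below, added here and not taken from the paper, ties the traffic-inspection step of the methodology to the first two categories above. It defines a toy engineering protocol with a constructed frame format (an assumption for illustration, not any vendor's real wire format) and places a device model that is insecure by design, with a hard-coded default password compared in the clear and parameter writes accepted without any login, beside a hardened model that uses challenge-response login, a session key, a per-frame HMAC, and a strictly increasing sequence number. All frames, the default password `admin`, and the provisioned secret are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed frame layout, an assumption for this example and not any vendor's
# real wire format:  magic(2) | cmd(1) | seq(2, big-endian) | body(n)
MAGIC = b"\xab\xcd"
CMD_LOGIN, CMD_WRITE_PARAM = 0x10, 0x20   # WRITE_PARAM body: addr(2) | value(4)
TAG_LEN = 32  # SHA-256 HMAC tag appended to bodies on the hardened device

def build_frame(cmd, seq, body=b""):
    return MAGIC + struct.pack(">BH", cmd, seq) + body

def parse_frame(raw):
    """What traffic inspection recovers: a fixed header, then a per-command body."""
    if len(raw) < 5 or raw[:2] != MAGIC:
        raise ValueError("not a frame")
    cmd, seq = struct.unpack(">BH", raw[2:5])
    return {"cmd": cmd, "seq": seq, "body": raw[5:]}

def sniff_credential(captured):
    """A passive observer recovers the login credential from captured frames."""
    for f in map(parse_frame, captured):
        if f["cmd"] == CMD_LOGIN:
            return f["body"]
    return None

class InsecureDevice:
    """Insecure by design: hard-coded default password compared in the clear, and
    the parameter write honoured whether or not a login ever happened."""
    def __init__(self, password=b"admin"):
        self.password, self.params = password, {}

    def handle(self, raw):
        f = parse_frame(raw)
        if f["cmd"] == CMD_LOGIN:
            return f["body"] == self.password  # plaintext credential on the wire
        if f["cmd"] == CMD_WRITE_PARAM:         # no authentication check at all
            addr, value = struct.unpack(">HI", f["body"])
            self.params[addr] = value
            return True
        return False

class HardenedDevice:
    """Challenge-response login (HMAC over a fresh nonce, so the secret never
    crosses the wire), a session key, an HMAC tag on every state-changing frame,
    and a strictly increasing seq so a captured frame cannot be replayed."""
    def __init__(self, secret):
        self.secret, self.params = secret, {}
        self.nonce = self.session_key = None
        self.last_seq = 0

    def challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce

    def handle(self, raw):
        f = parse_frame(raw)
        if f["cmd"] == CMD_LOGIN:
            if self.nonce is None:
                return False
            expected = hmac.new(self.secret, self.nonce, hashlib.sha256).digest()
            ok = hmac.compare_digest(f["body"], expected)
            if ok:
                self.session_key = hashlib.sha256(self.secret + self.nonce).digest()
            self.nonce = None  # one response per challenge
            return ok
        if self.session_key is None:
            return False  # no session, no writes
        body, tag = f["body"][:-TAG_LEN], f["body"][-TAG_LEN:]
        mac = hmac.new(self.session_key, raw[:5] + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, mac) or f["seq"] <= self.last_seq:
            return False  # forged or replayed
        self.last_seq = f["seq"]
        if f["cmd"] == CMD_WRITE_PARAM:
            addr, value = struct.unpack(">HI", body)
            self.params[addr] = value
            return True
        return False

def client_login(dev, secret):
    """Workstation side of the challenge-response; returns the session key."""
    nonce = dev.challenge()
    dev.handle(build_frame(CMD_LOGIN, 0, hmac.new(secret, nonce, hashlib.sha256).digest()))
    return hashlib.sha256(secret + nonce).digest()

def client_frame(session_key, cmd, seq, body=b""):
    header = MAGIC + struct.pack(">BH", cmd, seq)
    return header + body + hmac.new(session_key, header + body, hashlib.sha256).digest()

def demo():
    """Feed the same attacker frames to both models and return what each accepted."""
    r = {}
    write = struct.pack(">HI", 0x0010, 1500)  # set parameter 0x0010 to 1500
    ins = InsecureDevice()
    r["insecure_write_no_login"] = ins.handle(build_frame(CMD_WRITE_PARAM, 1, write))
    r["insecure_param"] = ins.params.get(0x0010)
    r["sniffed"] = sniff_credential([build_frame(CMD_LOGIN, 0, b"admin")])
    secret = b"per-device-provisioned-secret"  # assumption: provisioned, not hard-coded
    hd = HardenedDevice(secret)
    r["hardened_write_no_login"] = hd.handle(build_frame(CMD_WRITE_PARAM, 1, write))
    key = client_login(hd, secret)
    frame = client_frame(key, CMD_WRITE_PARAM, 1, write)
    r["hardened_write_session"] = hd.handle(frame)
    r["hardened_param"] = hd.params.get(0x0010)
    r["hardened_replay"] = hd.handle(frame)  # same seq again: rejected
    r["hardened_forged"] = hd.handle(build_frame(CMD_WRITE_PARAM, 2, write + b"\0" * TAG_LEN))
    return r
```

Running `demo()` shows the insecure model accepting a parameter write from a peer that never logged in and leaking its default password to anyone capturing the segment, while the hardened model rejects the unauthenticated write, the replayed frame, and the forged tag and accepts only the frame built under the session key. The hardened model is deliberately minimal: it gives integrity and replay protection for the engineering channel but not confidentiality, and it does nothing about the third category above (unsigned control logic), which needs signature verification in the logic loader rather than in the protocol handler.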

Impact Assessment

The paper provides an impact assessment by estimating how many vulnerable OT systems are present across essential-services sectors such as manufacturing, healthcare, and government. Using open-source intelligence (OSINT) together with device telemetry from the Forescout Device Cloud, the researchers approximated the scale of exposure: tens of thousands of potentially vulnerable devices, many of them directly reachable from the internet.

Challenges in Certification Processes

The study highlights a significant mismatch between security certifications and the actual security posture of certified products. Many products carrying industry-standard certifications such as IEC 62443 were found to have vulnerabilities that a certification process should have identified and required to be mitigated. The authors attribute this to security audits that lean heavily on functional testing and do not comprehensively assess the proprietary protocols and components the products actually ship with.

Risk Management and Information Dissemination

The authors argue for improved transparency and timely dissemination of vulnerability information. They criticize vendors' reluctance to share detailed vulnerability data and the complications introduced by opaque security certifications. Vulnerabilities in shared supply-chain components such as the ProConOS runtime, combined with the lack of comprehensive threat sharing, amplify the risk across OT environments because one weakness propagates into every product built on the same component.

Conclusion

This paper draws attention to the persistent insecurity-by-design problem in OT systems, which could have dire implications for the management of critical infrastructure. The authors call for more rigorous security evaluations, greater transparency in vulnerability reporting, and reform of the existing certification landscape. The study suggests that overcoming these challenges requires collaboration across industry sectors to establish comprehensive best practices that prioritize security in the design and implementation of OT systems.

Future research could build on these findings by exploring ways to strengthen certification protocols and to improve the interoperability of security solutions, so that exploitation of such vulnerabilities in OT ecosystems becomes harder.
