I want to discuss a subject that doesn't get enough attention in the world of OT/ICS cyber security considering how fundamental it is, and also sparks a surprising amount of controversy. The topic is the importance of conducting ongoing research into OT endpoint device vulnerabilities, particularly for legacy devices.
It should be a unanimous opinion that this research is important. The more we know about vulnerabilities and the more CVEs we generate, the better for everyone involved. However, I frequently encounter industry analysts and self-styled experts that repeatedly question the need and validity of research in the OT sector. Their argument is that legacy equipment is guaranteed to have vulnerabilities, that it is flawed by design and therefore advanced endpoint research is unnecessary. I find this argument ironic because these same experts are often involved in creating products that help detect and manage the vulnerabilities found by researchers. They state publicly that there is no point in doing research and then in the same breath talk about how their product can help mitigate the problems.
Let’s take a look at the current state of OT vulnerability research, including why it’s controversial, who it helps, and who should be responsible for doing it.
In addition to those who publicly decry research while incongruously benefitting from it, OT research is also controversial because some of the large companies that manufacture PLCs and other devices were until recently reluctant to participate. The vendors state that as long as a device is in line with the specifications for the protocols it was designed to meet and the customers accept the contractual agreements that accompany the device, the device should be considered good to go.
Most of the endpoint OT/ICS devices we’re discussing were designed and built in the pre-Internet era and contained no ethernet interfaces. Networking interfaces were an afterthought. When connectivity was added later, all the new features that came along with it, including scalability and centralized management of networks were all good things. The industry welcomed this development. Cyber security testing was not in the forefront of anyone's mind at the time, and for a long time, manufacturers were content to leave it that way.
Government regulations, such as the Sarbanes-Oxley Act also contributed to the reluctance some large manufacturers may have had to OT vulnerability research. Enacted in the US in 2002, Sarbanes-Oxley places certain financial transparency obligations on publicly traded companies. If a manufacturer becomes aware of a vulnerability in their device that may have financial ramifications for the organization, they would be obligated to disclose it publicly. This gave manufacturers reason not to dig too deeply.
The industry is rapidly evolving away from the opinion that research is unnecessary. For the most part, manufacturers have gotten on board with the attitude that they should fully participate in research efforts.
Finally, there are also those who claim that by doing research, and publicly disclosing vulnerabilities, we are arming potential threat actors with additional weapons they can use for an attack. But this of course just isn't true. Threat actors already know how to carry out attacks without this additional information. Also, new vulnerabilities are revealed using ‘responsible disclosure.’ Before a new research report is published, a manufacturer first has 90 days to fix the issue and release a patch for their device.
The first group of people that is helped by high-quality, effective OT vulnerability research is OT operational teams. OT teams are constantly in the position of needing to demand higher budgets from management. Their requests are often met with the response, "if it ain’t broke, why fix it?" If the network is up and running, management doesn’t want to spend money on upgrades. That argument doesn’t translate well into a good cyber hygiene program. The network likely is broken, just not in the way they think it is. As long as devices are working and they are producing products in a factory, or the electric plant is keeping the lights on, or the wastewater is getting treated, it’s easy to dismiss calls for upgrades.
Armed with proper research, the teams responsible for maintaining and upgrading OT/ICS networks are better equipped to make the case that legacy devices need patching or replacing. Presented with facts demonstrating that there is a significant risk to business continuity, business decision makers might reconsider their position and agree to increase budgets.
Beyond OT teams, of course, the general public benefits from this research. If you live in an area where a municipality is providing water and power, and that operation is using equipment that is super vulnerable you should feel good knowing that research is being done to allow critical infrastructure to stay ahead of potential problems. Unfortunately, it doesn't always mean that the municipality is going to upgrade, patch, or replace the vulnerable equipment. However teams need to keep doing due diligence to make sure potential problems with the equipment are brought to light so they can plan for it.
Once we agree that there is a need for OT vulnerability research, the question remains, which organizations or groups should be doing the bulk of the research?
The answer is that ideally the manufacturers of new equipment should do the research themselves and make the public aware of all known vulnerabilities. The best way to do this would be for the manufacturers to hire third-party, impartial pentesters. The testers would alert the vendors to what they find, and the vendors would alert their customers. This should be basic quality assurance audits done by manufacturers.
Unfortunately, until recently that wasn’t always the case. As detailed above, many manufacturers were reluctant to sponsor the research. This certainly wasn’t the case for legacy equipment that was already widely deployed.
But the industry is evolving and many more companies are involved in research than ever before, especially for new product releases. While in the past, manufacturers may have been hyper resistant, even going so far as to use legal language in their warranties to incentivize customers not to do research, they have now at least partially relented. They are doing the research and allowing third-parties to do it as well.
The OT cyber security industry developed in part because manufacturers aren't doing it well enough. There are now multiple companies such as SCADAfence that have developed in part to assist with this research and help the public understand the risk of unaddressed vulnerabilities. Major vendors are no longer actively against this kind of testing. They have come around and recognize its importance and have demonstrated willingness to partner with security companies.
Research done by third parties unconnected to manufacturers also have the advantage of being able to find vulnerabilities that cascade across multiple vendors and create an increased attack surface.
This increased participation by manufacturers and increased acceptance of the need for OT vulnerability research is a reassuring step in the right direction, despite the isolated voices that disagree. The hope is that manufacturers will also work together in the future to create an OT specific bug bounty program as well.
To learn more about SCADAfence’s vulnerability research, or to see the platform in action, schedule a demo.