The most recent Windows patch release, May 2019 [1], fixes around 80 different vulnerabilities. Among them is CVE-2019-0708, which, according to Microsoft, means that "An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." In other words, it can be wormable and give full control of the remote device, I repeat, control of the remote device, through the Remote Desktop Protocol (RDP), formerly known as Terminal Services.
It is well known that a vulnerability is critical when Microsoft decides to patch its unsupported Windows versions. That is the case now: Microsoft has released patches for Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008.
We know there is a large number of Windows 7, and even Windows XP, devices in the wild, as well as Windows Server 2003 and 2008, and a good portion of these are still working in Industrial Control Systems (ICS), either as HMIs or as part of the SCADA infrastructure. An interesting statistic is provided by CyberX Labs: after analyzing traffic from 850 operational technology systems, which are used to manage factory production lines, gas monitoring and other types of industrial operations, researchers found that 53 percent of them run unsupported versions of Windows, many of which are likely affected by the just-patched vulnerability [2].
One of the reasons behind this is that Control Software Manufacturers use the Operating System (OS) available at development time and tune specific libraries or software packages in order to get the most out of the OS. When patches become available, manufacturers usually recommend that customers wait until testing is completed and the possible impact has been assessed and addressed. Once that has happened, they release the package to customers. What is interesting is that, in order to minimize the possible impact of patches on the application, given the reliability required in ICS environments, full patching of the OS may not be within the manufacturer's scope. Some of the vulnerable systems are found in mission-critical environments, which due to their critical tasks cannot easily be halted in order to be patched. A strategy that protects our organizations in addition to the patch is blocking TCP port 3389 at the firewall [3].
It is important to understand the criticality of this issue: exploitation of this vulnerability is not only about data exfiltration; malicious actors could exploit it to cause a much larger impact, negatively affecting our living standards, because of the potential impact on critical infrastructure [4]. Given the integration of IT protocols in ICS and their seamless integration into IT environments, it is completely feasible to enforce the following IT strategies in the ICS network:
Monitoring
Device monitoring is a well-known and widely used IT strategy to increase device visibility for security practitioners in the enterprise. In the case of ICS, we can use the same strategy to define what is not "normal" in the environment and address it in the shortest possible time.
Network Monitoring
Network segmentation is widely used to create specific groups of devices and to isolate them for different reasons. In the particular case of ICS, segmentation based on criticality could be one solution. The scope of the devices to be isolated requires a deep analysis, understanding the industry, its criticality and the standards that apply.
Establishing controls in ICS is critical to protect not only data, but also the operations related to the control process.
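The three measures above (blocking TCP port 3389 at the firewall, monitoring for what is not "normal", and segmenting by criticality) can be combined into one simple detection check. The following Python script is an added example, not code from the original post: it reads constructed firewall log lines (format, addresses, the ICS segment and the approved jump host are all assumptions) and reports any RDP traffic that reaches the ICS segment outside the segmentation policy, including lateral RDP between ICS hosts, which is the pattern a wormable RDP bug would produce.

```python
import ipaddress

# Constructed firewall/flow log lines (not from the original post). Assumed format:
# <timestamp> <src_ip> <dst_ip> <proto> <dst_port> <action>
SAMPLE_LOG = """\
2019-05-15T10:00:01Z 10.20.1.15 10.50.0.7 TCP 3389 ALLOW
2019-05-15T10:00:05Z 203.0.113.44 10.50.0.7 TCP 3389 ALLOW
2019-05-15T10:00:09Z 10.20.1.15 10.50.0.9 TCP 3389 ALLOW
2019-05-15T10:01:12Z 10.50.0.9 10.50.0.7 TCP 3389 ALLOW
2019-05-15T10:02:00Z 198.51.100.9 10.50.0.7 TCP 3389 DENY
2019-05-15T10:03:30Z 10.20.1.15 10.50.0.7 TCP 502 ALLOW
"""

# Assumed segmentation policy: the ICS segment and the only hosts allowed to open RDP into it.
ICS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
RDP_JUMP_HOSTS = {ipaddress.ip_address("10.20.1.15")}
RDP_PORT = 3389  # TCP port the post recommends blocking at the firewall


def parse_line(line):
    """Split one log line into typed fields."""
    ts, src, dst, proto, port, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(port), action


def audit_rdp(log_text):
    """Return (ts, src, dst, reason) tuples for RDP traffic reaching ICS hosts outside policy.

    Anything that is not TCP/3389 towards the ICS segment, or that comes from an
    approved jump host, is treated as "normal" and skipped.
    """
    findings = []
    for line in log_text.splitlines():
        ts, src, dst, proto, port, action = parse_line(line)
        if proto != "TCP" or port != RDP_PORT or dst not in ICS_SEGMENT:
            continue
        if src in RDP_JUMP_HOSTS:
            continue  # expected administrative access
        if action == "DENY":
            reason = "blocked RDP attempt against ICS host (firewall rule effective)"
        elif src in ICS_SEGMENT:
            reason = "lateral RDP between ICS hosts (worm-like spread pattern)"
        else:
            reason = "allowed RDP into ICS segment from unapproved source (policy gap)"
        findings.append((ts, str(src), str(dst), reason))
    return findings


if __name__ == "__main__":
    for ts, src, dst, reason in audit_rdp(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: {reason}")
```

On the sample input the script reports the external ALLOW as a policy gap, the ICS-to-ICS session as lateral movement, and the DENY as the firewall rule doing its job; the Modbus (502) line and the jump-host sessions are silent.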
As usual, prevention and wise use of resources and budget, together with detailed processes and training for security staff, will always be the pillars on which our security strategy can confidently rest.
References
[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
[2] https://arstechnica.com/information-technology/2019/05/microsoft-warns-wormable-windows-bug-could-lead-to-another-wannacry/
[3] https://www.securityweek.com/wormable-windows-rds-vulnerability-poses-serious-risk-ics
[4] https://www.nist.gov/cyberframework/critical-infrastructure-resources