ICS under serious risk from a wormable Windows Vulnerability

The most recent patch from Windows, May 2019, [1] fixes around 80 different vulnerabilities, among of them is the CVE-2019-0708 which is, according to Microsoft “An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”, meaning it can be wormable and get full control of the remote device, I repeat get control of the remote device by using the Remote Desktop Protocol (RDP) formerly known as Terminal Services.

It is well known that a particular vulnerability is critical when Microsoft decides to patch their unsupported Windows versions, it is the case now, and Microsoft released patches for Windows XP, Windows 7, Windows Server 2003 and Windows Server 2008.

Although we know there is a large amount of Windows 7, even Windows XP, devices in the wild, as well as Windows Server 2003 and 2008, a good portion of this are still working in Industrial Control Systems, either as HMIs or as part of the SCADA infrastructure. An interesting statistic is provided by CyberX Labs indicates that after analyzed traffic from 850 operational technology systems, which are used to manage factory production lines, gas monitoring, and other types of industrial operations. Researchers found that 53 percent of them run unsupported versions of Windows, many of which are likely affected by the just-patched vulnerability [2].

One of the reasons behind this decision is that Control Software Manufacturers decide to use the available Operative System (OS) in the development moment and tuned specific libraries or software packages in order to get the most of the OS. When patches are available is usual that manufacturers recommend customers to wait until testing is completed and the possible impact is assess and addressed. Once that happened, they decide to release the package to customers, what is interesting is that in order to minimize the possible impact of patches to the application, due to the reliability required to work in ICS environments, full patching of the OS could not be in the manufacturer scope. Some of the vulnerable systems can be found in Mission Critical Environments, which due to their critical tasks cannot be easily halted in order to be patched. Additional strategies to the patch to protect our organizations are blocking the TCP port 3389 in the Firewall [3].

It is important to understand the criticality of this issue, the exploitation of this vulnerability is not only related to data exfiltration, malicious actors could exploit this and cause a much larger impact affecting negatively our life standards, due to the potential impact to critical infrastructure [4]. Understanding the integration of IT protocols in ICS and its seamless integration into IT Environments, it is completely feasible to enforce the following IT strategies in the ICS Network:

Monitoring

Device monitoring is a well-known and widely used IT strategy in order to increase device visibility for Security practitioners in the enterprise. In the case of ICS, we could use the same strategy in order to define what is not “normal” in the environment and address it in the shortest time.

Network Monitoring

Network segmentation is widely used in order to create specific groups of devices and to isolate them for different reasons. In the particular case of ICS segmentation based on criticality could one solution. The scope of the devices to be isolated requires a deep analysis understanding the industry, its criticality and standards applied.

Establishing controls in ICS is critical to protect not only data, but operations related to the control process.

As usual, prevention, wise use of resources and budget, together with detailed processes and training for Security staff will always be the pillars where our security strategy could rest confident of being protected.

References

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
[2] https://arstechnica.com/information-technology/2019/05/microsoft-warns-wormable-windows-bug-could-lead-to-another-wannacry/
[3] https://www.securityweek.com/wormable-windows-rds-vulnerability-poses-serious-risk-ics
[4] https://www.nist.gov/cyberframework/critical-infrastructure-resources