Open Source Software Exposes ICS Device Vulnerabilities to Hackers

This article was updated on September 12, 2019.

It’s disturbing to think that disruption and damage to our critical infrastructure can happen by simply combining the use of Open Source Software (OSS) tools with malicious intent. Fortunately, those same tools are being used by ICS security researchers around the world to increase industrial control systems cyber security.

In the article “Attackers Can Easily Find Vulnerabilities within Critical Infrastructure with OSS Tools”, published recently by SC Magazine, Nozomi Networks CTO Moreno Carullo takes a look at what security researchers are doing to find and shut down critical infrastructure vulnerabilities.

How Does Open Source Software Contribute to the ICS Cyber Security Problem?

Open source software is used everywhere. A recent report by software vendor Black Duck uncovered some eye-catching statistics:

  • 96% of applications scanned during their research audit contained open source components
  • 78% of the codebases examined had at least one vulnerability
  • The average number of codebase vulnerabilities was 64

Because open source code is so pervasive, attackers can reuse one exploit against many targets. In fact, Black Duck predicted that cyber attacks based on open source-related vulnerabilities would increase by 20% last year alone.

In the article “Attackers Can Easily Find Vulnerabilities Within Critical Infrastructure with OSS Tools”, Moreno discusses some of the other underlying causes of industrial control system (ICS) vulnerability, including:

  • OT systems lack built-in ICS security
  • Industrial protocols were not designed to provide integrity and confidentiality

He also explains how ICS security researchers around the world are leveraging OSS tools to find insecure practices and vulnerabilities, and close the door with encrypted communications and network visibility, segmentation and monitoring.

For example, Nozomi Networks researchers recently created a security testing and fuzzing tool using OSS. It was designed to automatically find vulnerabilities in proprietary protocols used by ICS devices – including PLCs, remote terminal units (RTUs), and so on.

Using only their OSS-based tool, the Nozomi Networks team quickly identified multiple zero-day vulnerabilities within the PLCs of several vendors. The tool found at least one vulnerability for each device, and also uncovered issues related to the management software in several devices.

Sharing Responsibility for Solving the Industrial Cyber Security Problem

Responsibility for securing our critical infrastructure lies with all of us, from device vendors and critical infrastructure operators to ICS cyber security researchers and solution providers.

Regulatory bodies are quickly developing guidelines and setting goals to reduce the threat. Recently, a report by the US Department of Commerce and Department of Homeland Security (DHS) highlighted the need for device makers and software providers to improve the security capabilities of IoT components and software. The report noted that while effective tools for enhancing IoT resilience exist, they aren’t yet widely used. Specifically, it recommended that IoT devices not be shipped with known security flaws, and that devices include an update mechanism to patch vulnerabilities once they are discovered.

The industrial infrastructure market is moving in the right direction to address OT cyber security risks, but it’s going to take time to close all the gaps. Fortunately, critical infrastructure operators have access to actionable information and data about known vulnerabilities, such as ICS-CERT Alerts, malware research, mitigation briefs and Nozomi Networks’ new research paper – TRITON: The First ICS Cyber Attack on Safety Instrument Systems – Understanding the Malware, Its Communications and Its OT Payload. Plus, effective solutions like Nozomi Networks Guardian are available to provide real-time OT cyber security and ICS operational visibility for their industrial control networks.