Security in ICS and OT digitalization - comprehensive cyber resilience for Industrial Control Systems
As OT and IT converge, it is time for an all-encompassing approach to securing mission-critical digital assets.
So how do you prevent a cyber-attack on your mission-critical ICS devices when the barriers between OT and IT are blurred by wireless sensor networks or by the use of cloud-based applications at shop-floor level?
Start with the essential controls recommended by NERC CIP or IEC 62443: full visibility of the connected devices and of the changes happening on them.
Many models have been derived to describe the requirements for cyber security in the world of Industrial Operational Technology, the world of cyber-physical systems where an attack has the potential for severe real-world damage (see our infographic 'A History of ICS Cyber Incidents & Attacks'). Common to all is that essential controls are needed at intersections and on assets to detect malicious changes, whether they alter a system's configuration settings, modify critical data, or drop malicious files. Malicious change, the root cause of almost all cyber incidents, needs to be detected and controlled to safeguard the availability of assets and the processes they enable. This is exactly what NNT's ChangeTracker Gen7 R2, with its feature set built for Industrial Control Systems, is designed for.
How to Converge OT and IT Networks and Protect Industry Digitalization
Discover and highlight any dangerous behaviour
Both standards, NERC CIP and IEC 62443, mandate the ability to monitor the digital infrastructure in order to:
- develop and maintain a baseline configuration of assets
- authorize and document any change to a baseline
- continuously monitor and alert about any malicious change
- apply hardened configuration settings to any new asset added to the infrastructure
Our ICS feature set will not only help you automate these tasks but also document your security measures for audit purposes. Because it is part of the larger functionality of ChangeTracker Gen7 R2, you gain visibility across the domains of Operational Technology and Information Technology. As the demarcation between the two fades away, this is what is needed to stay ahead of the technological changes that come with the digitalization labeled Industry 4.0: wireless sensor networks, cloud and container applications, and factory virtualization (Digital Twin, Virtual Power Plant).
In an ever-connected, highly automated environment, every asset needs serious care and attention in terms of cyber security and resilience. Secure configuration baselines, change control, and vulnerability management are non-negotiable.
NNT makes the entire process of creating a baseline configuration as easy as possible.
NERC CIP requires a baseline to encompass operating systems, firmware, applications, custom software and many more.
Change Tracker's simple Wizard UI walks you through the process so anyone can create their own Baselines within minutes!
In addition, to further simplify that process, there is a large supply of published hardened build standards, such as the Center for Internet Security (CIS) Benchmarks or the DISA Security Technical Implementation Guides (STIGs), ready to be used and amended where needed.
Simple, UX-driven workflows make the maintenance of a configuration baseline straightforward, providing all the flexibility needed to promote changes to the baseline as they are required. This applies across Industrial Control environments, from PLCs, HMIs and Historians to cloud and container infrastructures.
For example, following routine patching where not just product versions may change, but also the associated open ports and underlying filesystem, registry and configuration settings, you decide if you want to ‘promote changes to the baseline’. You can also assign basic logic to the promoted changes to either replace or extend the Baseline.
A number of security frameworks reference the need for change control, integrity monitoring and an established configuration standard or hardened build standard. You’ll find the need for such a baseline or Gold Build Standard in all compliance frameworks (for example, NIST 800-53 CM-2 and CM-3, CIS Control 5.2, PCI DSS Requirement 2) but especially NERC CIP 007-3 and 010-3 as a means of guaranteeing security.
Without a consistent build how else can you expect security to be maximized?
The NERC CIP 010 process is shown in the diagram, and the NNT Baseline Configuration management process allows you to follow this cycle.
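The baseline cycle described above (build a baseline, detect any change against it, promote approved changes with replace-or-extend logic) as an added example; this is illustrative code, not NNT Change Tracker's own implementation, and the hash-list baseline format and the sample file set are assumptions made for the demo.

```python
"""Baseline configuration, drift detection and change promotion (added example)."""
import hashlib
import json
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root: str) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    base = Path(root)
    return {p.relative_to(base).as_posix(): sha256_bytes(p.read_bytes())
            for p in sorted(base.rglob("*")) if p.is_file()}


def snapshot_contents(files: dict) -> dict:
    """Same shape as snapshot_dir, but over an in-memory {path: bytes} mapping."""
    return {path: sha256_bytes(data) for path, data in files.items()}


def build_baseline(snapshot: dict) -> dict:
    """A baseline maps each path to the list of hashes approved for it."""
    return {path: [digest] for path, digest in snapshot.items()}


def detect_changes(baseline: dict, snapshot: dict) -> dict:
    """Classify drift: files added, removed, or modified relative to the baseline."""
    return {
        "added": sorted(set(snapshot) - set(baseline)),
        "removed": sorted(set(baseline) - set(snapshot)),
        "modified": sorted(p for p in baseline.keys() & snapshot.keys()
                           if snapshot[p] not in baseline[p]),
    }


def promote_changes(baseline: dict, snapshot: dict, approved,
                    mode: str = "replace") -> dict:
    """Fold approved paths into a new baseline; unapproved drift stays flagged.

    mode="replace": the new hash becomes the only approved hash for the path.
    mode="extend":  the new hash is approved alongside the old ones, e.g. while
                    a patch is rolled out gradually across a fleet.
    """
    if mode not in ("replace", "extend"):
        raise ValueError(f"unknown promotion mode: {mode}")
    approved = set(approved)
    new_baseline = {path: list(hashes) for path, hashes in baseline.items()}
    changes = detect_changes(baseline, snapshot)
    for path in approved & set(changes["added"]):
        new_baseline[path] = [snapshot[path]]
    for path in approved & set(changes["removed"]):
        del new_baseline[path]
    for path in approved & set(changes["modified"]):
        if mode == "replace":
            new_baseline[path] = [snapshot[path]]
        else:
            new_baseline[path] = new_baseline[path] + [snapshot[path]]
    return new_baseline


def save_baseline(baseline: dict, path: str) -> None:
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: str) -> dict:
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    # Constructed sample: a routinely patched HMI binary and an unexpected new DLL.
    before = {"etc/plc.cfg": b"port=502\n", "bin/hmi.exe": b"hmi-v1"}
    after = {"etc/plc.cfg": b"port=502\n", "bin/hmi.exe": b"hmi-v2",
             "tmp/dropper.dll": b"unexpected"}
    baseline = build_baseline(snapshot_contents(before))
    current = snapshot_contents(after)
    print("drift:", detect_changes(baseline, current))
    baseline = promote_changes(baseline, current, {"bin/hmi.exe"}, mode="extend")
    print("still flagged:", detect_changes(baseline, current))
```

`snapshot_dir` does the same hashing over a real directory tree, so the same detect/promote functions can be run against a live asset.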

Advisories
-
Rockwell Automation PanelView 800
28 September 2023
1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: PanelView 800
- Vulnerability: Improper Input Validation
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information, modify data, or cause a denial-of-service.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Rockwell Automation PanelView 800, a graphics terminal, are affected:
- PanelView 800 2711R-T10T: V3.011
- PanelView 800 2711R-T7T: V3.011
- PanelView 800 2711R-T4T: V3.011
3.2 Vulnerability Overview
3.2.1 Improper Input Validation CWE-20
An input/output validation vulnerability exists in a third-party component used by the PanelView™ 800. Libpng, the PNG reference library, in version 1.6.32 and earlier does not properly check the length of chunks against the user limit. Libpng versions prior to 1.6.32 are susceptible to a vulnerability which, when successfully exploited, could potentially lead to disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.
CVE-2017-12652 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
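An added example of the check the advisory describes as missing: a defensive PNG chunk walker that compares each chunk's declared length against a caller-supplied limit (and against the bytes actually present) before trusting it. This is illustrative code written for this page, not libpng or Rockwell code; the 1 MiB default limit and the constructed sample images are assumptions for the demo.

```python
"""Defensive PNG chunk validator (added example, not libpng code)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_SPEC_MAX_LENGTH = 0x7FFFFFFF   # PNG spec: chunk length must fit in 31 bits
DEFAULT_USER_LIMIT = 1 << 20       # assumed per-chunk limit for this demo
IHDR_1X1_RGB = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 13-byte IHDR body


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one well-formed chunk: length, type, payload, CRC(type+payload)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def validate_png(data: bytes, user_limit: int = DEFAULT_USER_LIMIT):
    """Walk the chunk stream; return (True, [chunk types]) or (False, reason).

    The declared length is checked against the spec maximum, the user limit
    and the remaining input before any slice or allocation depends on it.
    """
    if not data.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos, seen = len(PNG_SIGNATURE), []
    while True:
        if len(data) - pos < 8:
            return False, f"truncated chunk header at offset {pos}"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        # The length-vs-limit check at issue: reject before trusting `length`.
        if length > PNG_SPEC_MAX_LENGTH:
            return False, f"{ctype!r}: length {length} exceeds PNG spec maximum"
        if length > user_limit:
            return False, f"{ctype!r}: length {length} exceeds user limit {user_limit}"
        body_start, body_end = pos + 8, pos + 8 + length
        if body_end + 4 > len(data):
            return False, f"{ctype!r}: declared length {length} runs past end of data"
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False, f"{ctype!r}: CRC mismatch"
        seen.append(ctype)
        pos = body_end + 4
        if ctype == b"IEND":
            return True, seen
        if pos >= len(data):
            return False, "stream ended without IEND"


def sample_png() -> bytes:
    """Constructed minimal 1x1 RGB image: IHDR + IDAT + IEND."""
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_1X1_RGB)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def oversized_png(limit: int) -> bytes:
    """Constructed image whose tEXt chunk is one byte longer than `limit`."""
    big = make_chunk(b"tEXt", b"A" * (limit + 1))
    return PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_1X1_RGB) + big + make_chunk(b"IEND", b"")


def short_body_png() -> bytes:
    """Constructed image whose header declares 1000 bytes but carries only 10."""
    forged = struct.pack(">I", 1000) + b"tEXt" + b"x" * 10
    return PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_1X1_RGB) + forged
```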
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater, Telecommunications
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Rockwell Automation reported this vulnerability to CISA.
4. MITIGATIONS
Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, Rockwell Automation encourages customers to implement their suggested security best practices to minimize the risk of vulnerability.
- Updating to v6.011 or later will mitigate the issue.
- Security Best Practices
For more information, see Rockwell Automation's Security Advisory.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
- September 28, 2023: Initial Publication
-
DEXMA DexGate
28 September 2023
1. EXECUTIVE SUMMARY
- CVSS v3 8.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: DEXMA
- Equipment: DEXGate
- Vulnerabilities: Cross-Site Scripting, Cross-Site Request Forgery, Improper Authentication, Cleartext Transmission of Sensitive Information, Exposure of Sensitive Information to an Unauthorized Actor
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in the attacker impersonating a user, executing arbitrary code, and accessing the connected network.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of DEXGate is affected:
- DEXGate: Version 20130114
3.2 Vulnerability Overview
3.2.1 CROSS-SITE SCRIPTING (XSS) CWE-79
The affected product is vulnerable to a cross-site scripting vulnerability, which could allow an attacker to introduce arbitrary JavaScript into the web application by injecting an XSS payload into the 'hostname' parameter of the vulnerable software.
CVE-2023-40153 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
3.2.2 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
The affected product is vulnerable to a cross-site request forgery vulnerability, which may allow an attacker to perform actions with the permissions of a victim user.
CVE-2023-42435 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L).
3.2.3 IMPROPER AUTHENTICATION CWE-287
The affected product is vulnerable to an improper authentication vulnerability, which may allow an attacker to impersonate a legitimate user as long as the device keeps the session active, since the attack takes advantage of the cookie header to generate "legitimate" requests.
CVE-2023-4108 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker with access to the network where clients reach the DexGate server to capture traffic. The attacker can later use the information within it to access the application.
CVE-2023-41088 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).
3.2.5 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
The affected product is vulnerable to an exposure of sensitive information to an unauthorized actor vulnerability, which may allow an attacker to craft requests that obtain version information about the web server used.
CVE-2023-42666 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Multiple
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Spain
3.4 RESEARCHER
Aarón Flecha Menéndez of S21sec reported these vulnerabilities to CISA.
4. MITIGATIONS
Dexma has not responded to CISA's requests to coordinate at this time.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- September 28, 2023: Initial Publication
-
Mitsubishi Electric FA Engineering Software
26 September 2023
1. EXECUTIVE SUMMARY
- CVSS v3 9.3
- ATTENTION: Low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: FA Engineering Software Products
- Vulnerability: Incorrect Default Permissions
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a local attacker to execute code, which could result in information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mitsubishi Electric FA Engineering Software Products are affected:
- GX Works3: All versions
3.2 Vulnerability Overview
3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276
In all versions of Mitsubishi Electric GX Works3, code execution is possible due to permission issues. This could allow an attacker to cause information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition.
CVE-2023-4088 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
01dGu0 of ZHEJIANG QIAN INFORMATION & TECHNOLOGY CO., LTD reported this vulnerability to Mitsubishi Electric.
4. MITIGATIONS
Mitsubishi Electric recommends that customers take the following mitigation measures to minimize the risk of exploitation of this vulnerability:
- Install the version described in the Mitsubishi Electric advisory into the default installation folder. If it is necessary to change the installation folder from the default, select a folder that only users with Administrator privileges have permission to change.
- Install anti-virus software on the computer using the affected product.
- Use your computer with the affected product within the LAN and block remote login from untrusted networks, hosts, and users.
- When connecting your computer with the affected product to the Internet, use a firewall, virtual private network (VPN), etc., and allow only trusted users to log in remotely.
- Don't open untrusted files or click untrusted links.
For more information, see the Mitsubishi security advisory.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY
- September 26, 2023: Initial Publication
-
Suprema BioStar 2
26 September 2023
1. EXECUTIVE SUMMARY
- CVSS v3 6.5
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Suprema Inc.
- Equipment: BioStar 2
- Vulnerability: SQL Injection
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to perform a SQL injection to execute arbitrary commands.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Suprema BioStar 2, an access control system, are affected:
- BioStar 2: version 2.8.16
3.2 Vulnerability Overview
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89
Suprema BioStar 2 v2.8.16 was discovered to contain a SQL injection vulnerability via value parameters.
CVE-2023-27167 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Multiple
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: South Korea
3.4 RESEARCHER
CISA discovered a public proof of concept (PoC) authored by Yuriy (Vander) Tsarenko and reported to Exploit-db.
4. MITIGATIONS
Suprema Inc. has released BioStar 2 2.9.4 to fix this vulnerability.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
- September 26, 2023: Initial Publication
-
Advantech EKI-1524-CE series
26 September 2023
1. EXECUTIVE SUMMARY
- CVSS v3 5.4
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Advantech
- Equipment: EKI-1524-CE, EKI-1522-CE, EKI-1521-CE
- Vulnerabilities: Cross-Site Scripting
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the session.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Advantech serial device servers are affected:
- EKI-1524-CE series: versions 1.24 and prior
- EKI-1522-CE series: versions 1.24 and prior
- EKI-1521-CE series: versions 1.24 and prior
3.2 Vulnerability Overview
3.2.1 Cross-Site Scripting CWE-79
Advantech EKI-1524, EKI-1522, EKI-1521 devices through version 1.21 are affected by a stored cross-site scripting vulnerability, which can be triggered by authenticated users in the device name field of the web-interface.
CVE-2023-4202 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
3.2.2 Cross-Site Scripting CWE-79
Advantech EKI-1524, EKI-1522, EKI-1521 devices through version 1.24 are affected by a stored cross-site scripting vulnerability, which can be triggered by authenticated users in the ping tool of the web-interface.
CVE-2023-4203 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER
These vulnerabilities were discovered during research by R. Haas, A. Resanovic, T. Etzenberger, M. Bineder at St. Pölten UAS, supported and coordinated by CyberDanube.
4. MITIGATIONS
Advantech recommends users upgrade to the latest version available (currently v1.26) as shown below:
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- September 26, 2023: Initial Publication

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.
Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real time with NNT FAST™ (File Approved-Safe Technology).
Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.
Log Tracker: Comprehensive and easy-to-use security information & event log management with intelligent, self-learning correlation technology to highlight potentially harmful activity in seconds.
Are you ready to get started in securing your IT environment with industry-approved foundational controls, intelligent change control and automation?