Some industrial systems still vulnerable to Heartbleed
The danger from Heartbleed has passed for most Internet users, but operators of Industrial Control Systems (ICS) are not that lucky.
The US ICS CERT has issued on Tuesday an advisory about how the flaw still affects some ICS systems and what its operators should do to make it right.
“The ideal ICS network is isolated from the enterprise network and contains little to no external communication connections; however, business demands are requiring increased communication with the ICS network from external networks. These external communication connections are susceptible to the OpenSSL vulnerability, which could be used to exfiltrate credentials for access to components on the ICS network,” the team noted.
“The OpenSSL vulnerability can be present in hosts, clients, and client software. If ICS network credentials are exfiltrated, which can be done with the successful exploitation of the OpenSSL vulnerability, it is possible for an attacker to exercise substantial control over an ICS network. It is extremely common for a set of ICS credentials to have nearly unlimited access throughout the ICS network, which is different from IT networks that typically limit user access to execute job specific duties.”
The team has provided an updated document listing vendors and their products, information on whether they have been affected by the vulnerability and whether they have patched it.
“Asset owners and operators that are unsure of the vulnerability of ICS networking equipment or if they suspect networking equipment of containing the OpenSSL vulnerability, should contact their product vendor,” says the advisory, and notes that they “may need to scan the devices used in their ICS environment if they implement end-of-life devices or their vendor is not communicating with them on this issue.”
But the team warns: “ICS-CERT advises that all scanning of ICS devices for Heartbleed be done in an isolated test laboratory, not in the production environment. If a test environment is not available then the device vendor should be contacted. When it is possible to scan the device, it is possible that device could be put into invalid state causing unexpected results and possible failure of safety safeguards.”
They have enumerated a number of active and passive scanning tools that might be used for the task, have included risk minimization measure that ICS operators can take, and have provided detection signatures.