Vulnerabilities in protocol gateway devices can facilitate stealthy attacks on industrial systems, enabling threat actors to obtain valuable information and sabotage critical processes.
Protocol gateways are small devices designed to ensure that various types of IT and OT devices can communicate with one another even when they use different protocols. For example, they can translate traffic sent on the same protocol but over two different physical layers (e.g. TCP to RTU), translate traffic on the same physical layer but different protocols (e.g. Modbus RTU to Profibus), or translate traffic on different physical layers and protocols (e.g. Modbus TCP to Profibus).
There are two types of protocol gateways: ones that translate traffic in real time, and data stations, which store the translated traffic and provide it on request.
Threat actors may target protocol gateways for several reasons. For instance, they can cause serious disruption if the device fails to correctly translate traffic. Secondly, protocol gateways are less likely to be monitored by security products, making it less likely that the attack will be detected. And since translation issues are not easy to diagnose, an attack can be very stealthy.
Researchers at Trend Micro have analyzed the Nexcom NIO50, Schneider Electric Link 150, Digi One IA, Red Lion DA10D, and Moxa MGate 5105-MB-EIP protocol gateways, which are used in many organizations. The research focused on the translation of the Modbus communications protocol, which is one of the most widely used OT protocols.
The researchers first tested how well these devices can handle heavy or malformed traffic, such as the traffic that would be sent by an attacker.
In the case of real-time gateways, the researchers used a fuzzer to generate thousands of invalid Modbus TCP and Modbus RTU packets that were fed to the Schneider, Digi One and Nexcom products to test their firewalling capabilities. Both the Schneider and the Digi One devices filtered out most of the invalid TCP packets, but the one from Nexcom completely failed this test.
Trend Micro researchers showed that the Nexcom device’s failure to handle the malformed packets — the packets should have been dropped or fixed before being translated — can be exploited by an attacker to bypass firewalls and send malicious requests to the devices connected to the protocol gateway. The experts showed how an attacker can send malicious requests to a PLC in order to manipulate the processes it controls. For example, the attacker can activate a motor and deactivate critical safety sensors, leaving operators in the dark.
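The kind of sanity check a gateway should apply to a Modbus TCP frame before translating it, as an added illustration that is not Trend Micro's code or any vendor's firmware; the sample frames and the permitted function-code set are constructed assumptions for this example:

```python
# Added example, not from the article or any gateway vendor: a minimal Modbus TCP
# frame validator of the kind a gateway should run before translation, so that
# malformed frames are dropped rather than forwarded to a PLC.
import struct
from typing import List, Tuple

# Assumed policy: only these public function codes may be forwarded.
ALLOWED_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16}

def validate_modbus_tcp(frame: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) after checking the MBAP header and basic PDU shape."""
    if len(frame) < 8:
        return False, "frame shorter than MBAP header plus function code"
    _transaction_id, protocol_id, length, _unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        return False, f"protocol id {protocol_id} is not Modbus (0)"
    # The length field counts unit id + PDU and must match the bytes received.
    if length != len(frame) - 6:
        return False, f"length field {length} does not match {len(frame) - 6} bytes present"
    if length > 254:  # unit id (1) + maximum PDU (253)
        return False, "PDU exceeds the Modbus maximum"
    function_code = frame[7]
    if function_code & 0x80:
        return False, "exception response code seen in a request"
    if function_code not in ALLOWED_FUNCTION_CODES:
        return False, f"function code {function_code} not permitted"
    pdu = frame[8:]
    if function_code in (1, 2, 3, 4, 5, 6) and len(pdu) != 4:
        return False, "request must carry a 2-byte address and a 2-byte value/quantity"
    if function_code in (1, 2, 3, 4):
        _address, quantity = struct.unpack(">HH", pdu)
        limit = 2000 if function_code in (1, 2) else 125  # spec maxima per read type
        if not 1 <= quantity <= limit:
            return False, f"quantity {quantity} out of range for function code {function_code}"
    return True, "ok"

def screen_frames(frames: List[bytes]) -> List[Tuple[bool, str]]:
    """Apply the validator to a batch of frames, e.g. output from a fuzzer."""
    return [validate_modbus_tcp(f) for f in frames]

# Constructed sample frames: one well-formed Read Holding Registers request,
# then a bad length field, a wrong protocol id, a zero quantity, and a runt frame.
SAMPLE_FRAMES = [
    b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",
    b"\x00\x01\x00\x00\x00\xff\x01\x03\x00\x00\x00\x0a",
    b"\x00\x01\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a",
    b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x00",
    b"\x00\x01",
]
```

Only the first sample frame passes; the rest are rejected with a reason a gateway could log instead of forwarding them.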
Trend Micro reported this vulnerability to Nexcom, which said it would not be releasing a patch due to the product reaching end of life. The cybersecurity firm says it has not tested the affected product’s successor.
In the case of data stations, Trend Micro tested the Moxa and Red Lion products. Data stations must be configured before deployment to assign functions and commands to switches, sensors or other devices. This configuration is stored in what is called an I/O mapping table, which is kept in a SQLite3 database.
I/O mapping tables can contain a lot of information that can be useful to a malicious actor when planning an attack, and making unauthorized modifications to the table can lead to disruption to PLCs, HMIs and other devices connected to the targeted data station.
The researchers have found vulnerabilities in the Moxa device that an attacker could exploit to gain access to the I/O mapping table, manipulate processes, and cause disruption. In the case of the Red Lion device, they identified memory leakage and DoS issues.
“By themselves, protocol gateways are likely not directly involved in the product or the output of a facility. However, they are an important link in the flow of data between different sensors, interfaces, devices, and machinery within a facility,” Trend Micro said.
It added, “Operators need to be able to see and trust the data of the facility and take action to prevent accidents or potential production issues. Vulnerable or exposed protocol gateways can allow threat actors to compromise the integrity of the reported data, the operators’ ability to view data, or prevent operators from taking action.”