In this Help Net Security interview, Grant Geyer, Chief Strategy Officer at Claroty, discusses the prevalent vulnerabilities in Windows-based engineering workstations (EWS) and human-machine interfaces (HMI) within OT environments. Geyer also addresses the challenges and solutions for securing remote access to critical OT assets.
What are some of the most common vulnerabilities in Windows-based engineering workstations (EWS) and human-machine interfaces (HMI) within OT environments?
It’s critical that we expand the scope of the question from vulnerabilities to exposures. Let me explain: by definition, NIST defines a CVE as “a weakness in the computational logic (e.g., code)…” By this definition, entire classes of easily exploitable weaknesses that are commonly present in OT assets are excluded. Some examples include weak credentials, hard-coded credentials, and clear-text communication.
Making the problem even more vexing is that many HMIs and EWS run on the Windows operating system, and by design have obsolescence periods measured in years to decades – far beyond the planned life of the OS. It’s therefore not unusual to find Windows 7 or XP systems in OT environments that are highly vulnerable and can’t be patched, leaving them susceptible to exploitation. Those systems that are still supported often run critical applications that cannot be easily updated or patched without significant downtime, leading to vulnerabilities being left unaddressed.
To emphasize the risk: over 25% of the 1,134 vulnerabilities in the CISA Known Exploited Vulnerabilities Catalog are based on the Windows operating system, making these old operating systems a clear favorite of cyber criminals and foreign actors.
Can you describe the potential impact of an attacker gaining control over an EWS or HMI?
If an attacker gains control over an EWS or HMI, the consequences can be severe and multifaceted. Control over these systems allows an attacker to manipulate critical processes, potentially causing production disruptions or halting operations altogether.
Let’s take an event that happened last month. Claroty’s Team82 became aware of an alleged hack by the Iranian Handala hacking group against a prominent provider of integrated computer-aided design and computer-aided manufacturing (CAD/CAM) solutions for manufacturing applications. In addition to claims of exfiltrating data, Handala claims to have introduced backdoors into current releases of the CAD/CAM software creating the potential for a supply chain attack against any organization using the software.
The group went further in suggesting a connection between their activities and recent accidents and explosions of machinery. While Claroty saw no evidence that their claim was true, a backdoor like this could have significant impact on industrial customers who use the CAD/CAM software for their manufacturing and metal cutting operations. If a backdoor gave attackers access to the system, they could remotely:
- Exfiltrate proprietary designs, which, depending on the target’s business model, could have national security or commercial implications.
- Create changes to the design of systems, which could have safety implications for the end users of manufactured products.
- Cause sabotage to the equipment, impacting continuity of production and potentially creating safety issues for plant workers.
Given the increasing reliance on remote and third-party access, particularly for EWS and HMIs, how can organizations ensure the security of their OT networks?
There is a clear benefit to industrial organizations of faster mean-time-to-repair by leveraging remote access for first and third parties to conduct maintenance. However, if not properly secured, attackers can walk right through the virtual front door to attack the OT environment. In a recent analysis, Claroty found that 13% of the HMIs and EWS sampled had an insecure internet connection, and 36% of those contained at least one Known Exploited Vulnerability (KEV), making them both remotely accessible and readily exploitable entry points for threat actors to disrupt operations.
While this is indeed concerning, there are solutions available in the market designed specifically to enable secure user-to-machine communications that align with the operational, environmental, and risk tolerance constraints of OT environments. At the core of it, we have to remember that because of the safety and operational risks, every connection to an OT asset needs to be privileged. Additionally, organizations need to ensure least privileged access is enforced for all of the first- and third-party engineers. Regularly auditing and reviewing access permissions through an identity governance program helps to identify and remove unnecessary or outdated access rights, reducing the attack surface.
Previously isolated OT assets are increasingly being connected to public networks. What are the driving factors behind this trend, and what are its implications?
The trend of connecting previously isolated OT assets to public networks is driven by several factors, including the need for real-time data analysis, remote management, operational efficiency, and improved decision-making. Real-time data collection and analysis enable organizations to optimize processes, predict maintenance needs, and improve overall productivity.
Remote management capabilities allow for monitoring and control of OT systems from anywhere, reducing the need for on-site personnel and enabling quicker response to issues. However, this increased connectivity also brings significant implications. The integration of OT and IT networks expands the attack surface, making OT systems more vulnerable to cyberattacks that traditionally targeted IT environments. This convergence necessitates enhanced security measures to protect critical infrastructure from sophisticated attacks.
The most important action that any organization can take is to understand their OT attack surface area and take purposeful actions to reduce the inherent risk by patching or implementing compensating controls. That’s where incident detection programs follow – to ensure effective monitoring around the residual risk that can’t be taken off the table.
What are the future challenges and opportunities in securing remote access to mission-critical OT assets?
The two biggest challenges around securing remote access to mission-critical OT assets are different depending on whether it’s a user or machine that needs to connect to the OT asset. In terms of user access, the fundamental challenge is that the cyber security team doesn’t know what the assets are, and who the users are. That’s where the knowledge of the OT engineers – coupled with an inventory of the assets – comes into play.
The security team can leverage the inventory, experience, and knowledge of the OT engineers to operate as the “first line of defense” to stand up the organizational defenses. With respect to machine-to-machine access, organizations typically don’t have an understanding of what “known good” traffic should look like between these assets. Without this knowledge, it’s impossible to spot the anomalies from the baseline.
That’s where a good cyber-physical system protection platform comes into play, providing the ability to understand the typical communication patterns that can eventually be operationalized in network segmentation rules to ensure effective security.
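The last two answers describe the same loop: learn what “known good” machine-to-machine traffic looks like, flag what deviates from it, and turn the baseline into segmentation rules. The following added example, written for this page and not taken from the interview or from any Claroty product, walks through that loop on constructed flow records (source, destination, destination port, protocol). All addresses, ports and device roles in the comments are invented sample data, and the rule syntax is a generic allowlist format rather than any particular firewall's.

```python
"""Baseline, anomaly flagging and allowlist rules for OT machine-to-machine traffic.

Added example for this page. Hosts, ports, device roles and rule syntax are
constructed assumptions, not data from the interview or from any product.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, str]  # (src_ip, dst_ip, dst_port, protocol)

# Constructed flows recorded during a learning period in which the OT
# engineers confirmed the plant was operating normally.
BASELINE_FLOWS: List[Flow] = [
    ("10.10.1.5", "10.10.2.20", 44818, "tcp"),  # EWS -> controller A (EtherNet/IP)
    ("10.10.1.5", "10.10.2.21", 44818, "tcp"),  # EWS -> controller B
    ("10.10.1.7", "10.10.2.20", 502, "tcp"),    # HMI -> controller A (Modbus/TCP)
    ("10.10.1.7", "10.10.2.20", 502, "tcp"),    # repeated poll; de-duplicated when learning
    ("10.10.1.7", "10.10.2.21", 502, "tcp"),    # HMI -> controller B
    ("10.10.2.20", "10.10.3.9", 123, "udp"),    # controller A -> NTP server
    ("10.10.2.21", "10.10.3.9", 123, "udp"),    # controller B -> NTP server
]

# Constructed flows observed after the baseline was established.
OBSERVED_FLOWS: List[Flow] = [
    ("10.10.1.7", "10.10.2.20", 502, "tcp"),     # in baseline
    ("10.10.1.5", "10.10.2.21", 44818, "tcp"),   # in baseline
    ("10.10.1.5", "10.10.2.20", 445, "tcp"),     # known pair, service never seen before
    ("203.0.113.8", "10.10.1.7", 3389, "tcp"),   # peer never seen before reaching the HMI
]


def learn_baseline(flows: List[Flow]) -> Set[Flow]:
    """The baseline is the set of distinct flows seen during learning."""
    return set(flows)


def classify(flow: Flow, baseline: Set[Flow]) -> str:
    """'baseline' if seen before; 'new-service' if the two hosts already talk
    but not on this port/protocol; 'new-peer' if the pair itself is unknown."""
    if flow in baseline:
        return "baseline"
    known_pairs = {(src, dst) for src, dst, _, _ in baseline}
    if (flow[0], flow[1]) in known_pairs:
        return "new-service"
    return "new-peer"


def find_anomalies(observed: List[Flow], baseline: Set[Flow]) -> List[Tuple[Flow, str]]:
    """Every observed flow outside the baseline, paired with its class.
    Both classes deserve review with the OT engineers before any block."""
    return [(f, classify(f, baseline)) for f in observed if f not in baseline]


def segmentation_rules(baseline: Set[Flow]) -> List[str]:
    """Operationalize the baseline as an allowlist: one rule per reachable
    (destination, port, protocol) listing the permitted sources, then a
    default deny. Generic syntax, not any specific firewall's."""
    allowed: Dict[Tuple[str, int, str], Set[str]] = defaultdict(set)
    for src, dst, port, proto in baseline:
        allowed[(dst, port, proto)].add(src)
    rules = [
        f"allow {proto} from {','.join(sorted(srcs))} to {dst} port {port}"
        for (dst, port, proto), srcs in sorted(allowed.items())
    ]
    rules.append("deny any")
    return rules


if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for (src, dst, port, proto), kind in find_anomalies(OBSERVED_FLOWS, base):
        print(f"{kind:12s} {proto} {src} -> {dst}:{port}")
    print("\n".join(segmentation_rules(base)))
```

The distinction between “new-service” and “new-peer” is what makes the baseline useful in review: a known pair of hosts starting a new protocol usually means a configuration change the engineers can confirm or reject, whereas a never-seen peer is the case the segmentation rules exist to stop. The rule generator groups by destination so that each controller ends up with a short list of hosts allowed to reach it, which is the form segmentation policy is normally written in.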