Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Deep lateral movement in OT networks: When is a perimeter not a perimeter?

Deep lateral movement in OT networks: When is a perimeter not a perimeter?

Deep lateral movement in OT networks: When is a perimeter not a perimeter?

 

 Malware can find its way to the target computer system in a variety of ways, from phishing attacks to the use of untrusted applications and compromised WiFi networks (Illustration: Rahul Awasthi)
Malware can find its way to the target computer system in a variety of ways, from phishing attacks to the use of untrusted applications and compromised WiFi networks (Illustration: Rahul Awasthi)

Forescout’s Vedere Labs’ latest research report is the first systematic study into deep lateral movement: how advanced adversaries can move laterally among devices at the controller level – also known as Purdue level 1 or L1 – of OT networks.

Deep lateral movement lets attackers gain deep access to industrial control systems and cross often overlooked security perimeters, allowing them to perform highly granular and stealthy manipulations as well as override functional and safety limitations.

This research demonstrates that there is a lot of ”network crawl space”; that is, space that is not on asset owners’ radars, such as links that run between security zones at deep system levels that might not receive the attention they deserve. To close these gaps, an L1 device that sits between segments still needs a corresponding perimeter security profile.

In the proof-of-concept developed for this research, we use two new vulnerabilities that we are publicly disclosing for the first time: CVE-2022-45788 and CVE-2022-45789. They allow for remote code execution (RCE) and authentication bypass, respectively, on Schneider Electric Modicon programmable logic controllers (PLCs) – one of the most popular families of PLCs in the world, used in several critical infrastructure sectors. These issues were found as part of our OT:ICEFALL research in 2022 but were not disclosed then at the request of the vendor. More details about the issues are available on Schneider Electric’s advisories SEVD-2023-010-05 and SEVD-2023-010-06

There is little prior work on lateral movement for L1 devices, which has mostly focused on worms moving between identical L1 devices on the same segment or upstream hacking to L2 and above (e.g., from a PLC to an engineering workstation). Vedere Labs hopes that with this new research we increase the cybersecurity community’s understanding of deep lateral movement and how to mitigate attacks.

Here are the main findings of the research. For full details, read the new technical report.

What is deep lateral movement?

OT L1 devices such as PLCs are notoriously insecure. RCE has been demonstrated against many of them using techniques such as insecure engineering interfaces (see OT:ICEFALL), malicious logic or firmware downloads and memory corruption vulnerabilities (see Project Memoria). Additionally, malware such as TRITON has shown that real-world threat actors are both capable of and interested in developing such capabilities.

Regardless, L1 devices that sit at the intersection of multiple, mixed networks (from Ethernet and fieldbuses to industrial wireless and trunked radio) are frequently treated as security perimeters. However, they lack the hardening and risk profiles that would accompany workstations or servers in a similar position. Worse yet, vendor and regulatory guidance may implicitly support this practice.

This issue has become more pertinent with the rise of the industrial Internet of Things (IIoT)I, where gateways enable direct communications between L1 devices on the edge and cloud platforms, potentially exposing this soft underbelly beyond the traditional hardening at the intermediate Purdue levels.

Why bother with deep lateral movement?

Deep lateral movement can enable attackers to achieve outcomes otherwise impossible. Attackers might use this technique for two main reasons:

  • Perimeter crossing: Attackers may need to move around hardened or across unacknowledged perimeters. A common example of zone-crossing at level 1 is the interaction between the basic process control system – which directly controls the industrial process being automated – and a safety instrumented system – which is responsible for safety, emergency procedures and bringing the industrial process to a safe state. Another underestimated perimeter in OT is the one regulated by fieldbus couplers. Couplers are very limited gateways that move specific sets of input/output values between two different fieldbuses and are often used as perimeters between asset owners and third-party managed systems.
  • Granular control: Deep lateral movement may be used to establish more granular control over specific systems by interacting with nested devices in a way not possible through what is intentionally exposed. To bypass functional and safety limitations or reach deeply nested devices, attackers may have to move through multiple L1 devices first.

Newly disclosed vulnerabilities in Schneider Electric Modicon PLCs

As mentioned, the Schneider Electric Modicon family of PLCs is one of the most popular in the world. In fact, Modicons were the first PLCs on the market when introduced in 1968. The popularity of these devices has led their targeting by threat actors. As a part of the recent wave of hacktivist attacks targeting OT, the GhostSec group targeted an exposed M340 belonging to the Nicaraguan ISP UFINET by writing the value 0 to all its Modbus registers.

The newly uncovered issues, summarized below, only affect the Modicon PLC Unity line. CVE-2022-45788 is an example of RCE via an undocumented memory write operation, while CVE-2022-45788 exemplifies a broken authentication scheme. As we explain in the technical report and demonstrate in the proof-of-concept for L1 lateral movement, when combined, these vulnerabilities can lead to RCE on Modicon Unity PLCs.

As noted, Modicon PLCs are extremely popular and widely used around the world. Estimating the number of affected devices based on public data is difficult because these devices are not supposed to be accessible via the internet. However, we are still able to see close to a thousand PLCs exposed online via Shodan, predominantly in the power industry (44%), followed by manufacturing (19%) and agriculture (15%). We found multiple instances of public subnets, likely used by system integrators or contractors, exposing Modicon PLCs for different power generation projects.

Proof-of-concept: cyber-physical attack on movable bridge

To demonstrate the feasibility of deep lateral movement, we developed a proof-of-concept exploit chain against a nested device setup consisting of several popular PLCs: Schneider Electric Modicon M350, Allen-Bradley GuardLogix and WAGO 750 series. The setup was designed to disallow direct or routed access to crucial controllers and safety systems, demonstrating the techniques that advanced adversaries might employ to circumvent such restrictions.

The scenario we built represents an attacker attempting to gain control over movable bridge infrastructure, with the intent of carrying out a cyber-physical attack to close the bridge at full speed, with safety systems disabled to either hit the bearings with the lock-bar driven or trigger an emergency stop at full velocity causing large inertial forces to damage the bridge.

This scenario is typically very difficult or even impossible to carry out with simple control over a central SCADA interface.

Conclusions and mitigation recommendations

The all-too-common habit of treating certain links – such as serial, point-to-point, radio frequency and couplers – as if they’re immune to many of the same issues that we see on regular Ethernet LAN networks is something that needs to be critically reevaluated.

The impact of a compromised device is not limited to the explicit capabilities of a link or its first-order connectivity. Just because it only exposes a few Modbus registers or is hooked up to an uninteresting device does not mean that an attacker cannot turn that link into something else and use that uninteresting device as a staging point for moving towards more interesting targets.

With the access attackers achieve through deep lateral movement, things might become possible which magnify the impact of an attack.

Mitigating the risks of deep lateral movement requires a careful blend of network monitoring to detect adversaries as early as possible, visibility into often overlooked security perimeters at the lower Purdue levels and hardening the most interconnected and exposed devices.

Forescout recommends the following mitigation strategies for hardening L1 devices and networks:

  • Disable unused services on devices. For instance, if UMAS over Ethernet is not required on a PLC, disable it. Even if the PLC is nested, since we showed in this report how attackers can leverage vulnerabilities on nested devices.
  • Use DPI firewalls and IP-based access control lists to restrict sensitive flows between engineering workstations and PLCs. In cases where only subsets of protocols are required, use deep packet inspection (DPI) to restrict this further.
  • From a forensics perspective, ingest level 1 event logs which contain indicators of malicious activity of this kind.
  • Enforce segmentation through OT-DPI firewalls and/or conformance-checking gateways
    including for point-to-point links.
  • Depending on the risk , certain point-to-point links that cross highly sensitive segments might warrant dedicated drop-in DPI firewalls for Ethernet. For serial links with similar profiles you might want to consider inline taps that collect data out-of-band.

[This article is authored by Forescout’s Vedere Labs.]

Information Security - InfoSec - Cyber Security - Firewall Support Providers Company in India

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India, Welcome to IT Monteur's Firewall Firm, India's No1 Managed Enterprise Network Security Firewall Support Provider Company in India, Firewall Firm Provider Complete range of Juniper Firewall Support , Cisco Firewall Support , Check Point Firewall Support , Palo Alto Firewall Support , FortiGate Firewall Support , Forcepoint Firewall Support , Sophos Firewall Support , WatchGuard Firewall Support , Baracuda Firewall Support , SonicWall Firewall Support , Gajshield Firewall Support , Seqrite Firewall Support , Firewall , Hardware Firewall , Software Firewall , Firewall India , Firewall , Network Firewall , Firewall Support , Firewall Monitoring , Firewall VPN , WAF Website Firewall , Firewall Security , Firewall India , Firewalls Support Provider in India , Firewall Support Services Provider Company in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket