
Similarities Between Stuxnet and the Latest Vulnerabilities Found in Schneider Triconex SIS Controllers

 

Overview

As the NSA urges companies to secure their industrial networks, two vulnerabilities have been found in Schneider Electric Triconex SIS devices. Both reside in the Tricon Communication Module (TCM), which connects the Triconex SIS to Ethernet networks. The first (CVE-2020-7486) is a denial-of-service vulnerability that causes the TCM to enter a fault state. The second (CVE-2020-7491), the more serious of the two, is a legacy debug port exposed to the network that lets an attacker obtain root-style privileges on the TCM and upload malicious firmware to it.

While the vulnerabilities themselves are severe, exploiting them does not directly impact SIS operation. In the event of a failure in the plant, the SIS will still carry out its safety function normally.

Most SIS devices use a key switch: a physical switch that controls the state of the SIS. During normal operation this switch should be in the ‘Run’ position. To harm the SIS from the TCM by uploading malicious code to it, the key switch must first be physically moved to ‘Program’ or ‘Remote’.

 

Hiding Malicious Activity, As Seen In Stuxnet

Leveraging CVE-2020-7491, an attacker can write their own firmware to the TCM. Because the TCM sits between the SIS and the OT Ethernet network, malicious code installed on the TCM can hide or modify traffic sent to or received from the SIS.

SIS HMIs are usually connected to the Ethernet network. These HMIs can be fed incorrect information by the TCM, so that fake SIS data is displayed in the HMI.

Moreover, the TCM could hide malicious code blocks from the programming software, keeping them out of the engineers' view.

Similar techniques were seen in the Stuxnet campaign, which hooked network code to hide its activity. A rootkit installed on PCs running the engineering software hid the infected PLC code blocks so they could not be seen in the programming software.
Stuxnet also prevented operators from noticing the instructions it sent to peripheral devices (centrifuge drives, etc.) by hiding those instructions from the process image output. Monitoring devices and HMIs were fed incorrect information showing that the PLCs were functioning normally and that no out-of-the-ordinary instructions had been sent to them.

 

Mitigation Recommendations

  1. There are countless vulnerabilities in industrial equipment, and more are discovered every day. A safety net in the form of a passive industrial network traffic monitoring system (such as the SCADAfence Platform) will detect most attack vectors and slow down attacks, giving you time to respond. Such products raise the cost of an attack enough to make it unattractive to most attackers. See our webinar on Efficient Industrial Cyber Security Programs for more information.
  2. Update the TCM modules with the latest firmware from Schneider Electric. Updates are listed in the official advisory, Legacy Triconex Product Vulnerabilities.
  3. Make sure SIS devices sit behind a firewall and communicate only on the ports they are expected to use. Both vulnerabilities were found in undocumented services listening on non-standard ports.
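Recommendation 3 and the passive-monitoring point in recommendation 1 come down to one check: every flow that reaches a TCM must match a documented (source, protocol, port) triple, and anything else, such as a connection to an undocumented service on a non-standard port, is an alert. The script below is an added example, not SCADAfence or Schneider Electric code. The SIS addresses, the allowlist (TriStation on UDP/1502 from the engineering workstation is an assumption; the HMI service on TCP/1500 is invented for illustration) and the flow records are all constructed; a real allowlist must come from the plant's own documentation.

```python
"""Passive port-allowlist check for traffic to Triconex SIS communication modules.

Added example, not SCADAfence or Schneider Electric code. Hosts, ports and
flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed: IP addresses of the TCM modules under protection.
SIS_HOSTS = {"10.10.5.11", "10.10.5.12"}

# Constructed allowlist: (protocol, destination port) -> permitted sources.
# TriStation on UDP/1502 from the engineering workstation is an assumption;
# the HMI read service on TCP/1500 is invented for this example.
ALLOWED = {
    ("udp", 1502): {"10.10.1.20"},   # engineering workstation -> TCM
    ("tcp", 1500): {"10.10.1.30"},   # HMI data read -> TCM (assumed port)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a 'src dst proto dport' record from a constructed flow collector."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def check_flow(flow: Flow) -> Optional[str]:
    """Return an alert for traffic to an SIS host that violates the allowlist.

    Returns None when the flow is expected or does not target an SIS host.
    An unknown service is reported separately from a known service reached
    from an unauthorized source, because the first is what an attacker
    probing an undocumented debug port looks like.
    """
    if flow.dst not in SIS_HOSTS:
        return None
    key = (flow.proto, flow.dport)
    if key not in ALLOWED:
        return f"UNEXPECTED SERVICE {flow.proto}/{flow.dport} on {flow.dst} from {flow.src}"
    if flow.src not in ALLOWED[key]:
        return f"UNAUTHORIZED SOURCE {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}"
    return None


def scan(lines: Iterable[str]) -> List[str]:
    """Run check_flow over every non-empty record and collect the alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = check_flow(parse_flow(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed flow records. The last two model a host probing an undocumented
# service on a TCM and a non-engineering host speaking TriStation.
SAMPLE_FLOWS = """
10.10.1.20 10.10.5.11 udp 1502
10.10.1.30 10.10.5.11 tcp 1500
10.10.1.30 10.10.2.40 tcp 443
10.10.7.99 10.10.5.12 tcp 4321
10.10.7.99 10.10.5.11 udp 1502
""".strip().splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed records, the script raises two alerts: one for the unknown TCP/4321 service on the second TCM and one for the TriStation flow from a host that is not the engineering workstation. The same logic belongs in the firewall policy as explicit allow rules with a default deny toward the SIS segment; the passive check is what tells you when that policy has been bypassed.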

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

【GREYCORTEX MENDEL AI Monitoring Software】Version 3.6.1 Released

GREYCORTEX has released the latest version of its MENDEL network traffic analysis solution. Version 3.6.1 brings important improvements and bug fixes.

ENHANCEMENTS

Improved Incident management

  • Added incident label management (custom labels)
  • Excluded false positive incidents by default
  • Possibility to add watchers from incident page form
  • Ability to change incident state
  • Changed PDF report title
  • Added time range into PDF report title page
  • Added new items into incident overview header in PDF report

  • Faster rendering of event queries in the lightbox
  • Removed user information from managerial/security reports and emails
  • Reworked firewall plugin compatibility with Palo Alto
  • Added no-reinstall recovery after motherboard replacement on DELL servers

FIXED ISSUES

In general, our development team focused on improving the user experience and reporting, together with further improvements to system stability and performance.

OFFICIAL MENDEL PRODUCT SUPPORT

Full-service support is provided for versions 3.6.x and 3.5.x. Limited service support is provided for the previous version, 3.4.x. Versions 3.3.x and older are no longer supported; end users with valid support and maintenance or an active software subscription can upgrade to a supported version.

The Importance of Network Access Control (NAC)

There is no doubt that your wireless network is a critical component of business operations. Strong wireless connectivity enhances productivity and flexibility, especially for organizations that have a Bring Your Own Device (BYOD) policy, IoT infrastructure components, contractors, guest users, and so forth. A wireless network is also inherently scalable, making it ideal for companies undergoing rapid growth. There are a number of daily usage scenarios, however, that can put your wireless network at risk.

Scenario 1: Rogue Devices
It’s inevitable…employees will bring their personal devices (smartphones, wearable watches, etc.) to the office, and a percentage of those will attempt to connect to your wireless network (some automatically). While they may only be connected briefly, they are nonetheless connected. If you can’t see them on the wireless network, you can’t control them – and that’s an unnecessary and avoidable risk to take.

Scenario 2: Guests
Occasionally, an employee might bring their kids to work. Kids being kids these days, they will likely want internet access to play a game or watch YouTube videos on their smartphones or tablets. If you’re lucky, they’ll simply rely on their cellular network to load this content, but if not…guess what? They will try to connect to the corporate wireless network. In this scenario, let’s hope you’ve set up some sort of accessible, internet-only, wireless network, designed to remain separate from the professional corporate network.

Scenario 3: Contractors
Many businesses hire contractors or consultancies to tackle specific projects. These individuals and groups will need network access for extended periods of time and will need to be granted access to company resources and sensitive, proprietary data. In this instance, you should be employing NAC across your wireless network in order to dictate and enforce the level of access these types of individuals receive based on internal policies.

How to Protect Your Wireless Network
Of course, these scenarios will mostly be harmless. They could, however, add attack surface to your network or serve as a foothold from which a wider attack, such as a DDoS, is launched. In recent years there have been several large DDoS attacks carried out from hijacked IoT devices, such as the 2016 Mirai botnet attack on the DNS provider Dyn.

Considering all of these potential risks to your enterprise network, here are a few security focus points to keep your operations safe:

  • Full coverage and awareness of every access scenario on your wireless network (via simplified 802.1X-based authentication and authorization services). This way you have full awareness of every device connecting to your networks at all times.
  • Auto-segmentation: automatically move unmanaged or unwanted devices off your wireless network into a different segment (e.g. internet-only). You should be able to classify every connecting device and place it in the correct segment according to your own classification. The right technology goes further with micro-segmentation, fine-tuning the segmentation of your internal network and offering automated actions to enforce it.
  • Immediate disconnect options: you should be able to remove devices from your wireless network, both automatically and manually, no matter where they are connecting from.

Wi-Fi provides fast and reliable connectivity for employees and visitors and enhances productivity, but if you do not know (or have technology that keeps track of) which devices are attempting to connect to your network, there is little you can do to stop them or to make sure they land on a harmless section of it. Awareness combined with automated protective actions lets you handle all of these scenarios while managing a large number of wireless devices across the enterprise.
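The three focus points above (awareness via 802.1X, auto-segmentation with an internet-only default, and immediate disconnect) form one decision per connection attempt. The toy policy engine below is an added example, not Portnox code, showing that decision for the rogue-device, guest and contractor scenarios described earlier. The VLAN names, the managed-device and contractor inventories, and the connection events are constructed; the contractor time window is an assumption used to show access expiring rather than persisting indefinitely.

```python
"""Toy NAC decision engine: segment each connecting device and decide whether
to disconnect it. Added example, not Portnox code. Policy table, VLAN names,
inventories and events are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed segment names.
CORP = "corp-vlan"
CONTRACTOR = "contractor-vlan"
GUEST = "internet-only"
QUARANTINE = "quarantine"

# Constructed inventory: MACs of managed devices, and contractor accounts with
# an engagement end time (epoch seconds). Both are assumptions for the example.
MANAGED_MACS = {"00:1a:2b:3c:4d:5e"}
CONTRACTOR_ACCOUNTS = {"acme-consultant": 1_700_000_000}


@dataclass
class Event:
    mac: str
    user: Optional[str]   # 802.1X identity; None if the device presented no EAP identity
    eap_success: bool     # True on RADIUS Access-Accept
    ssid: str
    now: int              # time of the connection attempt (epoch seconds)


@dataclass
class Decision:
    segment: str
    disconnect: bool
    reason: str


def decide(ev: Event) -> Decision:
    """Apply the policy in priority order.

    The default for anything unknown is the internet-only segment, never the
    corporate network; an authentication failure or an expired engagement
    triggers an immediate disconnect into quarantine.
    """
    if ev.ssid == "guest":
        return Decision(GUEST, False, "guest SSID is internet-only by design")
    if ev.user and ev.eap_success:
        if ev.user in CONTRACTOR_ACCOUNTS:
            if ev.now > CONTRACTOR_ACCOUNTS[ev.user]:
                return Decision(QUARANTINE, True, "contractor engagement expired")
            return Decision(CONTRACTOR, False, "contractor within engagement window")
        if ev.mac in MANAGED_MACS:
            return Decision(CORP, False, "managed device with valid 802.1X identity")
        return Decision(GUEST, False, "valid identity on an unmanaged (BYOD) device")
    if ev.user and not ev.eap_success:
        return Decision(QUARANTINE, True, "802.1X failure: possible credential misuse")
    return Decision(GUEST, False, "no 802.1X identity: unknown device pushed to internet-only")


def decide_all(events: List[Event]) -> List[Decision]:
    return [decide(e) for e in events]


# Constructed events covering the scenarios in the text.
SAMPLE_EVENTS = [
    Event("00:1a:2b:3c:4d:5e", "alice", True, "corp", 1_699_000_000),           # managed laptop
    Event("a4:83:e7:00:11:22", None, False, "corp", 1_699_000_000),             # employee's watch, no identity
    Event("dc:a6:32:aa:bb:cc", None, False, "guest", 1_699_000_000),            # visitor's tablet on guest SSID
    Event("f0:18:98:de:ad:01", "acme-consultant", True, "corp", 1_699_000_000), # contractor, engagement active
    Event("f0:18:98:de:ad:01", "acme-consultant", True, "corp", 1_700_100_000), # same contractor, engagement over
    Event("00:1a:2b:3c:4d:5e", "alice", False, "corp", 1_699_000_000),          # managed MAC, wrong credentials
]

if __name__ == "__main__":
    for ev, d in zip(SAMPLE_EVENTS, decide_all(SAMPLE_EVENTS)):
        action = "DISCONNECT" if d.disconnect else "allow"
        print(f"{ev.mac} {ev.user or '-':16} -> {d.segment:16} {action:10} ({d.reason})")
```

Two design points are worth noting. The corporate segment is reachable only through the combination of a valid 802.1X identity and a managed device, so a stolen password on a personal phone still lands on the internet-only segment; and the disconnect decision is computed from the same event as the segment, so enforcement does not depend on a later manual review.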


About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.