Security Issues Affecting Industrial Control Systems

by Lee Carter, Principal Engineer of Cyber Security at Capula

On 4th January, Common Vulnerabilities and Exposures (CVE) entries were released following a study undertaken by security researchers at Google’s Project Zero*, working with academic and industry researchers. The CVEs relate to a design flaw in processors designed by Intel, AMD and ARM that could lead to attackers gaining unauthorised access to devices. These flaws, known as Meltdown and Spectre, have been widely discussed over the last couple of weeks in the general press as well as in security circles, but how do they affect Industrial Control Systems (ICS), which hold your business’ most critical data?

Within the ICS domain, many DCS and SCADA platforms implemented over recent years use solutions based on the affected processor architecture. This poses a major risk to many business clients, especially those providing critical national infrastructure services, where service disruption, unavailability of plant or public exposure of sensitive information must be avoided to protect health and safety and business reputation, and to limit financial impact and customer disruption.

Whilst many companies are aware of these issues, ICS operators are not always able to apply the same rigour to system security patching because of the 24/7 operational nature of their systems, plus the additional testing, verification and performance validation that will be required prior to patching the live assets. There is, therefore, a potential for many ICS to remain unpatched and vulnerable to attack.

Both Meltdown and Spectre exploit flaws in processors in order to bypass memory isolation or to leak kernel memory in the operating system. Operating systems by design prohibit one application from accessing memory that is used by another. If memory isolation fails or is compromised, an adversary using a malicious application may be able to access sensitive information held in memory.

What you need to know

Meltdown (CVE-2017-5754) primarily affects Intel processors manufactured since 1995, excluding Itanium and Atom processors before 2013. This flaw could allow a hacker to bypass the hardware barrier between applications run by users and the computer’s core memory. To fix Meltdown, a software patch is required to change the way the operating system handles memory, which may have an impact on performance. In certain circumstances this patch can reduce system performance by as much as 30%.

Spectre (CVE-2017-5753 and CVE-2017-5715) also affects most processors made by Intel, AMD and ARM. This flaw may permit a hacker to trick applications into giving up information that could be sensitive. Spectre is harder to exploit; however, it is also more complex to remediate and is likely to present a longer-term risk than Meltdown.
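A read-only way to record where a Linux-based ICS host stands on the three CVEs above, without changing anything on the running system (an added example, not Capula's code). It assumes a Linux kernel that reports mitigation state under `/sys/devices/system/cpu/vulnerabilities`; the sample status lines are constructed for illustration.

```python
"""Read-only audit of Meltdown/Spectre mitigation status on a Linux host."""
from pathlib import Path

# Assumption: the kernel exposes one status file per issue in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> CVE named in the article
CHECKS = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}

# Constructed sample: Meltdown patch applied, Spectre variant 2 still open.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

def classify(status):
    """Map a status line (None when the file is absent) to a verdict."""
    if status is None:
        return "UNKNOWN"  # kernel does not report: treat as unverified
    text = status.strip()
    for prefix, verdict in (("Not affected", "NOT_AFFECTED"),
                            ("Mitigation:", "MITIGATED"),
                            ("Vulnerable", "VULNERABLE")):
        if text.startswith(prefix):
            return verdict
    return "UNKNOWN"

def read_sysfs(name):
    """Reader for a live host; it only reads files, it changes nothing."""
    try:
        return (SYSFS_DIR / name).read_text()
    except OSError:
        return None

def audit(read_status):
    """read_status(name) -> file content or None. Returns {cve: (verdict, detail)}."""
    report = {}
    for name, cve in CHECKS.items():
        status = read_status(name)
        report[cve] = (classify(status), (status or "not reported").strip())
    return report

def needs_review(report):
    """CVEs that still need patch qualification or manual investigation."""
    return sorted(c for c, (v, _) in report.items() if v in ("VULNERABLE", "UNKNOWN"))

if __name__ == "__main__":
    for cve, (verdict, detail) in audit(read_sysfs).items():
        print(f"{cve}: {verdict} ({detail})")
```

Running it before and after a vendor-certified patch window gives a simple record of what changed on each host.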

WannaCry (CVE-2017-0144), which was discovered in March 2016 and hit headline news in April, quickly became part of the hacker’s standard toolkit of exploits. It is likely that both Meltdown and Spectre will likewise be high on attackers’ list of first-to-try exploits for some time to come.

While it is important that systems are patched, it is equally important to ensure the process you run or the service you deliver to your customers isn’t jeopardised by patch management. After all, confidentiality and integrity are of little comfort if your process doesn’t offer reliable availability. Some of our partners are suggesting that these patches are not yet fully compliant with their software suite, and therefore should not be automatically applied unless certified by the vendor.

How Capula Can Help You

Capula has been designing, installing and supporting ICS running on Windows, UNIX, Linux and derivatives for over 40 years. Our engineers are skilled in supporting computer hardware from modern devices to legacy systems. Our approach is to review the risks and assess the impact before making changes to a critical running system which may compromise availability. We offer a bespoke approach to dealing with the latest challenges, to ensure that systems are fully patched, secured and that processes are not jeopardised. Our bespoke Cyber Security services include:

  • Security analysis
  • Performance benchmarking
  • Patch management
  • System analysis to confirm all systems operational and functional
  • Qualifying patches to ensure these are compliant with vendor systems

We offer this package as part of a one-off consultation or part of a service contract. Call us on 01785827300 to find out more.

For more information about protecting your ICS download our Tip Sheet

*The design flaws were originally discovered in processors designed by Intel, AMD and ARM on 1st June for Spectre and 28th July 2017 for Meltdown.