05 Jan 2018 Protecting Industrial Control Systems from Spectre and Meltdown
Meltdown is CVE-2017-5754, and Spectre is CVE-2017-5753 and CVE-2017-5715. All three vulnerabilities have to do with “predictive execution” behavior of modern Intel, AMD and ARM CPUs. Meltdown lets attack code steal information, such as passwords and encryption keys, from kernel memory, even in virtual/cloud environments. Spectre lets such code steal information from other parts of the same process the code is running in – for example in a browser, malicious ads can steal passwords and session keys from banking or e-commerce web pages.
Weaponizing these vulnerabilities against industrial control systems is straightforward. Spectre lets attackers steal remote access credentials and hijack Microsoft Edge, Google Chrome, Mozilla Firefox and other browser-based remote access sessions. Once an attacker has a foothold on an ICS network, Meltdown lets attack code steal system-level credentials and encryption keys, even across VM boundaries, enabling escalation of privilege.
The fixes for these vulnerabilities are challenging. The fix for Meltdown slows down interrupt-intensive applications by up to 30% – including applications that do a lot of disk I/O, or network I/O. The fix for Spectre is not as straightforward – the fixes are application-specific. Applications may need to be recompiled, reconfigured or sometimes redesigned, coded and tested to deal with these hardware issues, and every application is different. Spectre is likely to haunt application developers for at least the next decade.
The ability of Spectre to steal credentials and hijack web sessions means that web browsers on IT networks need to be patched and reconfigured as soon as possible. One reconfiguration that helps somewhat is “site isolation,” which can be enabled today in Chrome and Firefox with some memory performance impacts.
The changes needed to fix Spectre and Meltdown vulnerabilities more thoroughly are so extensive that costly and extensive testing will be needed before the updates can safely be applied to reliability-critical control systems. For example, Microsoft cautions that installing their Meltdown security update will cause “blue screens of death” on machines running certain software, such as older versions of some anti-virus engines, which is why the Microsoft update refuses to install when such engines are detected – at least the engines that Microsoft recognizes. In the very short term, what every control system owner and operator will be asking is “how long can we safely delay this very costly testing process?” and “do I need to drop everything and start testing and applying these fixes yesterday?”.
Impacts on Waterfall Customers
The answer to these important questions is “it depends on how exposed you are.” Waterfall’s Unidirectional Security Gateway customers, for example, are likely to take all of these alarming-seeming developments in stride. Yes, IT teams will be scrambling to secure Internet-exposed IT networks, but unidirectionally-protected ICS networks are at essentially no greater risk today than they were a week or a month ago.
Unidirectionally-protected networks are generally part of an overall security program that emphasizes physical and cyber perimeter protection over constant, aggressive patching. All cyber attacks are information after all, and if we can control the flow of information into our networks, we can control the flow of attacks. At Waterfall’s customers, we generally see unidirectional gateways allowing monitoring of industrial networks, without allowing any information, not even one bit, back into the network. This prevents malware propagation, hijacked remote access sessions and remote control of RAT-style malware. We also see strong removable media controls in place, media cleansing stations, and unidirectional file server replication to essentially eliminate the need for removable media.
Meltdown and Spectre vulnerabilities can only be exploited if stolen remote access credentials can be used by remote attackers, or if exploit code can reach the target ICS network in order to try to exploit the vulnerabilities. Neither is true with control systems using advanced, unidirectional protections. Waterfall customers are waiting for the Meltdown/Spectre updates to become available, and are scheduling those updates into long-term testing & re-certification plans.
Meltdown and Spectre vulnerabilities mean that owners and operators are in trouble, when their industrial control systems are protected from IT networks by only firewalls, software, encryption and passwords. As the Meltdown and Spectre vulnerabilities are weaponized over the coming weeks, the situation at such sites will become increasingly urgent. We feel for you.
For anyone who would like to explore what thoroughly-protected industrial networks look like, I recommend the best-selling “SCADA Security – What’s broken and how to fix it.” I suggest at least chapters 5 and 6, and maybe skim chapter 2 to pick up the book’s terminology.
For the duration of the Meltdown/Spectre emergency, Waterfall has offered to make copies of that book available free of charge to most owners, operators, security practitioners, educators and the press. Click here if you would like to request a copy. We wish you the best.