We can’t patch what we don’t catch – a lesson from Intel
18 May 2017
When covering for risk, best practice teaches us to categorize, measure and profile our vulnerabilities. Intel – the world’s largest and most highly valued semiconductor chip maker and inventor of the processors found in most personal computers – knows this process well. Countless tests are run by the manufacturer to ensure that problems are avoided and the technology carries out its functions without exposing its customers to unwanted threats.
Recently, however, a potential vulnerability turned into a worst-case scenario for the chipmaker. Intel has released a patch for a remote hijacking vulnerability which has been lurking in its Active Management Technology, Intel Small Business Technology and Intel Standard Manageability (all remote management and control systems for PCs) since 2008.
That’s right, 2008.
Through this flaw, attackers can log into a secondary CPU built into high-end Intel motherboards, a secondary CPU that is invisible to the main computer CPU and operating system, and of course to any anti-virus applications. Once inside the secondary CPU, attackers can control the computer’s hardware, enter keystrokes and mouse movements as if there were a person sitting at the computer, and of course install malware in the main computer. The vulnerability has a severity score of 9.3 out of 10.
Software-only security is never bulletproof
When computer manufacturers don’t have time to test every possible scenario before a circuit board or computer model is released to market, the routine mitigation strategy is to send out security or firmware patches, sometimes multiple times per year. Intel did just that, every year, for nearly a decade. Still, these circuit boards contained a remotely exploitable vulnerability that allowed an attacker to gain control of the manageability features provided by the boards. This is the nature of software – all of it has bugs and vulnerabilities, even software that is fully patched.
This does not bode well for networks protected exclusively by software – firewalls, intrusion detection systems, encryption systems and so on. The only safe assumption for software-protected networks is that those networks are constantly compromised. On IT networks, constant compromise may be manageable. When compromised computers are identified on an IT network, incident response teams can erase those servers and restore them from backup. On control system networks, however, we cannot restore damaged turbines or human lives “from backups”. Unlike on IT networks, even the briefest compromise of control system equipment and networks is generally seen as an unacceptable risk.
In addition, this software flaw is more serious than most, because the vulnerable firmware for the secondary CPU on the circuit board is not visible in many manual or automated software inventory systems. It may be difficult for affected organizations to determine which of their computers have this embedded capability and vulnerability, so that they can apply the updates. Worse, while Intel supplied the firmware fix to its computer manufacturer customers, it is not yet clear when the manufacturers will themselves pass on the fix to end users who have purchased the vulnerable computers.
The light at the end of the tunnel for ICS
Waterfall customers, of course, protect their most sensitive industrial networks with Unidirectional Security Gateways. One layer of gateways in a defense-in-depth network architecture prevents Internet-based attacks from reaching control system equipment and from issuing commands to parts of the control system that consist of always-vulnerable software, even fully-patched software.
If the world’s largest and most sophisticated chip maker can have a serious vulnerability lurking in its software systems for nearly a decade, we need to consider the risk we are taking when protecting our most critical control systems with software-only security. Waterfall has been protecting industrial networks through hardware-enforced unidirectional technology all over the world since 2007. Our products make it physically impossible for any Internet-based or IT-network-based attack to penetrate the ICS perimeter. This is a capability that is increasingly important in a world where firmware vulnerabilities are buried in places we didn’t even know were possible.