Thursday, April 17, 2014

Why "Heartbleed" will only require a Band-Aid in most ICS installations

(This article was originally posted on ISSSource on April 16, 2014 by Gregory Hale with contributions from Joel Langill)

Heartbleed may need a Band-Aid to close a few small wounds in the industrial control environment, but it surely does not need open-heart surgery.

Heartbleed is a flaw in OpenSSL versions 1.0.1 through 1.0.1f, in the library's implementation of the transport layer security/datagram transport layer security (TLS/DTLS) heartbeat extension (RFC 6520). A malformed heartbeat request makes a vulnerable endpoint reply with the contents of its own memory, which can disclose information that was supposed to remain private or protected by encryption.

The issue, tracked as CVE-2014-0160, allows an attacker to read up to 64 KB of memory from a process that uses the vulnerable OpenSSL library with every heartbeat request, and nothing stops the request from being repeated. That memory can hold secrets such as data transmitted in the session, usernames and passwords, or the server's private key. The flaw affects both ends of a connection, so a vulnerable client can be probed by a malicious server just as a vulnerable server can be probed by a client. OpenSSL 1.0.1g closes the hole.
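The mechanism behind "read process memory" is a missing length check. The following is an added example, not code from the article or from OpenSSL: a simplified model of the heartbeat handler as it behaved in 1.0.1 to 1.0.1f next to the 1.0.1g version, run against a constructed 512-byte arena that stands in for the process heap. The heartbeat record sits at the start of the arena and a made-up credential string (SECRET) sits right behind it; the random padding OpenSSL would append is replaced by a fixed byte. Function and constant names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: every heartbeat carries >= 16 bytes of padding */
#define ARENA_SIZE  512  /* constructed stand-in for the process heap */
#define PROBE_CLAIM 200  /* payload length the malicious request claims */

/* Constructed "other session state" that happens to sit after the record in memory. */
static const char SECRET[] = "user=admin&pass=Tr0ub4dor&3";

/* Shared tail of both handlers: echo 'payload' bytes back, then append padding. */
static int send_response(const uint8_t *rec, uint16_t payload,
                         uint8_t *out, size_t out_cap)
{
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);           /* copies whatever follows the header */
    memset(out + 3 + payload, 0xAA, HB_PADDING); /* stand-in for random padding */
    return (int)resp_len;
}

/* OpenSSL 1.0.1 to 1.0.1f, simplified: the peer's 2-byte payload_length is
 * trusted, so the memcpy above walks past the end of the received record. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    (void)rec_len;                               /* BUG: never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    return send_response(rec, (uint16_t)(rec[1] << 8 | rec[2]), out, out_cap);
}

/* OpenSSL 1.0.1g: silently discard a heartbeat whose header, declared payload
 * and minimum padding do not all fit inside the record actually received. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)(rec[1] << 8 | rec[2]);
    if (3 + (size_t)payload + HB_PADDING > rec_len) return -1; /* the added bounds check */
    return send_response(rec, payload, out, out_cap);
}

/* Put one heartbeat request at the start of the arena and SECRET right behind
 * it. malicious=1 claims PROBE_CLAIM payload bytes but actually sends one.
 * Returns the length of the record that was really received. */
static size_t build_arena(uint8_t *arena, int malicious)
{
    uint16_t claimed = malicious ? PROBE_CLAIM : 5;
    size_t   actual  = malicious ? 1 : 5;
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xFF);
    memcpy(arena + 3, "hello", actual);
    memset(arena + 3 + actual, 0x11, HB_PADDING);
    size_t rec_len = 3 + actual + HB_PADDING;
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Run one request through the chosen handler; response length or -1 if discarded. */
static int run(int use_fix, int malicious, uint8_t *resp, size_t cap)
{
    uint8_t arena[ARENA_SIZE];
    size_t rec_len = build_arena(arena, malicious);
    return use_fix ? heartbeat_fixed(arena, rec_len, resp, cap)
                   : heartbeat_vulnerable(arena, rec_len, resp, cap);
}

int probe_len(int use_fix, int malicious)
{
    uint8_t resp[ARENA_SIZE];
    return run(use_fix, malicious, resp, sizeof resp);
}

/* 1 = SECRET came back in the response, 0 = answered without it, -1 = discarded. */
int probe_leaks(int use_fix, int malicious)
{
    uint8_t resp[ARENA_SIZE];
    int n = run(use_fix, malicious, resp, sizeof resp);
    if (n < 0) return -1;
    for (size_t i = 0; i + strlen(SECRET) <= (size_t)n; i++)
        if (memcmp(resp + i, SECRET, strlen(SECRET)) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, malicious: %d-byte response, leaked=%d\n", probe_len(0, 1), probe_leaks(0, 1));
    printf("fixed, malicious: discarded=%d; fixed, benign: %d-byte response, leaked=%d\n",
           probe_leaks(1, 1) == -1, probe_len(1, 0), probe_leaks(1, 0));
    return 0;
}
```

The malicious request is 20 bytes long but claims a 200-byte payload; the vulnerable handler answers with 219 bytes, 180 of which were never sent and include the credential string that happened to follow the record in memory. The 1.0.1g handler discards the same request and still answers the benign 5-byte heartbeat. The comparison it adds, declared length against what the record actually carries, is also the mismatch a network signature for this attack has to look for.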

“We all know the importance of protecting information ‘privacy’ or ‘confidentiality’ through the use of encryption,” said Joel Langill, founder of Infrastructure Defense Security Services. “In general, this problem represents moderate risk to ICS, but can be managed, as I would not expect a large number of devices to possess this vulnerability. The devices that I am most concerned about would be security devices like firewalls and VPN switches used at the perimeter that typically communicate over public networks, and utilize SSL/TLS as one form of encryption.”

Encryption in and of itself is a good thing when it comes to securing communications; the problem here is a defect in one widely used implementation of it, which turns a protective mechanism into a way for an attacker to reach the end user's secrets.

“One very common means of performing this encryption over networks is based on the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) mechanism,” he said. “This mechanism is used in everything from web access, to email, some VPNs, and even communication with ICS components.”

“The basis of this encryption is the use of cryptographic keys, which in the case of servers using OpenSSL that are vulnerable (Heartbleed is a vulnerability in the OpenSSL crypto library) could allow an actor to extract these keys, as well as the usernames and passwords used to create the secure connection and the data exchanged in the encrypted session from the memory of the vulnerable server,” he said.

That is the bad news and the possible attack. The good news is that OpenSSL is not part of Microsoft's platform: Windows, Internet Information Services and Exchange use Microsoft's own TLS implementation (SChannel), which does not share this flaw.

“Microsoft does not implement OpenSSL in their platforms, so the largest majority of ICS hosts that reside in level 2 and level 3 applications are not vulnerable,” Langill said. “This would include typical ICS servers, application servers, historians, ancillary applications (asset management, condition monitoring, etc.). The area of concern within the ICS environment is now strictly focused on (a) embedded devices that are not based on a Windows OS — this means not only the obvious WinXP, Win7, 2003, 2008, etc. but also WinCE, XP Embedded, etc., (b) that provide SSL/TLS encryption, typically in the form of an HTTPS session, and (c) that have it enabled under normal circumstances.”

With security awareness continuing its growth curve in the industry, this could allow for a more enlightened conversation between users and suppliers.

“We all expect that the major vendors will follow Siemens' lead and provide a statement as to the fact that they have investigated their products and that they are or are not vulnerable,” Langill said.

Additional Resources
Heartbleed Dashboard - SCADAhacker.com
ISSSource - tag "Heartbleed"
IDS Signatures for SNORT/Suricata (ICS-CERT | FBI)
The Heartbleed Bug
ICS-CERT
