“The results of omissions of fairly rudimentary controls”
Industrial switches used to build networks in the oil and gas and maritime logistics sectors, as well as broader critical national infrastructure (CNI) are rife with security vulnerabilities, according to cybersecurity company Positive Technologies.
The Framingham, Massachusetts-based company said it had identified five vulnerabilities in US-based Moxa’s EDS-405A, EDS-408A, and EDS-510A series switches, including three that are “highly dangerous” and seven in the IKS-G6824A switches.
These include the default plain text storage of passwords, improper web interface access control that allows ostensibly “read-only” users to alter configurations, and web server cookie value that is not generated with proper encryption, so attackers can reuse it to recover an administrator’s password, and worse.
The switches did also not have sufficient measures in place to prevent multiple failed authentication attempts, which makes the switches susceptible to brute force attacks.
The find is just the latest indication that the Industrial Internet of Things (IIoT) remains a dangerously insecure space.
Moxa, which boasts customers in 70 countries and says it has connected over 30 million devices has pushed out firmware updates and urged users to disable web console access.
Paolo Emiliani, Industry and SCADA Research Analyst at Positive Technologies, explained: “A vulnerable switch can mean the compromise of the entire industrial network. If ICS [Industrial Control Systems] components are parts of the body, you can think of network equipment as the arteries that connect them all. So disruption of network interactions could degrade or even stop ICS operations entirely.”
Positive Technologies experts said they advise the disabling all unneeded equipment features (such as the management web interface) immediately after setup.
“If features cannot be disabled, companies should take preventive action to detect malicious activity with the help of an ICS monitoring and incident reaction solution”, the company said in release on Monday.
Vulnerabilities in Industrial Switches No Anomaly…
The research follows a Trend Micro security report that found radio frequency tools in widespread industrial use are easier to hack than an average garage door and Positive Technologies’ report is just the latest in a string of finds that reveal the extent to which operational technology is dangerously insecure.
Responding to the flaws, Ofer Maor, director of solutions management at Synopsys, said: “Looking at the list, some of these vulnerabilities are results of omissions of fairly rudimentary controls, which is another indication that not much effort has been put into the security of these systems. Unfortunately, this is not surprising.”
“The historically secluded nature of critical infrastructure devices (i.e. they are on dedicated networks that were not connected to the internet) allowed them to ‘stay under the radar’ as far as attack surfaces go, and allowed the vendors, or at least some of them, to keep ignoring security. Like with any type of software, there is no magic pill here. Vendors of critical infrastructure devices and software, much like any other IoT vendor, must build secure development programs, starting with secure architecture, through secure coding, training of developers, and implementing of rigorous automated and manual testing procedures for security, much like they do for quality.”
The 2018 SANS Industrial IoT Security Survey paints a picture of a desperately troubled security environment for those in the operational technology (OT) sector.
“Lack of control over development processes and complex supply chains aggravates end user concerns”, said Sid Snitkin, VP, cybersecurity services for the ARC Advisory Group responding to that report.
He added: “Managing endpoint security updates and patches is another daunting challenge. Plant staffs are already overwhelmed with security hygiene tasks for existing assets. There is no bandwidth for coordinating security patches from a multitude of different OEMs. Likewise, few plants have the kind of secure remote access needed to enable direct management by the OEMs”