Is Compliance with Security Standards Enough?
July 25, 2022 | Robert Bergman
Vedere Labs, the cyber security research arm of Forescout Technologies, analyzed control products of 10 of the largest control system providers and identified 56 cyber security vulnerabilities. They said that hackers exploiting these vulnerabilities could gain network access to a target device on which they could remotely execute code, change the logic, files or firmware of OT devices, bypass authentication, compromise credentials, cause denials of service or have a variety of operational impacts.
The researchers were especially concerned that the vulnerabilities were in products often deployed in critical infrastructure industries such as oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and building automation. The following are among their findings.
- Designs lack basic security controls.
- More than one-third of these vulnerabilities allow for compromise of credentials, with firmware manipulation coming in second and remote code execution (RCE) third.
- Nine vulnerabilities related to unauthenticated protocols or broken authentication schemes.
- 74% of the product families affected by the vulnerabilities found have some form of security certification.
- Vulnerabilities in OT supply chain components tend not to be reported by every affected manufacturer.
Insecure by design
Most of the vulnerabilities they discovered differed from the common vulnerabilities and exposures (CVEs) that ICS CERT Advisories catalogue. These, they feel, are often brushed off as faults specific to a vendor or asset owner. They sought to provide a “more quantitative overview” of OT vulnerabilities that would relate to intentional design-related decisions. These ranged from “persistent insecure-by-design practices in security-certified products to subpar attempts to move away from them.”
They found this especially troublesome because many of these products were marketed as being secure by design or compliant with cyber security standards that guide designs. Of the products examined, 18 percent had IEC 62443 certification, 26 percent had Achilles L1, 18 percent had Achilles L2 and 9 percent were based on IEC 62443, but not actually certified.
Do standards matter?
While the researchers acknowledged that standards-driven hardening efforts have certainly contributed to major improvements in OT security, they do feel that for the most part the standards have been less successful at “maturing secure development lifecycles for individual systems and components.”
They call for device manufacturers to “properly secure OT devices and protocols, for asset owners to actively procure for secure-by-design products and for the wider security community to ensure that security controls are robust rather than merely functional.” They also invite other researchers, device vendors and the cybersecurity community at large to collaborate on future research.
For more details on how Bedrock secure-by-design control technology checks off, and often exceeds, the requirements of most cyber security standards bodies, see the Bedrock Revolution White Paper Series.