The recently disclosed Spectre and Meltdown vulnerabilities, which affect hardware running in the majority of the world’s computing devices have made headlines recently. The list of at risk equipment includes workstations, servers, phones, tablets, as well as Microsoft Windows, Linux, Android, Google ChromeOS, Apple macOS on most Intel chips manufactured after 2010. Many AMD, ARM and other chipsets are also affected.
Spectre and Meltdown are different, but related. Spectre comprises two vulnerabilities: CVE-2017-5753 (bounds check bypass) and CVE-2017-5715 (branch target injection), while Meltdown consists of CVE-2017-5754 (rogue data cache load).
These vulnerabilities make systems susceptible to ‘side-channel’ attacks, which rely on physical hardware implementation, and do not directly attack the logic or code. These types of attacks generally include things such as tracing electromagnetic radiation (i.e. TEMPEST), monitoring power consumption, analyzing blinking lights, cache analysis, etc.
Which devices are at risk?
Whether or not a specific device is at risk depends on multiple factors, such as chipset, firmware level, etc. Needless to say, we can expect substantial research and patching in the near future.
Many HMIs, panels, and displays utilize the affected chips. Some PLC manufacturers are still assessing the threat.
Many systems that support industrial controllers such as automation systems, batch control systems, production control servers, printers, OPC Systems, SCADA systems, peripheral devices, and IIoT devices including cameras, sensors, etc., are likely vulnerable. However, Spectre and Meltdown vulnerabilities in these systems does not necessarily mean industrial control devices are at risk.
What is the impact to industrial control devices and systems?
The Spectre and Meltdown vulnerabilities can be used to compromise a device, allowing an attacker to access privileged data in the system. The vulnerabilities do not grant access to the system, they only enable attackers to read data that should otherwise be restricted. In other words, an attacker still needs to break into the system to execute the attack.
While this is a serious threat in systems with multiple users, like a cloud solution for example, it doesn’t pose a high level of risk in single-user systems.
To use an analogy, these vulnerabilities essentially enable you to read people’s minds — as long as you’re in the same room with them. You could access data that’s meant to be private, such as secrets, confidential or sensitive information, and more.
If you’re in a room by yourself, you already have access to all the secrets of the people in that room – i.e. yourself. What’s the point of executing an attack on your own mind, if you already have access to it?
In a nutshell, that’s the idea behind Spectre and Meltdown. They’re effective in a multi-tenant environments where one user’s secrets must be kept private from other users.
Since ICS environments are not multi-tenant, these vulnerabilities do not enable access to any data not already available to anyone with system access.
What can be done to mitigate the risk?
First and foremost, being aware of what exists in the ICS environment is critical, since undocumented devices can’t be secured. Therefore, automated asset inventory tools are essential to understanding what equipment is at risk and requires attention.
Next, having in-depth visibility into asset inventory is vital. Without this, you’re left with a list of industrial devices that must be manually examined to determine whether their specific hardware module is affected.
Automated ICS asset inventory tools are also valuable for identifying vulnerable devices and tracking patching efforts.
Finally, in order to exploit these vulnerabilities, an attacker needs access to the network. This emphasizes the importance of having a network monitoring system, which can identify anyone connecting into the network, as well as communicating with or modifying key assets.