The Cybersecurity and Infrastructure Security Agency (CISA) issued critical advisories on December 12 and 7, 2023, spotlighting vulnerabilities in Industrial Control Systems (ICS) from major industry players like Schneider Electric, Mitsubishi Electric, and Johnson Controls. These advisories underscore the escalating cybersecurity challenges facing ICS.
List of CISA Advisories:
ICSA-23-346-01 Schneider Electric Easy UPS Online Monitoring Software
ICSA-22-356-03 Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update B)
ICSA-23-341-01 Mitsubishi Electric FA Engineering Software Products
ICSA-23-341-02 Schweitzer Engineering Laboratories SEL-411L
ICSA-23-341-03 Johnson Controls Metasys and Facility Explorer
ICSA-23-341-05 ControlbyWeb Relay
ICSA-23-341-06 Sierra Wireless AirLink with ALEOS firmware
These CISA advisories severs as the timely reminder that the cybersecurity landscape for Industrial Control Systems (ICS) has become increasingly perilous, with a surge in sophisticated cyber threats targeting these critical systems. A prime example is the Stuxnet attack, which emerged as a highly advanced attacks specifically designed to target ICS.
As suggested in the CISA's advisory, the #1 best practice to "Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet".
The Challenge of Unknowingly Exposed ICS Systems
CISA's recommendation highlighs the criticality of asset discovery and visibility in cybersecurity. The difficulty lies in identifying how these ICS systems are exposed. Automated systems can proactively identify exposed ICS systems, but unfortunately, attackers can exploit the same technology for malicious purposes.
Taking Schneider Electric as an example, let’s explore its EGX system. This system is known for delivering innovative energy management and automation solutions.
Attackers can find such devices by scanning for TCP port 502 for targeted IP ranges. Here's is an example response from an IP hosted in Switzerland.
Unit ID: 0Unit ID: 1-- Slave ID Data: <omit here>Unit ID: 255-- Device Identification: Schneider Electric EGX200 5.000 There might be an assumption that attackers would overlook port 502, as it's not commonly targeted like ports 22 (SSH), 445 (SMB), or 3389 (RDP). However, this underestimates the sophistication of cyber threats. The Modbus protocol, integral to industrial device communication, has been a standard since its creation in 1979 by Modicon (now part of Schneider Electric) for use with PLCs. As a widely recognized protocol in industrial settings, Modbus typically uses port 502 for TCP communication. This knowledge is not proprietary; it's part of the Modbus standard. In fact, port 502 often is hardcoded in devices, as detailed in Schneider Electric's FAQ documentation. This standardization, while useful for legitimate purposes, also simplifies an attacker's task of locating vulnerable systems. As we all know, security through obscurity is never a viable defense,
Proactive Measures with C2SEC's XSPM:
In this evolving threat landscape, it's crucial to take proactive measures. C2SEC's XSPM platform offers a powerful solution. It enhances capabilities to discover, classify, and manage digital assets, including those in ICS environments. Specifically,
Advanced Discovery: With C2SEC’s XSPM, organizations can gain comprehensive visibility into their digital ecosystem, identifying vulnerable ICS components that may be exposed.
Risk Classification and Management: The platform aids in classifying and prioritizing risks, enabling targeted and effective risk mitigation strategies.
Continuous Monitoring: C2SEC's solution offers continuous monitoring and assessment, ensuring real-time insights into the security posture of ICS assets.
Conclusion:
As the ICS threat landscape evolves, the need for robust security measures becomes more acute. C2SEC's XSPM platform emerges as an essential tool, offering the advanced capabilities needed to safeguard ICS environments and maintain operational resilience.