I recently read a research
by Claroty on their work detecting vulnerabilities in various OPC
protocol stacks. The vulnerabilities were disclosed and ‘corrected’ last year
by the vendors identified in the report. It is an interesting report, though
perhaps a little to cyber geek for my level of expertise, but certainly a worthwhile
contribution to the cybersecurity literature. It does, however, leave an
important question unanswered.

The vendors identified in this report, like those that have
been recently reported in TCP/IP stack vulnerabilities, are not vendors (or at
least the affected products) that control system owner/operators typically deal
with on their plant floors. The vulnerable products are used, however, as
third-party components of many of those products in everyday industrial control
system settings. We have seen only a limited number of advisories about these
vulnerabilities in vendor products that are being bought by industry. Does that
mean that these vulnerabilities do not impact the actual owner/operators of
control systems? That is the $64 million question.

In some unknown number of cases, vendors may have already
included in their equipment design programming ‘fixes’ that mitigate these third-party
vulnerabilities. They may not even have known that they were mitigating
vulnerabilities. Unrelated design decisions and program utilizations may have
already taken care of the problems.

In an equally unknown number of cases, vendors are working
hard at correcting the problems caused by these vulnerabilities by either
incorporating the updated third-party software or specifically reworking their
programming to neutralize the effects of the vulnerabilities.

Unfortunately, the third case, again in an unknown number of
cases, the vendor is quietly holding their breath and hoping that no one will
notice that their equipment is vulnerable to these third-party vulnerabilities.

How is an owner/operator of a control system to know which
case applies to the systems in use on their production floor? There is not a
good answer to that question. Aside from taking the proof-of-concept code
available in research reports like those in the Claroty UPA paper and crafting
a test of their own equipment (and how many owner/operators have that level of
engineering support on hand?) there is not currently a good way to know.

The researchers who report these vulnerabilities do not have
the time, and most certainly not the resources, to test every possible control
system device to see if it is affected by these third-party type
vulnerabilities. What they could do, with some unknown level of additional
effort, is to provide code testing protocols for owner/operators to use to test
their systems to see if they would be impacted by the vulnerabilities. This
could even be a product that they could sell to help compensate them for the
extra work.

By admin