Spectre and Meltdown are two newly discovered vulnerabilities that affect hardware running in the majority of the world’s computing devices. Chances are, every netizen has an affected device within his or her proximity.
Just about every machine with a modern processor is impacted, ranging from workstations to servers to phones and tablets.
This includes Microsoft Windows, Linux, Android, Google ChromeOS, Apple macOS on Intel and ARM processors. Most Intel chips manufactured after 2010 are vulnerable, while many AMD, ARM and other chipsets are also affected.
Spectre and Meltdown are different, but related. Spectre comprises two vulnerabilities: CVE-2017-5753: bounds check bypass and CVE-2017-5715: branch target injection, while Meltdown consists of one - CVE-2017-5754: rogue data cache load.
These vulnerabilities make systems susceptible to what are called ‘side-channel’ attacks, which rely on physical hardware implementation, and do not directly attack the logic or code. These types of attacks generally include things such as tracing electromagnetic radiation (i.e. TEMPEST), monitoring power consumption, analyzing blinking lights, cache analysis, etc.
Since IT, IoT, and IIoT devices are widely prevalent and infrequently updated, the presence of vulnerable devices may remain in production environments for generations to come.
What's the Impact of the Hack?
If one of these vulnerabilities is used to compromise a device, this could give an attacker access to privileged data in the system. The vulnerabilities do not grant access to the system - they only enable attackers to read data that should otherwise be restricted. In other words, an attacker still needs to break into the system to execute the attack.
Whereas this might sound “encouraging,” it's actually a critical concern in systems with multiple users, where data from one space of memory belonging to a user should still be isolated from others.
Simply put, in shared or multi-tenant environments, such as a virtual, cloud, or any other multi-user environment, strict barriers must exist between users. Otherwise, any cloud customer could access data belonging to other customers sharing the same CPU.
The same compartmentalization occurs within applications, which need to be isolated from each other. For example, a web browser shouldn't have direct access to data the Windows operating system uses to store passwords or other sensitive information.
Every operating system implements multiple levels of security to prevent this behavior from happening - including Windows UAC, SELinux, and more. For that reason, it turns out that the Spectre and Meltdown vulnerabilities may not be as bad as you think, particularly if you’re not a cloud user.
Breaking Down Spectre and Meltdown in Layman's Terms
Imagine, for a moment, that you’ve been newly bestowed with:
Spectre Meltdown Mindreading Capability
For the sake of brevity, let’s call it SMMC. SMMC gives you the ‘power’ to read someone else’s mind, as long as you’re both in the same room.
Your SMMC can work on almost anyone, anywhere - the mall, theater, and even poker tables in Vegas. Regardless of your location, you can read the minds of others, as long as you're in the same room with them. You now have access to data that’s meant to be private, such as secrets, confidential or sensitive information, and more.
SMMC doesn’t work remotely; you must be in close proximity to the other person and in the same room. In addition, you need to be granted permission to enter this room (i.e. in Vegas, you have to be at least 21 years of age to enter certain casinos).
Now, let’s imagine a different scenario: you’re in your own room, by yourself, and you use SMMC to gain access to your own data. Aside from the potential mind-mirror exploding aftermath, what’s the point of executing an attack on your own mind? You already have access to the data, and you can recall it at will.
In a nutshell, that’s the idea behind Spectre and Meltdown. They’re effective in a multi-tenant room where more than one person’s secrets must kept private.
However, there’s no point in executing an attack in a room with only one owner, since technically, there are no secrets. As long as you’re the only person who will ever occupy the room, your data is safe – even though you’re still vulnerable to attack.
Why Spectre and Meltdown and Receiving Major Media Coverage
Spectre and Meltdown have generated coverage in mainstream media due to the sheer number of systems they’ve impacted. Nearly everyone owns a device that’s vulnerable to attack.
However, being vulnerable doesn’t necessarily mean you’ll be impacted by the bug itself. Sometimes, as in the case of the Microsoft patch, the cure causes the pain, not the attack itself.
Another example is the impact of the Meltdown/Spectre patch on Rockwell FactoryTalk, which resulted in outages on FactoryTalk Servers. As of now, the patch has not yet been tested by Rockwell, and is currently not approved for use on any FactoryTalk systems (it may not be for some time to come...)
The mitigations are still a topic of considerable debate. A few have negatively impacted performance, rendering systems unusable and creating other problems still being resolved by various vendors and user communities. Some patches are no longer available to the public, and have yet to be re-issued.
What's the Impact of Meltdown and Spectre on Industrial Control Systems?ICS environments encompass different types of equipment, including but not limited to:
- Windows workstations (engineers)
- Windows servers (DNS, AD, etc)
- Linux servers (Historians, Firewalls, automation systems)
Almost all ICS networks are vulnerable to attack. Whether or not a specific device is at risk depends on multiple factors, such as chipset, firmware level, etc. Needless to say, we can expect substantial research and patching in the near future.
Many HMIs, panels, and displays utilize the affected chips. Some PLC manufacturers are still assessing the threat. Many systems that support industrial controllers such as automation systems, batch control systems, production control servers, printers, OPC Systems, SCADA systems, peripheral devices, and IIoT devices including cameras, sensors, etc., are most likely vulnerable.
How Can Indegy Help Mitigate these Vulnerabilities?
First and foremost, being aware of what exists in your ICS environment is critical to securing it successfully. You can’t secure what you’re not aware of. In turn, having an automated asset inventory in your toolbox is essential to understanding what equipment is at risk and requires attention.
Next, having in-depth visibility into your asset inventory is vital. Without this, you’re left with a list of industrial devices that must be manually examined to determine whether their specific hardware module is affected.
An automated ICS asset inventory is key to identifying vulnerable assets and tracking patching efforts. An industrial cyber security solution such as Indegy automatically gathers this information from industrial devices, and makes it available in its Asset Inventory.
Finally, in order to exploit these vulnerabilities, an attacker needs access to the network. This emphasizes the importance of having a network monitoring system, which enables you to identify anyone connecting into the network, communicating with or modifying key assets.
Patching Vulnerable Systems in Industrial Environments
Patching systems in ICS environments is by no means a trivial process, as these systems are often required for ensuring the safety and stability of industrial processes.
Indegy can assist organizations with the patching process in two ways:
- Monitoring Patching Progress
Indegy enables you to see which systems have been patched, and which ones are still vulnerable. If a system isn’t patched by mistake, Indegy will bring this to your attention.
- Monitoring Personnel and Systems Involved in Patching
Chances are that multiple people will deploy various mitigations/patches, firmware updates, etc. on a variety of platforms, ranging from workstations to servers, PLCs, HMIs ,and IIoT devices. This may result in a number of individuals, in a variety of roles, from different organizations, potentially entering your production environment.
How will you know what each person is working on? Can any of their activities cause disruptions to your industrial processes? What about usage of unmanaged third party laptops which may be compromised? Or cases where remote connections are opened to enable the needed work? All of these can expose your industrial systems to undesired threats.
With Indegy, you can monitor ICS systems safely as employees and external contractors come and leave the plant, or when they connect and disconnect from your network. The platform enables you to track all their activities and get real-time alerts on any unauthorized or suspicious activities.
Indegy empowers you to confirm that your mission-critical industrial control systems haven’t been touched by any unauthorized users, and no mistakes were made while attempting to update your systems. Contact us if you'd like to learn more about how Indegy protects industrial control systems.