At the beginning of July, Rockwell Automation released a security advisory about a vulnerability in one of its products. Working with the U.S. government, the company said it had become aware that a state-backed hacking unit had developed the ability to run malicious code on the communication modules of an industrial controller.
The company wouldn’t identify who had this ability to attack its products and an accompanying advisory from the Cybersecurity and Infrastructure Security Agency said there were no known instances of the vulnerability being exploited in the wild.
It’s rare that vulnerabilities affecting industrial control systems that are targeted by hackers working on behalf of nation states are discovered before they are exploited. By publicly revealing the vulnerability and urging customers to patch their system, Rockwell may have effectively burned the ability of a foreign intelligence agency to attack U.S. critical infrastructure systems.
But computer security researchers caution that advisories of this nature often lack key information, causing delays in addressing them. While alerts affecting nation states targeting industrial control systems may require a measure of secrecy, computer security researchers argue they are too often stymied in obtaining information they need to fix vulnerabilities.
Advisories such as Rockwell’s provide a rare window into how advanced hacking groups target industrial systems and prompted researchers at Forescout Technologies to look more closely at how Rockwell hoped to fix their systems. Aiming to write threat detection rules for their customers, the researchers found discrepancies in the detection rules and the patches released by the firm.
“We took the patched version and the unpatched version of the firmware and we looked at the code for what was actually patched and what was not,” said Daniel dos Santos, head of security research at ForeScout.
The researchers found bits of code that were changed in the patch that were not mentioned in the detection rules issued by the vendor. An email service had portions of the code patched but that fix was not addressed in the detection rules released by Rockwell. Another proprietary service called “Spy Object” was found in the mitigation rules but the patch did not touch that portion of code. And even if patches were applied, Forescout researchers concluded that an attacker could still move through an infected network, a phenomenon the company calls “deep lateral movement.”
The Rockwell alert points to the possibility that the vulnerability might be exploited to manipulate firmware on targeted systems to achieve persistence, a suggestion that Forescout’s researchers argue could indicate that the discoverer of the vulnerability also has reviewed a piece of malware that could be used to exploit the vulnerability.
“This suggests that whoever uncovered this capability with the unnamed advanced persistent threat (APT) may have also uncovered an as-of-yet undisclosed post-exploitation payload focusing on firmware manipulation and persistence,” Forescout’s report notes.
“I do understand that when you are working with the government there is a level of ‘secrecy’ that is required,” dos Santos said. “They say that they found something. Let’s believe them; I’m not saying they’re not right. But it’s like where are the details? How can we as a community share things that then can be analyzed by everybody?”
When U.S. cybersecurity officials last year revealed the existence of the malware known as “Pipedream”, described as a highly capable tool for attacking industrial control systems, researchers were once again left with scant technical details about the program.
More broadly, the lack of detailed information about vulnerabilities in industrial control systems is a common enough problem that it can be safe to assume that vendors are leaving information out in vulnerability disclosures, dos Santos argues.
Rockwell did not respond to requests for comment.
Asked about the lack of detail regarding the Rockwell vulnerability, a spokesperson for CISA pointed to its coordinated vulnerability disclosure process, which works with vendors to release information to the broader public about a particular vulnerability.
Rockwell’s ControlLogix controllers are typically used in manufacturing environments and include control, safety logic and communication services that allow components to talk to other systems in the network. The controllers are separate modules that can be attached to a chassis depending on the facility’s needs and unique configuration.
“This is similar to a laptop, where the CPU, hard disk and networking cards connect via the motherboard and the user can replace each of these ‘modules’ for another compatible one,” dos Santos explained in an email.
The vulnerability in the communication module could allow hackers to connect to the other modules on the chassis or the network like a logic or safety controller, which could lead to disabling safety constraints.
The Rockwell alert notes that the company is not aware of any exploitation of the vulnerability “and the intended victimization remains unclear,” however it’s likely that it was developed to target critical infrastructure sectors.
Ron Fabela, CTO at cybersecurity firm XONA Systems, said that for industrial control system vulnerabilities, “it’s no longer useful to just know what is affected, but asset owners and defenders need to know what to do about it.”
“Similarly, any time we read the latest threat research report on APT activity in ICS there often lacks a ‘so what’ or ‘what now’ analysis, leaving research companies with just awareness of the problem but little practical application outside of the event specifics,” Fabela said.
After releasing the July patch, Rockwell published an additional alert in September for the same communication modules. This time around, the patch changed code in the email service that was also patched in the previous release. However, Rockwell said that this new vulnerability did not have to do with the previous one that was discovered by state hackers.
“It’s just very confusing,” dos Santos said.