Critical Infrastructure Targeted By 'Nightmare' Global Threat

ICS-CERT has issued a warning about a buffer overflow vulnerability affecting the Ecava IntegraXor SCADA system

The potential ramifications are “the stuff of modern-day nightmares,” according to Ross Brewer, vice president and managing director for international markets at LogRhythm. The product is widely deployed and used in several areas of process control in 38 countries, with the largest installations based in the UK, US, Australia, Poland, Canada and Estonia. An exploit could knock the systems completely offline, or allow an attacker to inject malicious code into systems that are used for remote monitoring and control of physical processes.

“If the flaw was to be exploited, the consequences would be devastating, particularly given 38 countries could be affected,” Brewer said via email. “More needs to be done to ensure these types of security gaps are spotted immediately.”

Unfortunately, a public proof-of-concept exploit has already been spotted, according to ICS-CERT. The vulnerability is exploitable by using a command to load an arbitrary resource from an arbitrary DLL located in the program’s main folder.

ICS-CERT said that it is attempting to coordinate with the vendor and security researchers to identify mitigations. In the meantime, it recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability by reducing network exposure for all control system devices and systems, ensuring that they are not accessible from the internet. Companies should also locate control system networks and devices behind firewalls, and isolate them from the business network.

If remote access is required, employ secure methods such as VPNs, recognizing that a VPN is only as secure as the devices connected to it: a compromised VPN client is simply another path into the control network.
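The segmentation guidance above, expressed as a small first-match firewall policy model so the rule set can be checked against sample flows. This is an added example and is not code from the article, ICS-CERT or Ecava; the subnets, the HMI port and the rule names are hypothetical, and the flows are constructed. It also shows the ordering mistake that silently breaks the intended VPN exception.

```python
"""First-match policy model of the ICS-CERT segmentation guidance.

Added example, not from the article or the advisory. All subnets, ports,
rule names and sample flows below are hypothetical/constructed. Evaluation
is first-match, as in most packet filters, so rule order matters.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

CONTROL_NET = "10.10.0.0/16"   # hypothetical control-system VLAN (SCADA/HMI hosts)
BUSINESS_NET = "10.20.0.0/16"  # hypothetical business LAN
VPN_POOL = "10.30.0.0/24"      # hypothetical address pool handed to VPN clients
HMI_PORT = 8080                # hypothetical port the SCADA HMI listens on


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR, or "any"
    dst: str              # CIDR, or "any"
    dport: Optional[int]  # None matches every destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def _in_net(ip: str, cidr: str) -> bool:
    """True if ip falls inside cidr; "any" matches every address."""
    if cidr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches the flow.

    Falls through to the default action when nothing matches; a packet
    filter protecting a control network should default to deny.
    """
    for r in rules:
        if (_in_net(flow.src, r.src) and _in_net(flow.dst, r.dst)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action, r.name
    return default, "default"


# Weak policy: a flat network where anything can reach the control VLAN.
FLAT_RULES = [Rule("flat-network", "any", CONTROL_NET, None, "allow")]

# Recommended policy: only VPN clients reach the HMI port; everything else
# into the control VLAN (internet, business LAN, other ports) is denied.
SEGMENTED_RULES = [
    Rule("vpn-to-hmi", VPN_POOL, CONTROL_NET, HMI_PORT, "allow"),
    Rule("block-control", "any", CONTROL_NET, None, "deny"),
]

# Same two rules in the wrong order: the catch-all deny now shadows the
# VPN exception, so even authorised remote access is cut off.
MISORDERED_RULES = list(reversed(SEGMENTED_RULES))

# Constructed sample flows, all aimed at one HMI host in the control VLAN.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.10.1.5", HMI_PORT),  # internet scanner (TEST-NET-3)
    Flow("10.20.4.8", "10.10.1.5", HMI_PORT),    # business-LAN workstation
    Flow("10.30.0.12", "10.10.1.5", HMI_PORT),   # VPN client, HMI port
    Flow("10.30.0.12", "10.10.1.5", 445),        # VPN client, unrelated service
]


def reachable_sources(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """Source addresses whose flows the policy allows into the control VLAN."""
    return [f.src for f in flows if evaluate(rules, f)[0] == "allow"]


if __name__ == "__main__":
    for label, rules in [("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES),
                         ("misordered", MISORDERED_RULES)]:
        print(label, reachable_sources(rules, SAMPLE_FLOWS))
```

Under the segmented rule set only the VPN client reaches the HMI, and only on the HMI port, which is exactly why the advisory's caveat matters: that client is the one remaining path, so its own security bounds the control network's. The misordered variant is a reminder to test the policy against real flows rather than reading the rules.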

“Control system security has traditionally been limited to physical assets, rather than cyber security, given that when the systems were developed, internet use was yet to be commonplace,” said Brewer. “However, this has left gaping holes and vulnerabilities, and as some of the most infamous cyberattacks in recent memory have affected SCADA systems, such as the Stuxnet and Flame viruses, it is clear that this now needs to be addressed to avoid a blackout.”
