ICS Patch Management: Case Studies on Schneider and GE Digital
The purpose of an ICS patch management program aims to ensure that ICS is secured and executed by testing, implementing, and deploying trusted patches. This approach helps in ensuring that the industrial control system is updated and is defended against cyber threat actors and malicious operators. It is applicable for all ICS software and hardware elements in both Operational Technology (OT) and Information Technology (IT).
Patches are critical for resolving security breaches and cyber risks arising from cyber attacks performed by cyber threat actors. ICSs are critically leveraged in risk management mission-efficiently scrutinizing and managing critical infrastructures for remotely scattered systems. These systems are potential targets for security breaches and attacks, posing extreme security challenges for ICS asset owners and stakeholders. Important parts of ICS patch management comprise:
- Configuration management
- Creating accustomed baselines of systems
- Latest inventory for both OT and IT software and hardware
- Identifying patches for software and hardware
- Assessing complexity of patches
- Patch test before implementation
- Getting updates for authentication vendors
- Ensuring security
- Preparing backup.
Significance of patch management in ICS ecosystem
It is difficult to handle critical security defects, especially in OS-based devices within the ICS framework. Ransomware attacks spanning industrial operations have targeted diverse industries in the past few years. The main reason behind the ransomware spread is unpatched systems on OT and IT ecosystems. While running ICS network inspections, multiple devices with unpatched critical susceptibilities can be found, letting ransomware or other malware infiltrate.
OT systems are generally 30 to 40 years old systems that lag in advanced designs, which in turn open doors for cyber threats even after vulnerability patching. Cyberpunks take advantage of these potential targets to cause disruptions in the IT and OT environment. Patch management can be used for delivering a robust security environment in the following ways:
- It can enable security components, such as encrypted authentication or add MFA (Multi Factor Authentication)
- Security specific, such as for correcting security defects in the ICS environment
- Operational fix, such as stability or feature update.
How to enforce patch management to enhance ICS security?
From isolated systems to massively interconnected networks, Industrial control systems have come a long way. This development of ICS systems has made them more open to high-risk cyber threats. The reason behind such vulnerable systems is the old and unpatched software still used in the OT space resulting in security breaches and loss of organizations’ data. However, the security of these systems can be enhanced by enforcing patch management. Below are the five essential steps to implement patch management in industrial control systems for optimized protection.
1. Data gathering
New security vulnerabilities are found and broadcasted daily with the developed growth rate of cyber risks globally. Patch management is essential for delivering methods to mitigate system vulnerabilities. Usually, vendors post security advisories on their websites when they find or patch a new vulnerability. By gathering data on the latest known patches, you can keep track of your asset vulnerabilities.
2. Evaluate/Assess
It is often challenging to decide which patch is suitable for updating the system performance. Patches are modifications that can affect the security, dependability, or performance of OT systems. Sometimes, a patch applied can cause issues and make other applications incompatible in the system, such as the user no longer providing support. Some users execute a compatibility list, and it’s an excellent approach to assess your system specifications and compatibility list before using a patch.
3. Deploy
Most ICS systems operate 24/7 and require high availability. However, applying a patch can result in a pause in the systems’ functions as the component requires a reboot, making it challenging to execute efficient patch management. A good approach is to enforce planned maintenance when a patch is applied to avoid issues.
4. Test
It is advised to evaluate a patch before applying it to the system. Patch evaluation can be done in several ways, such as:
- Arrange a separate test environment using the same software and hardware and then apply a patch.
- Simulate the environment with virtual systems.
Test the patch on a duplicate system or system that is of no more use first so that there is a backup if the patch does not give the desired results.
5. Record before and after patching
It is essential to record the before and after changes in the system after the patch management process is completed. The record should be maintained in a corporate management workflow to secure the latest modifications and maintain compliance. Also, once the patch is applied, ensure that it is applied successfully. Moreover, documenting the patching method indicates that appropriate measures are taken to mitigate known cyber risks if a security incident happens.
Case study: High-severity flaws in Schneider and GE digital’s SCADA software
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an industrial control system (ICS) advisory related to numerous susceptibilities affecting Schneider and GE Electric’s Easergy medium voltage safety relays.
In a report published on February 24, 2022, the U.S. agency quoted on risk evaluation:
“Successful exploitation of these vulnerabilities may disclose device credentials, cause a denial-of-service condition, device reboot, or allow an attacker to gain full control of the relay. This could result in loss of protection to your electrical network.“
Security experts Timothée Chauvin, Paul Noalhyt, Yuanshe Wu at Red Balloon Security found and reported Schneider Electric flaws.
The two high-severity flaws affect Schneider Easergy P3 versions before v30.205 and Easergy P5 versions before v01.401.101. Information on the defects are as follows –
- CVE-2022-22722 (CVSS score: 7.5) – Use of hardcoded credentials (CWE-798). If the cyberattacker hacks the details of the SSH cryptographic key for the system and takes operational control of the local active network bonded to this product, they could monitor and control traffic associated with product configuration.
- CVE-2022-22723 (CVSS score: 8.8) – Classic buffer overflow (CWE-120). A buffer copy without checking the size of input susceptibility is present in Easergy P5 systems that could direct to a buffer overflow, resulting in program crashes and arbitrary code execution by sending specially prepared packs to the relay over the network. Security and tripping functions via GOOSE can be affected.
- CVE-2022-22725 (CVSS score: 8.8) – A classic buffer overflow (CWE-120) vulnerability in Easergy P3 systems could result in program disruptions and arbitrary code implementation when specially prepared packs are transmitted to the system over the network.
Along with Schneider’s Easergy news, the U.S. federal agency also published the alert connected to General Electric’s Proficy CIMPLICITY SCADA software, cautioning of two security breaches that could be manipulated to disclose sensitive data, perform code execution, and local privilege escalation.
GE Digital is a leading deliverer of industrial software solutions and IIoT services. As such, their devices are operated in almost every industry. GE CIMPLICITY is a popular HMI/SCADA system with a well-established history. CIMPLICITY is generally the critical component that manages and observes the functions in the manufacturing environment.
The two vulnerabilities on the CIMPLICITY potentially present a huge disruptive effect on this functional server.
The two vulnerabilities are:
- CVE-2022-23921(CVSS – 7.5)– Privilege Execution Vulnerability
- CVE-2022-21798(CVSS – 7.5) – Credentials Vulnerability.
How does ATS provide the essential service for ICS Security for critical infrastructures?
At present, patch management and susceptibility are gaining traction in OT. Patch management is a critical part of a comprehensive ICS security program, but it is difficult because deploying patches can raise the risk to the current system, such as system reboot, which can result in a pause of the ICS network functioning.
Patch implementation in OT comes with some complex challenges, such as identifying new vulnerabilities and deciding the suitable patch to modify them.
ATS incorporates innovative technology, products, and services in a well-balanced synergy with 18 years of experience in the cybersecurity niche to enhance the company’s operations aiming for top-tier performance and efficiency in today’s advanced generation.
ATS has a team of security experts who can help develop and implement ICS patch management programs and deploy patch management software to satisfy the conditions in standards such as ISA/IEC 62443 and NERC CIP.
ATS strives to enhance its services in the Middle East to assist its clients in securing their integrated IT-OT networks and filling OT cyber security gaps by implementing solutions to provide critical visibility, control, and behavioral analytics.
To know more about OT Cyber Security, download the new eBook on Operational Technology (OT) from ATS. Be the first to receive a free copy of this premium content by downloading it today.
