Embedded OT Vulnerabilities: An Asset Owner Perspective
What should asset owners be aware of with embedded OT systems and buried vulnerabilities, and what remediation tactics are available?
Learn MoreSubscribe to stay in the loop with the latest OT cyber security best practices.
Embedded systems play a significant role in all of our lives, showing up in everything from the simplest home routers to the most complex critical infrastructure, IoT, and industrial controls. Securing these systems, however, remains challenging not just because of their proximity to hardware and design, but also due to their operational environments.
Today, most embedded hardware includes dozens of physical components and packs software complexity similar to that of early PCs. In the quest to secure them, we need to ask:
The proliferation of small computational devices such as smartphones along with the commoditization of network infrastructure has blurred the definition of embedded systems. When we talk about such systems in the realm of ICS and IoT, it’s important to distinguish them from commodity systems. Think of them like this:
In OT/ICS as we know these as devices like Programmable Logic Controllers (PLCs), Distributed Control Systems (DCSs), Remote Terminal Units (RTUs), Variable Speed Drives (VFDs), flow meters and valves, relays, TCP-to-serial gateways, embedded Human Machine Interfaces (HMIs).
On the consumer IoT front, or even among the new PLC 2.0 type devices that comprise the so-called Industrial Internet of Things (IIoT), they might also include integrated mesh-based sensors, smart lighting and locks, smart refrigeration, and so on.
While some of these devices might run Linux, use Bash, and run Python, many others have specialized hardware that leverages microcontrollers, FPGAs, and real-time operating systems (RTOS) to ensure predictability and deterministic behavior without the need for a full-blown OS.
In the symbiotic relationship between the hardware and software that comprises most embedded systems, it’s the software that largely dictates when and how the device works.
In the good ol’ days, computational resources were scarce; the performance of embedded devices depended on proprietary software/hardware and low-level programming languages. Programmers and engineers knew where every byte was going and there was little extraneous code. While occasional flaws — those found in the C programming language, for example — were present, such problems were practically non-existent when compared to embedded environments of today.
Embedded systems tightly linked to hardware still exist, but many modern devices now run common software, application frameworks, modern protocols, webservers, and Linux. Newer platforms boast better available resources (e.g., 1GB vs 32MB of RAM), wireless connectivity via certified System-on-Chip (SoC) modules, and copious software such as FOSS, Python, and more. For good and for ill, this evolution has changed the way newer devices are developed and the features they offer.
In the embedded realm, software gets wrapped into all-encompassing packages dubbed firmware. Firmware updates often pack a variety of constituents including OS and drivers, filesystems, apps libraries, interpreted scripts/languages, services (FTP, SSH, HTTP/HTTPS, MQTT, etc.), logging daemons, and network stacks.
As such, an embedded system is the same as any other computer. There are bound to be flaws in the software and in the system design itself. Defenders must protect embedded systems from unfettered access, update where possible, harden if capable, and monitor continuously. The more abstract — or kludged together —software gets the more likely vulnerabilities within it become.
Imagine for a moment flawless code. Picture the most technologically complex system operating without issue. Conjure a single, silver-bullet solution that will save humankind from itself. Hard to imagine, right?
Thanks to the way devices are designed, engineered, developed, maintained, and sold, embedded systems, like any other enterprise computing product, will be flawed. While there have been major improvements in code analysis, fundamental software design problems continue to slip through into production. Most programmers remain woefully inept at making good security decisions in the development stage and profit-motivated vendors have little appetite to address that shortcoming.
Among the embedded security challenges not addressed by any single solution:
As systems developed with minimal rigor become over-provisioned, vulnerabilities flourish and risks proliferate. Today, an attacker rarely needs to bring their own hacking tools to an embedded device. They simply take advantage of the systems’ inherent flaws, live off the land, and persist in the environment as long as they please.
Risks for systems with network connectivity that use large amounts of software of varying quality are prevalent across ICS/OT, IoT, and even commodity products. As long as they are managed appropriately, however, asset owners can likely live with them. It’s a lot like driving a car – you can be careful, but accidents still happen, and much of the onus for risk reduction is on the driver.
Some risks to consider when it comes to embedded systems:
Most devices feature a hodgepodge of source code. Inside that code are known vulnerabilities that frequently go unreported and ultimately require mediation and management by the asset owner.
Embedded systems can contain out-of-date software and unsupported components. Compensating controls are needed to improve security with or without updates and patches.
Modern embedded devices are dangerously easy to deploy. Contractors, third parties, even your own employees can install rogue devices that can communicate to outbound systems via wireless/RF technologies such as 5G or LTE. Comprehensive asset management and physical site security program is a must.
Compromised cloud-based management destroys all other defenses. An attacker with unauthorized access to a centralized cloud management system has direct access to the plant floor at scale. Management platforms should be highly secure, and devices isolated and monitored for anomalies.
If the device is on the internet or accessed even by a port forward, it is exposed. It’s best to consider allowing only connections from specific IP addresses and limiting access if possible.
If a device is compromised, it may be used to affect other systems. A malicious intruder with sufficient time, resources, or skill can get a foothold on one vulnerable device and use it as a launchpad for more widespread — and devastating — attacks.
Devices still have physical access risks regardless of age. Many devices, even new ones, lack sufficient physical tampering protections. Access to devices should be limited to authorized individuals where possible.
Humans are still a risk. People will continue to misconfigure devices, make mistakes, use weak passwords, and more. In addition to security awareness training, periodic internal audits should be performed to see if devices are configured or deployed insecurely. And when it comes to embedded systems, employees should be trained to download software only from trusted sites and how to validate it against known good sources.
If you’re now panicking at the scope of embedded systems insecurity, take heart. Not all devices are easily exploitable or they are exploitable only under certain conditions largely affected by how you deploy and configure them.
One key to addressing the challenge is to get ahead of the embedded security problem before it gets a foothold in the organization. Owners must insist on robust security during procurement, design of solutions, and throughout cybersecurity factory acceptance and site testing. This way, OEMs and vendors will learn they cannot continue unchallenged. Trust, but always verify.
As a community, we should not let poorly secured products gain traction in the market. We must demand security as a necessary feature. Software engineers and developers take note – even if you are a cog in the machine, we are all affected; especially when embedded devices become integral to the systems responsible for our lights, our water, our health, our daily lives.
In the meantime, if we force the market to deliver drastically improved solutions, we can avoid the security apocalypse plaguing ICS environments. And before the naysayers state that all of these demands will make products more expensive, a well-designed, robust product is often no more expensive or time-consuming to develop. The price tag is always far less than the cost of getting breached.
What should asset owners be aware of with embedded OT systems and buried vulnerabilities, and what remediation tactics are available?
Learn MoreURG11 and network stack flaws are not anything new. They are miscreants leftover from the 90’s and early 2000’s – a period where these types of software flaws were rampant. For the most part, these flaws represent an era where devices lacked proper robustness testing and customers were obligated to trust the vendor’s security practices. While most of these were…
Learn MoreFrom an asset owner’s perspective: Defining firmware and discovering embedded vulnerabilities to protect devices from exploitation.
Learn More