Friday, November 14, 2014

Patching critical infrastructure: What Bash means for ICS security


On September 25, a bug dubbed “Shellshock” was discovered in Bash, the command shell on Unix, Linux and Mac OS X operating systems that is used heavily in scripting and as the intermediary between programs and the operating system for certain kinds of services. Much of the media attention has centered on how Shellshock is a threat to cybersecurity in general, lumping all practice areas under one umbrella. Since critical infrastructure networks are much more difficult to patch and update than corporate networks, many control system security practitioners are wondering what, specifically, the implications of Shellshock are for control system networks, and what can be done to protect against these vulnerabilities. Surprisingly, a recent search of the Internet yielded no clear summary of the impacts of Shellshock on control networks specifically, hence this posting.

In order to be affected by Shellshock in the first place, a device must have Bash installed. Since Bash is not a standard Windows component, it’s unlikely that Windows systems will be vulnerable unless the program was installed for some reason. Mac OS X and Linux both use Bash heavily, and if any non-Linux Unix is running on a network, then Bash is also very likely deployed somewhere within that system, if not everywhere.

Here are some examples of how Bash might affect particular systems:
· Web servers like Apache that use CGI scripts pass request information, such as the “user agent” string, directly to Bash through environment variables. That string can be set in some browsers, and is easily set in many popular command-line Internet tools. The exploitation of these vulnerable web servers is trivial. This compromise can be accomplished from any IP address that is able to send a web request to the vulnerable server.
· Most Mac/Linux/Unix gear that uses DHCP on an industrial network is ripe for an attack from the local network, since DHCP clients pass server-supplied options to scripts that run under Bash. While most critical control systems have been drilled into using static IP addresses rather than DHCP for exactly this reason, some sites still have equipment using DHCP. If a hacker can get his hands on a laptop or other computer connected to a control network and can turn on a DHCP server on that machine, all bets are off.
· Every device that runs Linux or some other Unix derivative with Bash installed, and has a Web user interface, is vulnerable. This includes a lot of networking gear, firewalls and even some RTUs, PLCs and other equipment. Figuring out which of these firmware-based systems have Bash installed is problematic in itself. Vulnerable equipment can generally be hacked by any machine that can send a message to the Web server.
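As an added example, not from the original post, the following Python script scans Apache combined-format access logs for the Shellshock signature: the empty function definition “() {” that a CGI web server would hand to Bash via the User-Agent, Referer or request fields. The log lines are constructed, and the only payload used is the harmless canonical test string.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log format: the Referer and User-Agent are the two trailing quoted fields.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock payload begins with an empty function definition, "() {", placed in an
# environment variable; CGI copies request headers into the environment, so that
# token in any header-derived field is the detection signature.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access log line into its fields, or None if malformed."""
    m = COMBINED_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def is_shellshock_attempt(entry: Dict[str, str]) -> bool:
    """True if any header-derived field carries the '() {' function-definition prefix."""
    return any(SHELLSHOCK_RE.search(entry[field]) for field in ('agent', 'referer', 'request'))


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed entries that look like Shellshock probes, in log order."""
    return [e for e in (parse_combined(l) for l in lines) if e and is_shellshock_attempt(e)]


# Constructed sample log lines (not from a real server): one normal request, one with the
# canonical harmless test string in User-Agent, one with the same string in Referer.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:15:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:16:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo shellshock-test"',
    '203.0.113.5 - - [25/Sep/2014:10:17:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { :; }; echo shellshock-test" "curl/7.37.0"',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['time']} agent={hit['agent']!r} referer={hit['referer']!r}")
```

Run it against a real access log with `scan_log(open(path).readlines())`; a hit against a CGI path on an unpatched host means the probe likely executed.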

Software and firmware updates should of course only be applied to equipment on control system networks after thoroughly researching a patch’s reliability. In principle, while patches are being tested, or in some cases still being developed, all vulnerable DHCP, web and other functionalities should be disabled. This is easier said than done since it is not even clear which devices with embedded Unix-based operating systems have Bash installed at all, not to mention that some of the affected functions may be essential to the current design and operation of the control system.

This is just another example of why many control system vendors deploy Unidirectional Security Gateways. The gateways replicate servers to external networks to provide seamless, safe integration of control system networks with corporate and other networks. IT teams can then feel free to install the latest, up-to-the-second updates to all equipment on corporate networks, including the replica servers, without putting critical operations at risk.

The takeaway here is nothing new, and yet it is underlined with each new serious vulnerability: all software has bugs, some of which are security vulnerabilities, meaning all software can be hacked. Industrial users should deploy hardware-enforced, stronger-than-firewalls perimeter protections to ensure that the next Shellshock, or dozen Shellshocks, do not expose critical infrastructures to attacks from corporate networks, and from the Internet beyond those networks.

To find out more about ICS security solutions, check out our products page here.
