Claroty’s Team82 strengthens security of industrial networks

Industrial cybersecurity vendor Claroty launched Team82, its research arm that provides vulnerability and threat research to customers and defenders of industrial networks worldwide. The unit investigates industrial software, networks, and protocols for vulnerabilities, and coordinates with vendors to get flaws addressed before threat actors are able to exploit them.

The Team82 dashboard is a resource for users to stay up to date on the latest CVEs disclosed by its researchers, affecting industrial devices and networks. Equipped with an extensive industrial control systems (ICS) testing lab, the team works closely with industrial automation vendors to evaluate the security of their products. The Common Vulnerabilities and Exposures (CVE) system provides a method for publicly sharing information on cybersecurity vulnerabilities and exposures. 

Team82, formerly the Claroty Research Team, has made a total of 146 vulnerability discoveries and disclosures to date and was the first to develop and release signatures for Ripple20 and Wibu-Systems CodeMeter vulnerabilities and the threat actors that target them.

“Team82’s latest research was motivated by the reality that organizations in the Industry 4.0 era are incorporating cloud technology into their OT and IIoT for simplified management, better business continuity, and improved performance analytics,” Amir Preminger, VP research at Claroty, said in a press statement. “In order to fully reap these rewards, organizations must implement stringent security measures to secure data in transit and at rest, and lock down permissions. We thank the CODESYS and WAGO teams for their swift response, updates, and mitigations that benefit their customers and the ICS domain.”

Team82 released on Wednesday a new report on critical vulnerabilities found in cloud-based management platforms for ICS, highlighting the rise of ICS in the cloud and the growing need to secure cloud implementations in industrial environments. 

“The momentum behind bringing cloud capabilities to ICS is undeniable for a number of reasons, including better telemetry and analysis of device performance, management of logic and remote device configuration, improved diagnostics and troubleshooting, a centralized view of processes, and redundancy, which is critical to business continuity,” Uri Katz, a Claroty researcher, wrote in the report.

Team82 identified critical vulnerabilities in programmable logic controllers (PLCs) sold by WAGO, as well as CODESYS’s Automation Server platform that manages industrial devices from the cloud. Team82 was able to turn those vulnerabilities into attacks that could put threat actors in a position to remotely control a company’s cloud OT implementation and threaten any industrial process managed from the cloud.

The flaws Team82 disclosed are remotely exploitable and can be used to target a cloud-based management console from a compromised field device or take over a company’s cloud and attack PLCs and other devices to disrupt operations. 

The report also examines what makes up a cloud-based operational technology (OT) and supervisory control and data acquisition (SCADA) infrastructure and the attack surface available to attackers, before diving into Team82’s research, the vulnerabilities disclosed, the attacks developed, and the recommendations to protect OT cloud implementations.

“When referring to the cloud, we are usually referring to the portion of a company’s IT or OT infrastructure that is hosted on the remote, internet-facing servers of predominant providers, such as Amazon Web Services, Google Cloud Platform, or Microsoft Azure. Part of that infrastructure includes hosted applications that leverage a cloud-based management console supporting different users, including OT engineers, managers, and administrators,” Katz wrote. 

Each user has a specific role, and the management console needs to support different kinds of functionality for the SCADA network, depending on the services the vendor offers. These functions include the ability to download configuration files to PLCs, collect tag data from PLCs, or provide HMI-like web-based screens. There are many ways to integrate SCADA devices with the cloud, but overall the idea is the same.

“At the top of the architecture, we have the different users and their machines which interact with the cloud-based management console,” according to Katz. “Through the management console, operators and administrators tune settings, including specifications for which devices are commissioned and configured. These settings also dictate the logic that needs to be executed by the PLCs and configure what data points (tags) will be collected and presented by the management console’s view screens,” he added.

Companies in the Industry 4.0 era are adopting cloud technology as it relates to industrial IoT (IIoT) and OT to reap various benefits, such as simplified management, better business continuity, and improved performance analytics, the report said. They must also implement stringent security measures to secure data in transit and at rest, in addition to locking down permissions. 

“At a minimum, credentials must be secured using two-factor authentication, roles must be defined, permissions carefully orchestrated, and identities managed as a crucial defense-in-depth step for cloud,” Katz said.
