By Gregory Hale
Heartbleed may need a band aid to fix various small wounds in the industrial control environment, but it surely does not need open heart surgery.
Heartbleed is a vulnerability in OpenSSL versions 1.0.1 through 1.0.1f: a flaw in the library's implementation of the Transport Layer Security/Datagram Transport Layer Security (TLS/DTLS) heartbeat extension that can disclose private or encrypted information to an attacker.
The Heartbleed issue, labeled CVE-2014-0160, could allow attackers to read the process memory of running OpenSSL processes. That memory can hold secrets such as transmitted data, passwords or private keys.
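To make the "read process memory" point concrete, here is an added illustration that is not code from the article, from OpenSSL or from any vendor mentioned here. It models a heartbeat record as [type][two-byte payload length][payload][padding], places a constructed secret string in a buffer right after the record to stand in for whatever happens to sit next in process memory, and runs the same malformed request through a responder that trusts the claimed length and one that checks it against the record actually received. All names, the record layout and the secret are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy TLS heartbeat responder, vulnerable and hardened (added example).
 * Record layout: [type:1][payload_length:2, big-endian][payload][padding >= 16]. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD   16
#define MEM_SIZE     256

/* Constructed stand-in for the server's process memory: the received
 * heartbeat record at the front, then bytes modelling a secret that merely
 * happens to sit after it in memory. */
static unsigned char memory[MEM_SIZE];
static const char SECRET[] = "SECRET:admin:hunter2";

/* Lay out a request whose header claims `claimed_len` payload bytes but whose
 * real payload is `payload`; returns the true record length. */
static size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    size_t record_len = 1 + 2 + plen + HB_MIN_PAD;
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, payload, plen);               /* padding stays zero */
    memcpy(memory + record_len, SECRET, sizeof SECRET);
    return record_len;
}

/* Vulnerable responder (the 1.0.1 through 1.0.1f behaviour): trusts the
 * peer-supplied payload_length and echoes that many bytes back. */
static int respond_unchecked(const unsigned char *rec, size_t record_len,
                             unsigned char *out, size_t out_cap)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)record_len;                       /* never consulted: that is the bug */
    if ((size_t)payload_len + 3 > out_cap)  /* harness-only bound on the reply buffer */
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);  /* reads past the end of the record */
    return (int)payload_len + 3;
}

/* Hardened responder (the shape of the fix): the claimed length must fit inside
 * the record actually received, header and minimum padding included; otherwise
 * the message is dropped without a reply. */
static int respond_checked(const unsigned char *rec, size_t record_len,
                           unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_MIN_PAD)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_MIN_PAD > record_len)
        return -1;                          /* length does not fit: discard */
    if ((size_t)payload_len + 3 > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return (int)payload_len + 3;
}

/* Does the reply contain the constructed secret? 1 = leaked, 0 = not. */
static int reply_leaks_secret(const unsigned char *out, int n)
{
    size_t slen = strlen(SECRET);
    if (n < 0) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

typedef int (*responder_fn)(const unsigned char *, size_t, unsigned char *, size_t);

/* Run one request through a responder; a claimed_len larger than the real
 * payload is the malformed case. Returns 1 if the secret left the process. */
static int run_case(responder_fn fn, uint16_t claimed_len, const char *payload)
{
    unsigned char reply[MEM_SIZE];
    size_t record_len = build_request(claimed_len, payload);
    int n = fn(memory, record_len, reply, sizeof reply - 3);
    return reply_leaks_secret(reply, n);
}

int main(void)
{
    printf("unchecked, honest length  : leak=%d\n", run_case(respond_unchecked, 2, "hi"));
    printf("unchecked, inflated length: leak=%d\n", run_case(respond_unchecked, 64, "hi"));
    printf("checked,   inflated length: leak=%d\n", run_case(respond_checked, 64, "hi"));
    return 0;
}
```

The only difference between the two responders is the single comparison of the claimed payload length against the received record length; with it in place the inflated request is discarded and the bytes beyond the record are never copied into a reply.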
“We all know the importance of protecting information ‘privacy’ or ‘confidentiality’ through the use of encryption,” said Joel Langill, founder of Infrastructure Defense Security Services. “In general, this problem represents moderate risk to ICS, but can be managed, as I would not expect a large number of devices to possess this vulnerability. The devices that I am most concerned about would be security devices like firewalls and VPN switches used at the perimeter that typically communicate over public networks, and utilize SSL/TLS as one form of encryption.”
Encryption in and of itself is generally a good thing when it comes to securing communications, but in this case a flaw in the library that implements it opens the end user up to attack.
“One very common means of performing this encryption over networks is based on the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) mechanism,” he said. “This mechanism is used in everything from web access, to email, some VPNs, and even communication with ICS components.”
“The basis of this encryption is the use of cryptographic keys, which in the case of servers using OpenSSL that are vulnerable (Heartbleed is a vulnerability in the OpenSSL crypto library) could allow an actor to extract these keys, as well as the usernames and passwords used to create the secure connection and the data exchanged in the encrypted session from the memory of the vulnerable server,” he said.
That is the bad news and the possible attack, but the good news is that OpenSSL is not part of Microsoft’s core platform (Internet Information Services, Exchange).
“Microsoft does not implement OpenSSL in their platforms, so the largest majority of ICS hosts that reside in level 2 and level 3 applications are not vulnerable,” Langill said. “This would include typical ICS servers, application servers, historians, ancillary applications (asset management, condition monitoring, etc.). The area of concern within the ICS environment is now strictly focused on (a) embedded devices that are not based on a Windows OS — this means not only the obvious WinXP, Win7, 2003, 2008, etc. but also WinCE, XP Embedded, etc., (b) that provide SSL/TLS encryption, typically in the form of an HTTPS session, and (c) that have it enabled under normal circumstances.”
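The three criteria above, together with the affected version range from the top of the article, can be turned into a simple inventory triage. The following is an added example, not code from the article, from Langill or from any vendor: it parses OpenSSL version strings as they appear in `openssl version` output or a server banner, treating only 1.0.1 through 1.0.1f as vulnerable (the range the article gives; any other branch is classed as outside that range), and then sorts constructed asset records into "out of scope", "patch now", "OK" or "verify with the vendor". The asset fields, the Windows-family name list and the sample inventory are assumptions made for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added triage helper: classify inventory records against the article's
 * criteria (non-Windows, serves SSL/TLS, enabled) and the 1.0.1..1.0.1f range. */
enum vuln_status { VERSION_UNKNOWN, NOT_IN_RANGE, VULNERABLE, FIXED };
enum triage { TRIAGE_OUT_OF_SCOPE, TRIAGE_VERIFY, TRIAGE_PATCH_NOW, TRIAGE_OK };

struct asset {
    const char *name;
    const char *os;              /* e.g. "Windows Server 2008", "Linux", "VxWorks" */
    int         tls_enabled;     /* serves HTTPS/TLS and has it switched on */
    const char *openssl_version; /* banner or `openssl version` text; "" if unknown */
};

/* Parse strings such as "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1f", "1.0.1g",
 * "1.0.1-fips", "0.9.8y". Only 1.0.1 with no letter or a letter a..f is
 * reported vulnerable, matching the article's range. */
static enum vuln_status openssl_version_status(const char *s)
{
    const char *p = strstr(s, "1.0.1");
    if (p == NULL)                            /* another branch, or nothing parsable */
        return strpbrk(s, "0123456789") ? NOT_IN_RANGE : VERSION_UNKNOWN;
    if (p != s && isdigit((unsigned char)p[-1]))
        return NOT_IN_RANGE;                  /* do not match inside "11.0.1" */
    unsigned char suffix = (unsigned char)p[5];
    if (isdigit(suffix))
        return NOT_IN_RANGE;                  /* "1.0.1" followed by another digit */
    if (!isalpha(suffix))
        return VULNERABLE;                    /* plain "1.0.1", "1.0.1-fips", ... */
    return tolower(suffix) <= 'f' ? VULNERABLE : FIXED;
}

/* The Windows family as the article enumerates it; a substring match on the
 * OS field is enough for a first pass (assumption). */
static int is_windows_family(const char *os)
{
    static const char *const names[] = {
        "Windows", "WinXP", "Win7", "2003", "2008", "WinCE", "XP Embedded"
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strstr(os, names[i]) != NULL) return 1;
    return 0;
}

static enum triage triage_asset(const struct asset *a)
{
    if (is_windows_family(a->os)) return TRIAGE_OUT_OF_SCOPE;  /* criterion (a) */
    if (!a->tls_enabled)          return TRIAGE_OUT_OF_SCOPE;  /* criteria (b), (c) */
    switch (openssl_version_status(a->openssl_version)) {
    case VULNERABLE:   return TRIAGE_PATCH_NOW;
    case FIXED:
    case NOT_IN_RANGE: return TRIAGE_OK;
    default:           return TRIAGE_VERIFY;  /* unknown stack: ask the vendor */
    }
}

/* Count how many records land in a given bucket. */
static int count_triage(const struct asset *inv, size_t n, enum triage t)
{
    int c = 0;
    for (size_t i = 0; i < n; i++)
        if (triage_asset(&inv[i]) == t) c++;
    return c;
}

int main(void)
{
    /* Constructed sample inventory. */
    static const struct asset inv[] = {
        { "historian-01", "Windows Server 2008", 1, "" },
        { "hmi-panel-07", "WinCE", 1, "" },
        { "edge-fw-01",   "Linux", 1, "OpenSSL 1.0.1e 11 Feb 2013" },
        { "vpn-gw-02",    "Linux", 1, "OpenSSL 1.0.1g 7 Apr 2014" },
        { "plc-rack-3",   "VxWorks", 0, "" },
        { "web-relay-9",  "Linux", 1, "" },
    };
    static const char *const label[] = { "out of scope", "verify", "PATCH NOW", "ok" };
    size_t n = sizeof inv / sizeof inv[0];
    for (size_t i = 0; i < n; i++)
        printf("%-14s %s\n", inv[i].name, label[triage_asset(&inv[i])]);
    printf("patch now: %d\n", count_triage(inv, n, TRIAGE_PATCH_NOW));
    return 0;
}
```

Devices whose TLS stack cannot be identified land in the "verify" bucket rather than being assumed safe, which is the class of equipment the article's quoted statements point at: non-Windows embedded gear with HTTPS enabled, where the answer has to come from the vendor.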
With security awareness continuing its growth curve in the industry, this could allow for a more enlightened conversation between users and suppliers.
“We all expect that the major vendors will follow Siemens’ lead and provide a statement as to the fact that they have investigated their products and that they are or are not vulnerable,” Langill said.