By Chris Grove
Spectre and Meltdown are two newly disclosed vulnerabilities (made public in January 2018) that affect the processors inside the majority of the world's computing devices. Chances are, just about every computer user has an affected device within arm's reach.
Just about every machine with a modern processor is impacted, ranging from workstations to servers to phones and tablets.
Because the flaw lives in the processor rather than the software, the affected platforms include Microsoft Windows, Linux, Android, Google ChromeOS, Apple macOS (on Intel) and iOS (on ARM). Intel has confirmed that essentially every Intel processor with out-of-order execution since 1995, excluding Itanium and pre-2013 Atom, is affected by Meltdown. AMD processors are affected by Spectre but not by Meltdown, and many ARM Cortex-A cores are affected by Spectre, with a small number also affected by Meltdown.
Spectre and Meltdown are different, but related. Spectre comprises two variants: CVE-2017-5753 (variant 1, bounds check bypass) and CVE-2017-5715 (variant 2, branch target injection), while Meltdown consists of one, CVE-2017-5754 (variant 3, rogue data cache load).
These vulnerabilities enable what are called 'side-channel' attacks, which exploit the physical implementation of the hardware rather than a flaw in the program logic or code. Classic side channels include capturing electromagnetic emanations (i.e. TEMPEST), monitoring power consumption, watching status LEDs, and cache analysis. Spectre and Meltdown belong to the last category: they abuse speculative and out-of-order execution, which lets the CPU transiently touch data the running code is not allowed to read. The CPU discards the result, but the access has already pulled a line into the data cache, and by measuring which cache lines load quickly afterward the attacker recovers the data one byte at a time.
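The cache trick that both attacks depend on can be modelled without touching real hardware. The Python below is an added illustration, not code from the article or from the Spectre/Meltdown researchers: its "cache" is a set of line numbers, its cycle counts, probe-array address and secret are constructed, and no real fault or speculation happens. What it shows is the shared encoding step: a byte the attacker may not read is used as an index into a probe array with page-sized stride, so exactly one of 256 cache lines is loaded, and reloading all 256 while timing each one reveals which.

```python
"""Toy model of the Flush+Reload cache side channel behind Spectre/Meltdown.

Added example; everything here is a constructed stand-in for hardware.
"""

PAGE = 4096                    # stride so each probe slot lands on its own page/line
LINE = 64                      # cache line size used to derive line numbers
SECRET = b"SCADA passphrase"   # constructed secret; never returned to the attacker directly


class Cache:
    """Set of currently cached line numbers; stands in for the CPU data cache."""

    def __init__(self):
        self.lines = set()

    def flush(self, addr):
        """clflush: evict the line holding addr."""
        self.lines.discard(addr // LINE)

    def access(self, addr):
        """A normal load: the line is now cached."""
        self.lines.add(addr // LINE)

    def timed_access(self, addr, hit_cycles=40, miss_cycles=300):
        """rdtsc-bracketed reload: short if the line was cached, long otherwise.

        The two cycle counts are constructed; on real hardware they are noisy
        and a threshold is calibrated per machine.
        """
        hit = (addr // LINE) in self.lines
        self.lines.add(addr // LINE)
        return hit_cycles if hit else miss_cycles


def victim_transient_access(cache, probe_base, index):
    """Models the speculative / out-of-order window.

    Architecturally the load of SECRET[index] is squashed (a fault in Meltdown,
    a mispredicted bounds check in Spectre v1) and nothing is returned, but the
    dependent load into the probe array has already touched the cache.
    """
    cache.access(probe_base + SECRET[index] * PAGE)


def flush_reload_byte(cache, probe_base, index, threshold=100):
    """Recover SECRET[index] purely from cache state; None if no slot hits."""
    for v in range(256):                        # Flush: evict all 256 probe slots
        cache.flush(probe_base + v * PAGE)
    victim_transient_access(cache, probe_base, index)   # transient execution
    for v in range(256):                        # Reload: the single hit is the byte
        if cache.timed_access(probe_base + v * PAGE) < threshold:
            return v
    return None


def leak_secret():
    """Leak the whole constructed secret one byte at a time."""
    cache = Cache()
    probe_base = 0x10000000                     # constructed address of the probe array
    return bytes(flush_reload_byte(cache, probe_base, i) for i in range(len(SECRET)))


if __name__ == "__main__":
    print(leak_secret())
```

The real attacks differ only in how the transient access is provoked (an unprivileged load of kernel memory for Meltdown, a mistrained branch for Spectre); the flush, probe and reload steps are the same, which is why mitigations such as kernel page-table isolation target the transient access rather than the cache.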
Since IT, IoT, and IIoT devices are widely deployed and infrequently updated, vulnerable devices are likely to remain in production environments for years to come.
If one of these vulnerabilities is used against a device, it can give the attacker access to privileged data in memory: passwords, keys, or anything else the operating system or another process holds. The vulnerabilities do not grant code execution or system access by themselves; they let code that is already running read memory it should not be able to read. In other words, an attacker still needs to get code running on the system to execute the attack, whether by breaking in, by planting a malicious application, or, in the case of Spectre, by delivering JavaScript to a web browser.
Whereas this might sound "encouraging," it is a critical concern in systems with multiple users, where memory belonging to one user must stay isolated from every other user.
Simply put, in shared or multi-tenant environments such as virtualized, cloud, or any other multi-user deployment, strict barriers must exist between tenants. Otherwise, any cloud customer could read data belonging to other customers sharing the same physical CPU.
The same compartmentalization applies within a single machine, where applications need to be isolated from each other and from the kernel. For example, a web browser should not be able to read the memory the Windows operating system uses to hold passwords or other sensitive information.
Every operating system implements multiple layers of protection to enforce these boundaries, from the user/kernel privilege split and per-process address spaces up to Windows UAC, SELinux, and more. Meltdown is serious precisely because it defeats the user/kernel split in hardware, which is why the software fix, kernel page-table isolation (KPTI), works around the CPU by keeping kernel memory unmapped while user code runs. Even so, Spectre and Meltdown may not be as bad as you think, particularly if you are not a cloud user: the attacker must already be running code on the affected machine, and on a dedicated, single-purpose host that foothold is the hard part.
Mind Reading Capability
Imagine, for a moment, that you have been newly bestowed with a Spectre/Meltdown Mind-reading Capability. For the sake of brevity, let's call it SMMC. SMMC gives you the "power" to read someone else's mind, as long as you are both in the same room.
Your SMMC works on almost anyone, anywhere: the mall, the theater, even the poker tables in Vegas. Regardless of your location, you can read the minds of others, as long as you are in the same room with them. You now have access to data that is meant to be private, such as secrets, confidential or sensitive information, and more.
SMMC does not work remotely; you must be in close proximity to the other person, in the same room.
Now, let's imagine a different scenario: you are in your own room, by yourself, and you use SMMC on your own mind. Aside from the potential mind-mirror exploding aftermath, what is the point of executing an attack on yourself? You already have access to the data, and you can recall it at will.
In a nutshell, that is the idea behind Spectre and Meltdown. They are effective in a multi-tenant room where more than one person's secrets must remain private.
However, there is far less point in executing an attack in a room with only one owner, since technically there are no secrets from yourself. As long as you are the only person who will ever occupy the room, your data is largely safe, even though the room itself is still vulnerable. The caveat is that "the only person" must include every piece of code that runs there: a browser tab or a third-party application is a second occupant as far as the CPU is concerned.
Spectre and Meltdown have generated coverage in mainstream media due to the sheer number of systems they’ve impacted. Nearly everyone owns a device that’s vulnerable to attack.
However, being vulnerable does not necessarily mean you will be harmed by the bug itself. Sometimes the cure causes the pain rather than the attack: Microsoft's first Windows update for these flaws left some AMD-based systems unable to boot, and its rollout to those machines had to be paused.
Another example is the impact of the Meltdown/Spectre patch on Rockwell FactoryTalk, which resulted in outages on FactoryTalk servers. As of now, the patch has not been fully tested by Rockwell and is not approved for use on any FactoryTalk system.
The mitigations remain a topic of considerable debate. Some have hurt performance badly enough to render systems unusable, particularly on older processors and on I/O-heavy or syscall-heavy workloads, and have created other problems that vendors and user communities are still resolving. Some patches have been withdrawn outright: Intel asked customers to stop deploying its initial microcode update after it caused unexpected reboots, and a replacement had yet to be reissued.
ICS environments encompass different types of equipment, including:
• Windows workstations (engineering workstations)
• Windows servers (DNS, Active Directory, etc.)
• Linux servers (historians, firewalls, automation systems)
Almost all ICS networks contain hardware that is vulnerable to attack. Whether a specific device is actually at risk depends on multiple factors, such as chipset, firmware level, and whether untrusted code can run on it at all. Needless to say, we can expect substantial research and patching in the near future.
HMIs, panels, and displays use the affected chips. Some PLC manufacturers are still assessing the threat. Many systems that support industrial controllers, including automation systems, batch control systems, production control servers, printers, OPC servers, SCADA systems, peripheral devices, and IIoT devices such as cameras and sensors, are most likely vulnerable.
Understand the Vulnerability
First and foremost, knowing what exists in your ICS environment is critical to securing it. You can't secure what you don't know about. An automated asset inventory is therefore essential to understanding which equipment is at risk and requires attention.
Next, that inventory needs detail: CPU model, operating system, kernel or firmware version, and patch status. Without it, you are left with a list of industrial devices that must be examined manually to determine whether their specific hardware module is affected.
Understanding the ICS asset inventory is also important for identifying vulnerable assets and tracking patching efforts. Modern Linux kernels (4.15 and distribution backports) report the status of each variant under /sys/devices/system/cpu/vulnerabilities/, and Microsoft published a SpeculationControl PowerShell module that does the same for Windows, so the per-host status can be collected rather than guessed from the CPU model.
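One way to fold that per-host status into an inventory, as an added example that is not part of the article and not any vendor's tool: the script below classifies the text the Linux kernel writes to /sys/devices/system/cpu/vulnerabilities/{spectre_v1,spectre_v2,meltdown} ("Not affected", "Vulnerable[: detail]" or "Mitigation: detail") and lists the assets that still need work. The hostnames, roles, CPU models and status lines in INVENTORY are constructed, but the status strings follow the format the kernel actually emits; read_local_status() reads the real files when run on a Linux host and returns nothing elsewhere. The same report could be fed by the Windows SpeculationControl module, with a second classifier for its output, which is also what the earlier point about KPTI boils down to in practice: "Mitigation: PTI" under meltdown is the marker that the kernel/user boundary is being enforced in software.

```python
"""Triage a host inventory for Spectre/Meltdown status from Linux sysfs text.

Added example; hosts and status lines below are constructed.
"""
import os
from dataclasses import dataclass, field

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
VARIANTS = ("spectre_v1", "spectre_v2", "meltdown")


def classify(status: str) -> str:
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):        # bare "Vulnerable" or "Vulnerable: detail"
        return "vulnerable"
    return "unknown"                      # file missing (pre-4.15 kernel) or unrecognized text


@dataclass
class Asset:
    name: str
    role: str
    cpu: str
    status: dict = field(default_factory=dict)   # variant -> raw sysfs text

    def triage(self) -> dict:
        return {v: classify(self.status.get(v, "")) for v in VARIANTS}

    def needs_attention(self) -> bool:
        """Anything vulnerable or unverifiable goes on the work list."""
        return any(r in ("vulnerable", "unknown") for r in self.triage().values())


def read_local_status() -> dict:
    """Read the real sysfs files on the host this runs on; empty dict elsewhere."""
    out = {}
    for v in VARIANTS:
        path = os.path.join(VULN_DIR, v)
        if os.path.exists(path):
            with open(path) as f:
                out[v] = f.read()
    return out


# Constructed inventory (not real hosts).
INVENTORY = [
    Asset("hist-01", "historian", "Intel Xeon E5-2620 v3", {
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Mitigation: Full generic retpoline",
        "meltdown": "Mitigation: PTI",
    }),
    Asset("fw-02", "firewall", "Intel Atom C2558", {
        "spectre_v1": "Vulnerable",
        "spectre_v2": "Vulnerable",
        "meltdown": "Vulnerable",
    }),
    Asset("auto-03", "automation server", "AMD EPYC 7351", {
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Vulnerable: Minimal AMD ASM retpoline",
        "meltdown": "Not affected",            # AMD is not affected by Meltdown
    }),
    Asset("opc-04", "OPC server", "Intel Core i5-2400", {}),   # old kernel: no sysfs files
]


def report(assets):
    """Return [(name, triage dict)] for every asset that still needs attention."""
    return [(a.name, a.triage()) for a in assets if a.needs_attention()]


if __name__ == "__main__":
    for name, t in report(INVENTORY):
        print(name, t)
    local = read_local_status()
    if local:
        print("this host:", Asset(os.uname().nodename, "local", "?", local).triage())
```

Treating "unknown" as needing attention is deliberate: a host whose kernel predates the sysfs reporting cannot have the Meltdown mitigation either, so it belongs on the work list rather than being silently skipped.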
Chris Grove, CISSP, NSA-IAM, is director of industrial security at network monitoring provider Indegy.