22 Jul 2024


Cybersecurity firm warns of new automation dangers

One of Trend Micro's two reports focuses on vulnerabilities in industrial programming languages

The cybersecurity research firm Trend Micro has issued a pair of reports highlighting potential dangers to industrial automation systems posed by vulnerabilities in protocol gateways and programming languages. It says that these flaws could expose automation systems to critical attacks that could enable attackers to hijack industrial robots and automation systems to disrupt production or steal intellectual property.

• The first report, Lost in Translation: When Industrial Protocol Translation Goes Wrong, reveals a new class of security vulnerabilities in protocol gateways/converters that could expose Industry 4.0 environments to critical attacks. The Trend researchers analysed five popular Modbus translation gateways and found vulnerabilities and weaknesses including: authentication vulnerabilities that could allow unauthorised access; weak encryption implementations that allow configuration databases to be decrypted; weak implementation of authentication mechanisms; denial-of-service conditions; and flaws in translation functions that could be used to issue stealth commands to sabotage operations.

• The second report, Rogue Automation: Vulnerable and Malicious Code in Industrial Programming, highlights design flaws in eight popular industrial programming languages that could allow attackers to hijack industrial robots and automation machines to disrupt production or steal intellectual property. It warns that the industrial automation world may be unprepared to detect and prevent the exploitation of these issues, adding that it is “imperative” that the industry start embracing network-security best practices and secure-coding practices. The report includes guidelines for ensuring secure coding to decrease potential disruption to OT (operational technology) environments.

The report on protocol converters warns that hackers could exploit the weaknesses in these devices to view and steal production configurations and sabotage key industrial processes by manipulating process controls, camouflaging malicious commands with legitimate packets, and denying control access.

Protocol converters allow machines, sensors, actuators and computers to talk to each other, and to corporate IT systems.

“Protocol gateways rarely get individual attention, but their importance to Industry 4.0 environments is significant and can be singled out by attackers as a critical weak link in the chain,” cautions Bill Malik, Trend Micro's vice-president of infrastructure strategy.

The report makes several recommendations for vendors, installers and end-users of industrial gateways, including:
• ensuring that the products have adequate packet-filtering capabilities, so that they are not prone to translation errors or denial-of-service;
• not relying on a single point-of-control for network security;
• combining ICS firewalls with traffic monitoring for improved security;
• spending time on configuring and protecting gateways, using strong credentials, disabling unnecessary services, and enabling encryption where supported; and
• applying security management to protocols as with other critical OT assets.
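To illustrate the packet-filtering recommendation, here is an added example (written for this article, not code from Trend Micro's report or from any gateway vendor) of a sanity check for Modbus/TCP frames of the kind a gateway might apply before translating them. The header layout follows the Modbus/TCP specification; the read-only function-code allowlist and the sample frames are assumptions constructed for the example.

```python
import struct
from typing import Dict, Tuple

# Modbus/TCP frames begin with a 7-byte MBAP header: transaction id (2 bytes),
# protocol id (2 bytes, always 0), length (2 bytes) = number of bytes that follow
# the length field (unit id + PDU), unit id (1 byte). The PDU's first byte is the
# function code. A length field that disagrees with the real frame size is the
# kind of malformed input that trips up translation code.
MBAP_LEN = 7
MAX_ADU = 260  # maximum Modbus/TCP application data unit size

# Assumed policy: a gateway in a monitoring role passes only read requests.
READ_FUNCTIONS = {1, 2, 3, 4}          # read coils/inputs/holding/input registers
WRITE_FUNCTIONS = {5, 6, 15, 16}       # write coil(s)/register(s)


def check_frame(frame: bytes, allow_writes: bool = False) -> Tuple[bool, str]:
    """Return (accept, reason) for a single Modbus/TCP request frame."""
    if len(frame) < MBAP_LEN + 1:
        return False, "truncated: shorter than MBAP header plus function code"
    if len(frame) > MAX_ADU:
        return False, "oversized ADU"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return False, f"unexpected protocol id {proto}"
    # The length field covers unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        return False, f"length field {length} does not match payload size {len(frame) - 6}"
    function = frame[MBAP_LEN]
    if function & 0x80:
        return False, "exception response where a request was expected"
    if function in READ_FUNCTIONS:
        return True, "read request"
    if function in WRITE_FUNCTIONS:
        return (True, "write request") if allow_writes else (False, "write blocked by policy")
    return False, f"function code {function} not in allowlist"


# Constructed sample frames (transaction id, protocol id, length, unit, function, addr, count).
SAMPLE_FRAMES: Dict[str, bytes] = {
    "read_holding":   struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10),
    "write_register": struct.pack(">HHHBBHH", 2, 0, 6, 1, 6, 0, 1),
    "bad_length":     struct.pack(">HHHBBHH", 3, 0, 20, 1, 3, 0, 10),
    "bad_protocol":   struct.pack(">HHHBBHH", 4, 5, 6, 1, 3, 0, 10),
    "truncated":      b"\x00\x05\x00\x00\x00\x01",
}


def filter_samples(allow_writes: bool = False) -> Dict[str, bool]:
    """Run every sample frame through the check and report which are accepted."""
    return {name: check_frame(frame, allow_writes)[0] for name, frame in SAMPLE_FRAMES.items()}
```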

The second report – the result of a study conducted jointly by Trend and the Politecnico di Milano in Italy – shows how design flaws in legacy programming languages can lead to vulnerabilities in automation programs.

“Once OT systems are network-connected, applying patches and updates is nearly impossible, which makes secure development up-front absolutely critical,” Malik suggests. “Today, the software backbone of industrial automation depends on legacy technologies that too often contain latent vulnerabilities.”

Legacy proprietary programming languages such as RAPID, KRL, AS, PDL2, and PacScript were designed without attackers in mind. Developed decades ago, they are now essential to critical automation tasks, but cannot be fixed easily.

The researchers also demonstrate how a new kind of self-propagating malware could be created using one of the legacy programming languages.

Trend has worked with the Robot Operating System (ROS) Industrial Consortium to establish recommendations to reduce the exploitability of the identified issues.

“Most industrial robots are designed for isolated production networks and use legacy programming languages,” says Christoph Hellmann Santos, programme manager of the ROS-Industrial Consortium Europe. “They can be vulnerable to attacks if connected to, for example, an organisation’s IT network. Therefore, ROS-Industrial and Trend Micro have collaborated to develop guidelines for correct and secure network set-up for controlling industrial robots using ROS.”

These guidelines demonstrate that task programs that rely on these languages can be written more securely to mitigate risks. The researchers offer a checklist for writing secure programs, including:
• treating industrial machines as computers and task programs as powerful code;
• authenticating every communication;
• implementing access control policies;
• performing input validation and output sanitisation;
• implementing proper error-handling, without exposing details; and
• putting proper configuration and deployment procedures in place.

Trend Micro and Politecnico di Milano have also developed a patent-pending tool to detect vulnerable or malicious code in task programs, thus preventing damage at runtime.

The researchers found 40 instances of vulnerable open source code in the eight programming platforms. One vendor has removed a vulnerable automation program from its application store, and two more have acknowledged the potential problems, “leading to fruitful discussion”. Details of the vulnerabilities have also been shared by the US industrial cyber-security organisation ICS-CERT in an alert to its community.

In addition to the freely downloadable reports on gateways and programming languages, Trend Micro has also produced web pages (on the gateways and languages) and one-page primers (on the gateways and languages).