Critical Vulnerabilities in Cloud-based ICS Management Platforms


Claroty Team82, formerly known as The Claroty Research Team, has released a new report, “Top-Down and Bottom-Up: Exploiting Vulnerabilities in the OT Cloud Era,” on the exploitability of cloud-based management platforms responsible for monitoring ICS, and developed techniques to exploit vulnerabilities in automation vendor CODESYS’ Automation Server and vulnerabilities in the WAGO PLC platform. Team82’s research mimics the top-down and bottom-up paths an attacker would take to either control a Level 1 device in order to eventually compromise the cloud-based management console, or the reverse, commandeer the cloud in order to manipulate all networked field devices.

“Team82’s latest research was motivated by the reality that organisations in the Industry 4.0 era are incorporating cloud technology into their OT and IIoT for simplified management, better business continuity, and improved performance analytics,” said Amir Preminger, VP research at Claroty. “In order to fully reap these rewards, organisations must implement stringent security measures to secure data in transit and at rest, and lock down permissions. We thank the CODESYS and WAGO teams for their swift response, updates, and mitigations that benefit their customers and the ICS domain.”

Team82 makes the following recommendations:

  • Treat all cloud-connected solutions as a trusted communication to your industrial network, and implement a supply chain risk management program that includes gaining insights into supplier’s security program.
  • Know that existing solutions that aren’t cloud-connected may be connected in their next upgrade—active monitoring of industrial assets are critical to detect unexpected connections to vendors’ networks, so you can re-assess the risk and take steps to mitigate as required.
  • Implement a zero-trust architecture and policies to limit unexpected communications from traversing the industrial network.
  • While an in-line exploit of a trusted cloud connection is almost impossible to detect, an attacker will likely next attempt to move laterally to compromise other systems within the industrial network. Ensure you have monitoring capabilities established to identify unexpected lateral movement communications from critical assets.
  • Ensure your security operations center (SOC) and incident response teams are ready to respond in a timely and appropriate manner to industrial network incidents. SOC teams are often IT-centric, and some of their playbooks may need to be updated for OT environment considerations. Consider a retainer incident-response service as well to ensure rapid response in the event of an incident.